Google has three months to comply with a series of demands by European data protection regulators led by France’s Commission nationale de l'informatique et des libertés (CNIL), including informing users before cookies are installed and clarifying the explicit reasons why personal data is collected and how long that data is kept.

Cookies are tiny bits of text known as name-value pairs that websites install on computers that can later be retrieved – it’s the way a site knows, for example, what state you live in or what brand of shoes you’ve bought before. Installing cookies can be disabled, but by default they can be actively installed on computers.

“If Google Inc. [Nasdaq:GOOG] does not comply with this formal notice at the end of the given time limit, CNIL’s Select Committee (formation restreinte), in charge of sanctioning breaches to the French Data Protection Act, may issue a sanction against the company,” the CNIL said on Thursday.

The issue pits government regulators against the world’s largest Internet search company; it remains to be seen which side will prevail – or even whether any of the measures will actually increase privacy protections for Internet users who use Google’s services. The issue is a challenge to Google’s attempts to collect valuable user information through its DoubleClick digital advertising technology, its Analytics service and its “+1” button, an application similar to Facebook’s  “like” function that tells others that a user has endorsed a particular webpage.

For months, European regulators have objected to Google’s one-size-fits-all privacy policy encompassing all of its operations, in which users have no means of opting out. Google maintains that it isn't violating any data-privacy laws in Europe.