The authority also notes:
Firstly, the investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed. As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed. Internet companies should not develop privacy notices that are too complex, law-oriented or excessively long. However, the search for simplicity should not lead internet companies to avoid the respect of their duties. We require from all large and global companies that they detail and differentiate their processing operations.
Finally, Google failed to provide retention periods for the personal data it processes.
Read the full documents from the CNIL for more on the legal issues and its recommendations to Google.