Search engines should delete personal data held about their users within six months, a European Commission advisory body on data protection has said.
The recommendation is likely to be accepted by the European Commission and could lead to a clash with search giants like Google, Yahoo and MSN.
Google and MSN anonymise user data after 18 months, while Yahoo does the same after 13 months.
The body said search companies were not clear enough on data protection.
Peter Fleischer, Google's global privacy counsel, said in a statement: "Google takes privacy incredibly seriously; protecting our users' privacy is at the heart of all our products.
"It is the reason we were the first company to commit to anonymising our search logs, and also why we dramatically shortened our preference cookie lifetime."
In a statement Yahoo said it was reviewing the details of the body's recommendations.
"We remain committed to striking the right balance between protecting user privacy, providing the most compelling online experience, meeting our legal obligations and preventing fraud," the firm said.
Many search engines currently collect and store information from each search query, holding information about the search query itself, the unique PC address (known as an IP number), and details about how a user makes their searches, such as the web browser that is being used.
Users who create an account with a search engine hand over more data to the firms, including search history. Some search engines also enrich personal data held on their users with information from third parties.
The report from the Article 29 Data Protection Working Party said search engine providers had "insufficiently explained" why they were storing and processing personal data to their users.
It said "search engine providers must delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose they were collected for".
The report said the personal data of users should not be stored or processed "beyond providing search results" if the user had not created an account or registered with the search engine.
The advisory body also said it preferred search engines did not collect and use personal data to serve personalised adverts unless the user had consented and signed up to the service.
The body was set up to provide expert opinion to the European Commission and to make recommendations in the areas of personal data and privacy. The Commission usually adopts the recommendations the body makes.
The report also said search engines did not need to gather additional personal data, beyond the IP address of a machine being used, in order to deliver basic search results and advertisements.
It added: "Because many search engine providers mention many different purposes for the processing, it is not clear to what extent data are reprocessed for another purpose that is incompatible with the purpose for which they were originally collected."
It said search engines should not use personally identifiable data to improve their services or for accountancy purposes.
Personal data stored for security purposes should not also be used to improve services, the body recommended.
The report issued a set of obligations to search engines firms, including:
- Search engines should get informed consent from users if they correlate personal data across different services, such as desktop search
- Search engine providers must delete or anonymise (in an irreversible and efficient way) personal data once they are no longer necessary for the purpose for which they were collected
- Personal data should not be held by search engines for longer than six months
- In case search engine providers retain personal data longer than six months, they must demonstrate comprehensively that it is strictly necessary for the service
- It is not necessary to collect additional personal data from individual users in order to be able to perform the service of delivering search results and advertisements
- Search engine providers must give users clear and intelligible information about their identity and location and about the data they intend to collect store or transmit, as well as the purpose for which they are collected
The report also warned that if search engines enriched personal data about users from third parties they could be breaking the law unless customers had given explicit consent.
It said users had the right to access, inspect and correct all the personal data about themselves held by search engines, including their profiles and search history.
By Darren Waters
Technology editor, BBC News website