Google said it will take a phased approach to this, starting with accounts that were created and never used again. It also said it will send multiple notifications over the months leading up to the deletion to both the account email address and the recovery email.
Google explained the reasoning for the updated policy:
"If an account hasn’t been used for an extended period of time, it is more likely to be compromised. This is because forgotten or unattended accounts often rely on old or re-used passwords that may have been compromised, haven't had two-factor authentication set up, and receive fewer security checks by the user.
"Our internal analysis shows abandoned accounts are at least 10x less likely than active accounts to have a two-step verification set up. Meaning, these accounts are often vulnerable, and once an account is compromised, it can be used for anything from identity theft to a vector for unwanted or even malicious content, like spam."
Other than signing in every two years, activity on a Google Account includes these types of actions: