European Union (EU) data protection agencies found the search engine does not comply with legislation following a nine-month investigation.
But in a letter to the company's chief executive Larry Page, France's Commission Nationale de l'Informatique (CNIL), which led the investigation, said the company's policy raises "numerous questions" about data protection.
"Google provides insufficient information to its users (including impassive users), especially on the purposes and the categories of data being processed," the letter said. "The investigation confirmed our concerns about the combination of data across services."
"We expect that Google takes the necessary steps to improve information and clarify the combination of data, and more generally ensure compliance with data protection laws and principles," it concluded.
The group stopped short of saying Google's data gathering practices are illegal, but identified 12 measures that must be put in place to satisfy their concerns.
These include changing the way people are told about how their personal information and browsing records will be used -- especially location information and credit card data. The regulators also want Google to spell out its intentions for combining the data, asking users for explicit consent.
"Google has a few months, three or four months, to comply. If it takes no action, we will enter a phase of litigation," said CNIL president Isabelle Falque-Pierrotin.
In response, Peter Fleischer, Google's global privacy counsel, said: "We have received the report and are reviewing it now.