They argued that Google "empowers itself to collect vast amounts of personal data about Internet users," but "has not demonstrated that this collection was proportionate to the purposes for which they are processed."
"Combining personal data on such a large scale creates high risks to the privacy of users," the regulators said.
Peter Fleischer, Google's global privacy counsel, said in a statement that the search company is reviewing the EU regulator's report and is committed to protecting its users' online privacy.
The EU letter lists a set of recommendations on how Google can improve its privacy practices. Among the recommendations, the data protection authorities said Google should make it easier for users to opt out of this sharing of data across the company's services and secure explicit consent from users before combining this data.
"As data-protection regulators, we expect that Google takes the necessary steps to improve information and clarify the combination of data, and more generally ensure compliance with data-protection laws and principles," the regulators said.
Isabelle Falque-Pierrotin, the chairwoman of CNIL, said Google could face fines from the French regulator or other EU authorities for not implementing these changes within the next "three to four months," Bloomberg reported.
Members of the Asia Pacific Privacy Authorities — which represents data-protection regulators from Australia, Canada and Mexico — sent a letter of support for the EU's privacy recommendations to Google.