Google has no official response as it is still reviewing the report
Instead, CNIL asks Google to make it clearer to users what data is being collected, by which sites and why.
It also recommends that Google enable users to control how their data is shared between products, which would in effect nullify the biggest and most controversial changes implemented in March.
CNIL also wants Google to limit the data it collects to the absolute minimum it actually requires to operate.
The agency didn't call Google's actions illegal, but has said that if Google ignores its warnings and recommendations, it is prepared to take legal action.
CNIL acts on behalf of all EU member states, though a few are yet to give their approval of the findings.
"Firstly, it is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object," the agency explained.
It is worried that there are no specified limits in Google's data policy, meaning that the company could store anything it wants.
The second main concern is about data unification. The investigation found that Google makes little difference between the type of data that is stored and the period it's kept. CNIL believes users should actively consent to their data being used across Google products.
It says this can take several forms, including something like the Search Plus Your World button, which allows users to get personalized results but also get "clean" results, which are not influenced by their actions on other Google properties.
Google said it has received the report and recommendations and that it's reviewing it to provide an official answer. It has no response to the findings at this point.