Since March, Google has been combining data from across its sites to potentially better target adverts - which regulators see as "high risk" to people's privacy.
Last October, the firm was given four months to revise its policy.
Google said its actions did comply with EU law.
The new policy was implemented after the company combined 60 separate privacy policies into one agreement.
CNIL said the internet giant had not yet made the changes demanded by the regulators.
"Google did not provide any precise and effective answers," CNIL said on Monday.
"In this context, the EU data protection authorities are committed to act and continue their investigations. Therefore, they propose to set up a working group, led by the CNIL, in order to coordinate their reaction, which should take place before summer."
But Google said the firm did respect European law.
"We have engaged fully with the CNIL throughout this process, and we'll continue to do so going forward," the firm told the BBC.
In total, 12 recommendations were outlined in a letter signed by 24 of the EU's 27 data regulators, following a nine-month investigation into Google's data collection practices.
Among the proposed changes were the following:
• Google must "reinforce users' consent". It suggests this could be done by allowing its members to choose under what circumstances data about them was combined by asking them to click on dedicated buttons.
• The firm should offer a centralised opt-out tool and allow users to decide which of Google's services provided data about them.
• Google should adapt its own tools so that it could limit data use to authorised purposes. For example, it should be able to use a person's collated data to improve security efforts but not to target advertising.