The ruling follows complaints lodged by two advocacy groups last May, shortly after GDPR came into force.
One was filed on behalf of 10,000 signatories by France's Quadrature du Net group, while the other was lodged by None Of Your Business, the organisation founded by Austrian privacy activist Max Schrems.
Both accused Google of securing "forced consent" through the use of pop-up boxes online or on its apps which imply that its services will not be available unless people accept its conditions of use.
Following an investigation, the CNIL ruled that Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.
"The information provided is not sufficiently clear for the user to understand the legal basis for targeted advertising is consent, and not Google's legitimate business interests," the CNIL said.
In response, Google said in a statement: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of GDPR. We're studying the decision to determine our next steps."