Google has been fined 50 million euros (£44m) by the French data regulator CNIL, for a breach of the EU's data protection rules.
CNIL said it had levied the record fine for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation".
The regulator stated people were "not sufficiently informed" about how Google had collected data to personalise advertising.
Two privacy rights groups: noyb and La Quadrature du Net (LQDN) had filed complaints against Google claiming Google did not have a valid legal basis to process user data for ad personalisation, as required under the GDPR.
It was decided that the case would be handled by the French data regulator, rather than in Ireland where Google's European headquarters are based.
The regulator said Google had not obtained clear consent to process data because "essential information" was "disseminated across several documents", and that "the relevant information was accessible after several steps, implying sometimes up to five or six actions."
In addition to the lack of transparency, the regulator stated that Google had failed to obtain “a valid legal basis to process user data”. "The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent.”
The option to personalise ads was "pre-ticked" when creating an account, going against the GDPR rules.
"The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc). However, the GDPR provides that the consent is 'specific' only if it is given distinctly for each purpose."
In a statement, the regulator said it was Google's "utmost responsibility to comply with the obligations on the matter".