The request was made in a formal letter sent on Tuesday (16 October) by the EU's Data Protection Authorities united within the so-called Article 29 Working Party. The letter was signed by 24 of EU's 27 data regulators plus those of Croatia and Liechtenstein.
This consolidated 60 privacy policies into one and pooled data collected on individual users across its services, including YouTube, Gmail and its social network Google+. Users cannot opt out.
The regulators' letter said: "Combining personal data on such a large scale creates high risks to the privacy of users."
"The investigation showed that Google provides insufficient information to its users [including passive users], especially on the purposes and the categories of data being processed," the regulators wrote.
"Google empowers itself to collect vast amounts of personal data about internet users, but Google has not demonstrated that this collection was proportionate to the purposes for which they are processed," the letter says.
"Therefore, Google should modify its practices when combining data across services for these purposes," the letter said.
Google did not immediately react.
The regulators also want Google to spell out its intentions and methods for combining data collected from its various services. They want the web search giant to ask users for explicit consent when bundling data together, the letter said.
The pooling of anonymous user data across Google services, is a big advantage when selling online ads.
Google and other large internet groups like Facebook provide free services to consumers and earn money from selling ads that they say are more closely targeted than traditional TV or radio campaigns.
"They may be prepared to test the legal position in Europe to see what they can get away with."
The tussle with the EU over data privacy comes at a delicate time for Google.
Europe's antitrust authorities are also examining the company's business model to see if it uses its clout in search advertising to favour its own services over competitors' offerings. Google is in talks with EU regulators on the case, and could offer concessions.
"Key issues such as what type of personal data is collected, for what purpose and for how long it is retained were willfully neglected," she said reminding that these "are not just mere questions of good practice but legal obligations".
“No matter how big a company, European laws and fundamental consumer rights should not be ignored. Indeed, as a pacesetter it’s all the more important for Google to comply and be seen to do so."
In March 2011, EU Justice Commissioner Viviane Reding spelled out new privacy rules for personal data held on the Internet, including a "right to be forgotten" that would allow users to permanently delete data held by companies.
Reding's proposals would overhaul the EU's 15 year-old Data Protection Directive. Her "four pillars" include urging more transparency from companies that process personal data, making privacy the default setting on websites and ensuring that all companies that operate in the European Union follow EU data protection rules.
Data protection and privacy in electronic communications are also governed by the E-privacy Directive, which dates back to 2002.