The changes were made in March 2012 and meant Google gathered data on people who used more than one of its services.
Google said it provided specific information to users about the data it collected on them.
In a summary of its findings, the Dutch Data Protection Authority (DPA) said that Google's policy did not do enough to specify what it was collecting data for.
Dutch data laws do allow information to be gathered about individuals but only for a particular purpose or business goal. Because Google did not set out exactly what it was doing with data it was "acting in breach" of the country's laws, said the DPA in a statement.
In addition, said the DPA, Google had not done enough to win consent from its users to grab data in the first place. The search giant had to work harder to get "unambiguous" consent from users to combine data.
Google had also failed to put in place good enough safeguards to ensure data about the same user across services was combined legitimately, added the DPA.
"Google spins an invisible web of our personal data, without consent," said Jacob Kohnstamm, DPA chairman in a statement. "That is forbidden by law."
In response, Google said it did give users detailed information about the data it was collecting and what would be done with it.