A statement from CNIL said the fine was imposed for lack of transparency, inadequate information and lack of valid consent over personalisation of advertising.
CNIL can impose fines of up to €20 million or 4% of a company's annual income and chose the latter alternative.
The complaints by NOYB and LQDN were made on 25 and 28 May 2018 respectively and found a number of violations by the search giant.
CNIL said that Google had violated the obligation to have a legal basis for personalisation of ads. Elaborating on this, it said users were not given sufficient information to make an informed decision about the ads they received.
Additionally, the watchdog determined that the consent that was provided was neither specific nor unambiguous.
In its statement, the CNIL said: "This is the first time that the CNIL applies the new sanction limits provided by the GDPR.
"The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent."
Contacted for comment, a Google spokesperson replied: "People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps."
Commenting on the fine handed out by CNIL, Ryan Kalember, vice-president of security at Proofpoint, said: "This GDPR fine brings to light some vital lessons for other businesses observing this crisis from a distance. By becoming the highest fined company since the GDPR came into force, Google is now the black and white case study of ‘what could happen’ in the event of non-compliance.
"In a privacy-first world, companies must build a people-centric compliance strategy, which can only start by getting visibility into highly regulated data, the systems that process that data and identifying who within your business has access to that data.
"Many organisations are still unsure whether their GDPR compliance strategy is 100% fit for purpose, but this incident signals that long gone are the days where privacy can be relegated to an IT or compliance effort: the magnitude of this fine clearly shows this is a business issue.
"Compliance professionals now have a use case to take to the board to secure any funding and resources they need to become GDPR-compliant if their organisation isn’t today."
In July last year, the European Union fined Google €4.3 billion for allegedly breaching anti-trust rules over its Android mobile operating system. Google has challenged this fine.
And in June 2017, Google was fined €2.42 billion for allegedly abusing its search engine dominance to give illegal advantage to its own comparison shopping service. The company has appealed against this fine.
A third fine is said to be in the EU pipeline, this one for alleged anti-business practices involving Google's AdSense advertising system.
The EU has also floated the idea of breaking up Google into a number of smaller units, with EU competition commissioner Margrethe Vestager saying the political bloc harbours "grave suspicions" about the firm's dominance of the search market.
Brussels is not the only one to fine Google for anti-business practices. In February 2017, the Competition Commission of India fined the company 135.86 crore rupees (about US$21.1 million) for "abusing its dominant position in online general Web search and Web search advertising services in India".