The U.S. company is breaching the country's data protection act by using people's private information such as browsing history and location data to target them with customised ads, the Data Protection Authority (DPA) said.
The regulator gave Google until the end of February to change how it handles the data it collects from individual web users.
The company's handling of user data under its new privacy guidelines, introduced in 2012, has also been under investigation in five other European countries – France, Germany, Britain, Italy and Spain.
"This has been ongoing since 2012 and we hope our patience will no longer be tested," said Jacob Kohnstamm, chairman of the Dutch DPA.
Google combines data from search engine queries, emails, third-party websites tracking or "cookies", location data and video browsing to customise advertising.
"This combining occurs without Google adequately informing the users in advance and without the company asking for consent. This is in breach of the law," the DPA said.
It ordered the company to stop the violations or face incremental fines up to a maximum of 15 million euros. It said Google must start informing users of its actions and seeking their consent.
A Google spokesman could not be immediately reached for comment.