A French regulatory agency this week said the data Microsoft collects on users of Windows 10 is “excessive” and ordered the company to stop.

The French National Data Protection Commission (CNIL), made the charge in a formal notice filed Wednesday. It gave Microsoft three months to change a number of data-gathering methods that the agency said violate French law.

Among the alleged practices that CNIL is objecting to:

  • Irrelevant or excessive data collected. Rather than just collecting information necessary to improve products, Microsoft’s telemetry service is also unnecessarily monitoring which apps users download and how much time they spend on each of them.
  • Lack of security. Microsoft allows users an unlimited number of attempts to authenticate themselves when they type in their four-digit PIN to access their Microsoft account and make purchases in Windows Store. This puts payment information at risk, CNIL says.
  • Lack of individual consent. A default ‘advertising ID’ that activates when Windows 10 is installed allows Microsoft and third parties to track users’ browsing without their consent. Microsoft also installs advertising-related cookies without alerting users or allowing them to block the cookies, according to CNIL.

The agency said it came to the conclusions after a three-month investigation.

“We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections,” Microsoft said in a statement provided to ZDNet. “We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable.”

The US and the European Union recently signed a new ‘Privacy Shield’ pact that will govern the transfer of Europeans’ personal data to the US.

CNIL’s action comes after similar crackdowns on other tech companies operating in France, including Facebook and Google.