The French data protection authority on Wednesday ordered Microsoft to stop collecting excessive data on users of its Windows 10 operating system and serving them personalized ads without their consent.
The CNIL said the U.S. company had three months to stop tracking browsing by users so that Windows apps and third-party apps can offer them targeted advertising without their consent, failing which it could initiate a sanctions procedure.
A number of EU data protection authorities created a contact group to investigate Microsoft’s Windows 10 operating system following its launch in July 2015, the French privacy watchdog said.
Get Data Sheet, Fortune’s technology newsletter.
The action against Microsoft (msft) mirrors that taken by the CNIL against Facebook (fb), which was ordered in February to stop collecting users’ information then used for advertising without their consent.
Microsoft processes information on all the apps downloaded and installed on Windows by a user and the time spent on each one to identify problems and improve its products. However the CNIL said it considered this to be excessive since the data “are not necessary for the operation of the service.”
The French watchdog also said that Microsoft puts advertising cookies on users’ terminals without properly informing them beforehand or giving them a chance to opt out.
Microsoft Is Trying to Reinvent Itself
“It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory),” the CNIL said in a statement.
“The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights.”
While the fines that can currently be levied by European data protection authorities are paltry compared to the revenues of big U.S. tech companies, a new European Union data protection law set to enter into force in two years provides for fines of up to 4% of a company’s annual global turnover.
David Heiner, vice president and deputy general counsel for Microsoft, said the company would work closely with the CNIL over the next few months to understand its concerns fully and “to work toward solutions that it will find acceptable.”
The CNIL also said Microsoft was still illegally transferring data to the United States using the Safe Harbour framework, which was struck down by the top EU court in October on concerns about mass U.S. surveillance practices.
Companies have had to rely on alternative legal structures such as “standard contractual clauses” to move data across the Atlantic in line with tough EU data transferral rules.
Heiner said Microsoft relied on a variety of legal mechanisms for transferring data from Europe to the United States, including standard contractual clauses.
A new EU-U.S. data transfer pact will be open to companies as of Aug. 1 and Microsoft has said it will sign up to it.