French data authority Commission Nationale de l’Informatique et des Libertés (CNIL) are not impressed by Microsoft’s continued harvesting of personal user data through Windows 10. CNIL is threatening sanctions if Microsoft doesn’t end data collection and targeted advertising within three months.

Windows 10 has been under investigation by a number of EU data protection authorities since its launch in July 2015, according to CNIL. It has reached several scathing conclusions about Windows 10, including (but not limited to), excessive data collection, a lack of security, lack of individual consent to targeted advertising, no option to block cookies, and the illegal transfer of EU user data to the US (citing an October 2015 decision by the Court of Justice of the European Union).

This formal notice is given only by CNIL. Their article states that other EU data agencies “are continuing their investigations.” CNIL states that this notice is “not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights”.

If Microsoft fail to comply within the three month window, CNIL could issue sanctions on the basis of the Data Protection Act. These sanctions would likely take the form of fines.