The National Data Protection Commission (CNIL) said in a statement that it had given the US computing giant three months to comply with the French Data Protection Act to ensure user data security and confidentiality.
The agency said media and political groups brought the issue to its attention after Microsoft launched its latest Windows 10 operating system a year ago.
Those investigations “revealed many failures” including collection of “irrelevant or excessive (user) data”, the statement said.
CNIL also criticised Microsoft over the four-character PIN number that enables users to authenticate access to online services, saying the tech giant failed to limit the number of attempts to enter the correct code, threatening data and personal security.
The agency condemned Windows 10's use of targeted advertising without first obtaining users' consent, as well as the operating system's lack of a way to block cookies.
“The company puts advertising cookies on users' terminals without properly informing them of this in advance or enabling them to oppose this,” the statement said.
Microsoft is still transferring user data outside the European Union even though the European Court of Justice ruled on privacy grounds in October that the transfer of European citizens' data to the United States under the obsolete “safe harbour” basis was no longer valid, CNIL said.
Should Microsoft fail to comply with the formal notice, CNIL would draw up a report on Data Protection Act breaches that could result in a fine of €150,000 ($165,000), the agency added.
Microsoft said it would cooperate with CNIL to address its concerns.
“We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections,” Microsoft vice president David Heiner said in a statement.
Concerning transfer of data from Europe to the United States, Microsoft relies on a variety of legal mechanisms, in addition to “safe harbour”, he added.
After a legal wrangle over handling web data between Europe and the United States, the European Union earlier this month launched a controversial deal with Washington aimed at curbing government spying on EU citizens' personal internet data.
A new “Privacy Shield” sets out tough rules to prevent US intelligence agencies from accessing Europeans' data, with companies facing penalties if they do not meet European standards of protection.
Microsoft will release an updated privacy statement next month that will say it intends to adopt the Privacy Shield, the company said.
But critics say the new arrangements do not go far enough and will face legal challenges.