This article co-authored with guest blogger Leonel Gonzalez, a R+C summer associate and student at Roger Williams University School of Law

An investigation by France’s National Data Protection Commission (CNIL) has found that Windows 10 has been “collecting excessive user data” and has been tracking users’ web browsing without their consent. The CNIL has ordered Microsoft to take steps to uphold the “security and confidentiality” of its users’ personal information.

The investigation found Windows 10 tracks apps downloaded by the users and the time spent using the apps. Microsoft reported it uses the information to fix bugs and improve Windows 10. However, CNIL found the tracking was not essential to operating Windows 10 and therefore an infringement on a user’s privacy.

In addition, the CNIL expressed their concern for the PIN security feature in Windows 10. The feature allows users to enter a PIN to log into the system. There is no restriction on the number of times a PIN may be entered which makes it susceptible to brute force hacking.

Microsoft responded to CNIL’s notice by stating they will be working closely with CNIL and will be releasing an updated privacy policy next month.

There are approximately 10 million Windows users in France and 270 million users in the U.S.