The Federal Trade Commission has mandated that software provider Avast must pay a hefty $16.5 million and refrain from selling or licensing any web browsing data for advertising purposes as part of a settlement to resolve allegations that the company and its subsidiaries sold such information to third parties despite claiming that their products would safeguard consumers from online tracking.
According to the complaint filed by the FTC, Avast, a UK-based company, along with its Czech subsidiary, unfairly gathered consumers’ browsing information through its browser extensions and antivirus software, stored it indefinitely, and then sold it without proper notification and without obtaining consumer consent.
Moreover, the FTC asserts that Avast misled users by assuring them that their software would protect their privacy by blocking third-party tracking, while failing to adequately disclose that they would sell their detailed, re-identifiable browsing data. The FTC claims that Avast sold this data to over 100 third parties through its subsidiary, Jumpshot.
Samuel Levine, the Director of the FTC’s Bureau of Consumer Protection, condemned Avast’s actions by stating, “Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite. Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”
Since at least 2014, Avast has allegedly been collecting consumers’ browsing information through browser extensions and antivirus software, which included sensitive data such as web searches, visited webpages, religious beliefs, health concerns, political preferences, location, financial status, and visits to child-directed content.
The complaint further outlines that Avast not only failed to disclose their data collection and selling practices to consumers but also made misleading claims about reducing internet tracking. When users searched for Avast’s browser extensions, they were informed that Avast would block tracking cookies and shield privacy, which were allegedly deceptive statements.
After acquiring Jumpshot, Avast rebranded the company as an analytics firm. From 2014 to 2020, Jumpshot reportedly sold browsing data collected by Avast to various clients including advertising, marketing, and data analytics companies. Despite Avast’s assertion that they used an algorithm to anonymize the data, the FTC alleges that the company did not effectively anonymize consumers’ browsing information.
Additionally, the FTC states that Avast failed to prevent some data buyers from re-identifying Avast users based on the data provided by Jumpshot. Even when contracts included restrictions on re-identification, they were drafted in a way that allowed data buyers to associate non-personally identifiable information with users’ browsing data. This enabled clients to track specific users or link their browsing histories with other data sources.
As part of the settlement, Avast will pay $16.5 million for consumer redress and is required to comply with various provisions, including refraining from selling browsing data, obtaining express consent before selling data from non-Avast products, deleting transferred web browsing information, notifying affected consumers, and implementing a comprehensive privacy program to address the FTC’s concerns.
Overall, the FTC’s actions against Avast highlight the importance of transparency and consumer consent in data collection practices, as well as the need for companies to uphold their privacy promises to users.