The Federal Trade Commission (FTC) in the U.S. has imposed a fine of $16.5 million on security software provider Avast and prohibited the company from selling or licensing user browsing data to advertisers.
The decision of the consumer protection agency concerns Avast’s practices of collecting user browsing data through its browser extensions and antivirus software and then selling that data to third parties, all while at the same time promising its customers that its products actually shield them from online tracking.
The relevant complaint, which lists Avast’s U.K. base and Czech subsidiary Jumpshot, alleges that the data collection and selling practices occurred from 2014 to 2020 without sufficient notice or consumer consent. Moreover, the collected data was not anonymized before it was sold to over a hundred third parties through Jumpshot.
FTC highlights an example in a deal between Jumpshot and Omnicom, where the former agreed with the latter to share user click data for 50% of its customers from the highly-valuable (for advertisers) markets of the United States, United Kingdom, Mexico, Australia, Canada, and Germany.
The FTC now orders Avast to pay a $16.5 million fine for its data handling practices, as well as to abide by the following provisions:
- Avast is banned from selling or licensing browsing data from its products for advertising purposes.
- Must get explicit consent from consumers before selling browsing data from non-Avast products.
- Required to delete all browsing data and related products or algorithms transferred to Jumpshot.
- Must inform consumers whose data was sold without consent about the FTC’s actions.
- Needs to establish a comprehensive privacy program addressing the FTC-highlighted misconduct.
RestorePrivacy has contacted Avast with a request for a comment on FTC’s order, and we have received the following statement from the security company:
Avast has reached a settlement with the FTC to resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020. We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.
Avast spokesperson
Since the storm of controversy that burst out in 2020 following the revelation about the collection, storage, and sale of user data, Avast has taken big steps to re-establish consumer trust, launching new privacy apps like ‘BreachGuard’ and Avast SecureLine VPN, ensuring compliance with the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) privacy regulation for all its products, and establishing partnerships with external privacy organizations like TrustARC, OneTrust, and the Future Privacy Forum, to help them develop effective privacy strategies its products and services.
Whether Avast has fully learned from its mistakes would depend on its actions following this settlement, including how it has adjusted its data handling practices, its commitment to consumer privacy, and adherence to the settlement terms, but typically, companies subjected to such regulatory actions are earnest about compliance with legal requirements, implementing robust privacy policies and enhancing transparency about data usage.