FTC Orders Avast to Pay $16.5 Million and Halt Sale of Browsing Data After Deceptive Practices

The Federal Trade Commission (FTC) has mandated that software provider Avast pays $16.5 million and cease the sale or licensing of web browsing data for advertising purposes. The settlement comes as a response to charges asserting that Avast, along with its subsidiaries, violated privacy commitments by selling user data despite assuring customers that its products would safeguard them from online tracking.

The complaint alleges that Avast Limited, based in the United Kingdom, collected users' browsing data through its browser extensions and antivirus software. The company purportedly stored this information indefinitely and sold it without adequate notice or obtaining consumer consent. The FTC contends that Avast misled users by claiming its software would protect privacy by blocking third-party tracking, while in reality, it sold detailed, re-identifiable browsing data to over 100 third parties through its subsidiary, Jumpshot.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, emphasized, "Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite."

The FTC alleges that since at least 2014, Avast has been collecting users' browsing information, including web searches, visited webpages, and sensitive details such as religious beliefs and financial status. Avast failed to inform consumers about this data collection and falsely claimed its products would reduce online tracking.

Following Avast's acquisition of Jumpshot, the latter was rebranded as an analytics company. From 2014 to 2020, Jumpshot sold browsing information to various clients, including advertising, marketing, and data analytics companies. The FTC argues that Avast inadequately anonymized this data, including unique identifiers, timestamps, device information, and location details.

As part of the settlement, Avast will pay a $16.5 million civil penalty and face several restrictions. These include the prohibition of selling browsing data from Avast-branded products, obtaining affirmative consent before selling data from non-Avast products, deleting web browsing information transferred to Jumpshot, notifying affected consumers, and implementing a comprehensive privacy program.

The proposed order aims to ensure that Avast and its subsidiaries accurately represent how they use collected data and prevent deceptive practices in the future. The FTC voted 3-0 to issue the administrative complaint and accept the proposed consent agreement, underscoring the unanimous decision on the matter. FTC Chair Lina M. Khan, along with Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, issued a joint statement emphasizing the importance of holding companies accountable for consumer privacy violations.

The GRC Report is the first word in governance, risk, and compliance news. As your trusted source for comprehensive coverage, the GRC Report keeps you informed and equipped to navigate the evolving landscape of governance, risk, and compliance. And remember, the GRC Report isn't just a news source; it's a community of professionals who share your passion for GRC excellence. Don't miss out on our insightful articles and breaking news – join the conversation and empower your GRC journey.