To protect consumer privacy, the Federal Trade Commission (FTC) has finalized an order against Avast, banning the antivirus software provider from selling or licensing web browsing data for advertising purposes. This decision comes after the FTC found that Avast and its subsidiaries engaged in deceptive practices by collecting and selling consumers’ detailed browsing information without proper consent.
The FTC’s investigation, which was first announced in February, revealed that Avast’s products, including browser extensions and antivirus software, were unfairly collecting consumers’ browsing data. This data was stored indefinitely and sold to third parties without adequate user notice. Despite promising to protect consumers from online tracking, Avast failed to inform users that it would sell their re-identifiable browsing data.
FTC Commissioner, Rebecca Kelly Slaughter, remarked, “Consumers expect their data to be private and secure, especially when using products marketed for privacy protection. Avast’s practices were a stark violation of this trust.”
According to the FTC, Avast’s subsidiary, Jumpshot, sold the browsing data of over 100 million users to more than 100 third parties between 2014 and 2020. This data included search terms, URLs accessed, and even the contents of cookies, which are small pieces of data stored by websites on a user’s device. Despite claims that the data was anonymized, the FTC found that it was re-identifiable. In 2020, Avast began to wind down its Jumpshot subsidiary.
As part of the settlement, Avast must pay $16.5 million, which will be used to provide redress to affected consumers. The company must also delete all web browsing information transferred to Jumpshot and any products or algorithms derived from that data. Additionally, Avast must obtain express consent from consumers before selling or licensing browsing data in the future.
The order also mandates that Avast notify consumers whose data was sold without their consent about the FTC’s actions. Additionally, Avast must implement a comprehensive privacy program to address the misconduct highlighted by the FTC. This program will be subject to third-party reviews and annual compliance monitoring for the next ten years.
