The Federal Trade Commission (FTC) has prohibited Avast from selling or licensing web browsing data for advertising purposes. The company will also pay a fine to resolve the FTC charges.
In its complaint, the FTC alleges that U.K.-based Avast, through its Czech subsidiary, improperly collected consumer browsing information through its browser extensions and antivirus software, and that it did so without proper notice to consumers. It states that it was stored indefinitely and sold without the consent of the owner. . The FTC also found that Avast misled users by claiming the software protected consumer privacy by blocking third-party tracking, but sold detailed re-identifiable browsing data to consumers. The lawsuit also accuses the company of failing to properly notify the company. The FTC alleged that Avast sold that data to more than 100 third parties through its Jumpshot subsidiary.
According to the FTC, since at least 2014, Avast has collected consumer browsing information through browser extensions that can modify or extend the functionality of consumers’ web browsers and through antivirus software installed on consumers’ computers and mobile devices. It is said that he has done so. This browsing data includes information about the user’s web searches and the web pages the user visits, and includes information about the consumer’s religious beliefs, health concerns, political leanings, location, economic situation, Access to children’s content and other sensitive information will be revealed.
According to the complaint, Avast not only failed to notify consumers that it was collecting and selling browsing data, but also claimed that its products reduce tracking on the Internet. For example, when users searched for Avast’s browser extensions, they were told that Avast would “block unwanted tracking cookies that collect data about their browsing activities” and promised that its desktop software would “protect your privacy.” Prevent anyone from accessing your computer. ”
The company claimed that it used special algorithms to remove identifying information before transferring data to customers. But the FTC alleges that the company failed to adequately anonymize consumer browsing information, which it sold in disaggregated form through its various products. For example, that data feed contains a unique identifier for each web browser that collected the information, including all websites visited, exact timestamp, device and browser type, city, state, and country. there is a possibility. The complaint alleges that when Avast explained its data-sharing practices, it falsely claimed that it would only transfer consumers’ personal information in aggregated and anonymous form.
The FTC alleges that the company failed to prohibit some data buyers from re-identifying Avast users based on data provided by Jump Shot. Additionally, even if Avast’s contract contains such a prohibition, the contract contains language that allows a data purchaser to associate non-personally identifiable information with Avast’s user browsing information. I did. In fact, some of Jumpshot’s products are designed to allow clients to track specific users and to associate specific users (and their browsing history) with other information the client has. For example, as alleged in the complaint, Jumpshot has a contract with Omnicom, an advertising conglomerate, in which Jumpshot provides an “All Clicks Feed” to 50% of his customers in the United States, United Kingdom, and Mexico. It is stated that it will be provided to Omnicom. , Australia, Canada, and Germany. The agreement allowed Omnicom to associate Avast data with the data broker’s data sources on a user-by-user basis.
In addition to a $16.5 million payment that would be used to provide relief to consumers, the proposed order would prohibit Avast and its subsidiaries from misrepresenting how they use the data they collect. Other provisions of the proposed order include:
- Prohibited from selling browsing data: Avast is prohibited from selling or licensing browsing data from Avast-branded products to third parties for advertising purposes.
- Obtain affirmative, explicit consent: Companies obtain affirmative, explicit consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes. is needed.
- Data and Model Deletion: Avast must delete any web browsing information transferred to Jumpshot, and any Jumpshot products or algorithms derived from that data.
- Consumer Notification: Avast must notify consumers whose browsing information was sold to a third party without their consent about the FTC’s action against them.
- Implementing a Privacy Program: Avast must implement a comprehensive privacy program that addresses the fraudulent practices flagged by the FTC.
