The Federal Trade Commission (FTC) orders Avast to pay $16.5 million and be prohibited from selling or licensing users’ web browsing data for advertising purposes.
The complaint alleges that Avast collects, stores, and sells the browsing data of millions of consumers without their knowledge or consent, and misleads consumers into believing that the products used to collect their data block online tracking. It is alleged that the consumer’s rights were violated.
“FTC privacy lawsuits are routinely filed against companies that misrepresent their data practices, but they are also used to protect people’s browsing records, protect them from data tracking, and sell those records. “Avast’s decision to explicitly promote its products is particularly upsetting,” said FTC Chair Lina M. Clan chief.
“Furthermore, the amount of data released by Avast is staggering: The complaint alleges that by 2020, Jumpshot had amassed “more than 8 petabytes of viewing information dating back to 2014.”
More specifically, since at least 2014, the UK-based company Avast Limited has used Avast’s browser extensions and antivirus software to collect consumers’ web browsing information without their knowledge or consent. , the FTC said.
Avast’s data feed included a unique identifier for each web browser and a combination of information about every website visited, timestamp, device and browser type, and the user’s city, state, and country. When explaining its data-sharing practices, the company also falsely claimed that users’ personal information would only be transferred in aggregated and anonymous form.
The FTC also said Avast stored this information indefinitely and sold it to more than 100 third parties through its Jumpshot subsidiary between 2014 and 2020.
For example, Jump Shot has entered into a deal with advertising company Omnicom to access 50% of Jump Shot’s customer data from six countries: the United States, United Kingdom, Mexico, Australia, Canada, and Germany, as alleged in the complaint. was allowed.
Avast also allegedly misled users by promising to protect their privacy by blocking third-party tracking. However, they were not informed that their detailed and re-identifiable browsing data would be sold.
In addition to being ordered to pay $16.5 million, Avast will be prohibited from licensing or selling browsing data collected using Avast-branded products to third parties for advertising purposes.
The company requires consent from all customers before selling or licensing browsing data obtained from non-Avast products.
The FTC also requires Avast to delete all web browsing data shared with Jumpshot and any products or algorithms developed by Jumpshot using that data.
In addition, Avast must notify users whose browsing data was sold to a third party without their consent about the FTC’s action against the company.
“Avast promised users that its products would protect the privacy of their browsing data, when in fact the opposite was true. Avast’s bait-and-switch tactics violated consumer privacy and violated the law,” the FTC’s Bureau of Consumer Affairs said in a statement. Director Samuel Levin said. protection.
An Avast spokesperson said the company has already reached a settlement with the FTC to resolve an investigation into data shared with its Jumpshot subsidiary, which was shut down in January 2020.
“We are committed to our mission of protecting and empowering people’s digital lives,” an Avast spokesperson told BleepingComputer.
“While we disagree with the FTC’s allegations and factual findings, we are pleased to have resolved this matter and look forward to continuing to serve our millions of customers around the world. ”
Updated February 22nd 11:57 EST: Added Avast statement.