Avast slapped with $16.5m fine from FTC for selling user data without permission

The US regulator said Avast had been storing and selling customer information acquired through its privacy software without user consent.

by · Tech Monitor

Avast has been fined $16.5m by the US Federal Trade Commission. The regulator said that the cybersecurity firm had been harvesting information from users about their browsing habits through its antivirus software. The FTC added that Avast misled users by telling them that its software would protect their online privacy by blocking third-party trackers, while it was instead collecting and then re-selling their re-identifiable browsing data.

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said the director of the FTC’s Bureau of Consumer Protection, Samuel Levine. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

The FTC has fined Czechia-based cybersecurity firm Avast for re-selling users’ browser data without consent. (Photo by BalkansCat / Shutterstock)

Avast sold user data since 2014

The FTC said that Avast had been collecting users’ browser data since 2014. This included their search history, which, when pieced together by interested third parties, revealed “consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.”

Most of this data was sold to customers by Jumpshot, an analytics company and a Czech subsidiary of Avast. While publicly claiming it was anonymising the information it had acquired through the use of what it described as a “special algorithm,” Jumpshot did nothing of the kind, failing to remove unique identifiers that could be associated with individual users’ web browsers. It was in this way that customer data was sold to over 100 third parties, including advertising companies, data brokers and analytics firms. 

Cybersecurity firm to be banned from re-selling browser data

In addition to fining the cybersecurity firm $16.5m for these infractions, the FTC has also issued a proposed order to prevent Avast from re-selling or licensing browser data. The company will also be required to obtain explicit consent from users when Avast wishes to re-sell or license browsing data it has acquired from non-Avast products, delete any web browsing data delivered to Jumpshot, and “inform consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company.”

A spokesperson from Avast told Reuters that the company had agreed to pay the fine issued by the FTC and that it had closed Jumpshot in 2020 following a joint investigation by Motherboard and PCMag. As for the other provisions of the proposed order, they said, the “operational provisions of the settlement are already consistent with Avast’s current privacy and security programs.”