FTC Fines Avast for Selling Users' Browsing Data

The Federal Trade Commission (FTC) is fining Avast $16.5 million for allegedly selling consumers' browsing data to third parties despite promising to protect consumers from online tracking.

In its complaint, the FTC said Avast, based in the United Kingdom, through its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent.

Gen Digital is Avast’s parent company.

The FTC also charges that Avast deceived users by claiming its software would protect consumers’ privacy by blocking third-party tracking, but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data. The FTC alleged Avast sold that data to more than 100 third parties through its subsidiary, Jumpshot. 

The FTC's Samuel Levine

“Avast promised users that its products would protect the privacy of their browsing data, but delivered the opposite,” said Samuel Levine, director of the FTC’s bureau of consumer protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

Avast sent us the following statement:

"Avast has reached a settlement with the FTC to resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020. We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world." 

Long History of Collecting Consumers' Browsing Data

According to the FTC, since at least 2014, Avast has been collecting consumers’ browsing information through browser extensions, which can modify or extend the functionality of consumers’ web browsers, and through antivirus software installed on consumers’ computers and mobile devices. This browsing data included information about users’ web searches and the web pages they visited, revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.

According to the FTC complaint, not only did Avast fail to inform consumers that it collected and sold their browsing data, the company claimed that its products would decrease tracking on the internet. For example, when users searched for Avast’s browser extensions, they were told Avast would “block annoying tracking cookies that collect data on your browsing activities” and promised that its desktop software would “shield your privacy. Stop anyone and everyone from getting to your computer.” 

After Avast bought Jumpshot, a competitor antivirus software provider, the company rebranded the firm as an analytics company. From 2014 to 2020, Jumpshot sold browsing information that Avast had collected from consumers to a variety of clients including advertising, marketing and data analytics companies and data brokers, according to the complaint.

The company claimed it used a special algorithm to remove identifying information before transferring the data to its clients. The FTC, however, said the company failed to sufficiently anonymize consumers’ browsing information that it sold in non-aggregate form through various products.

Re-identifying Users' Data

The FTC said Avast failed to prohibit some of its data buyers from re-identifying Avast users based on data that Jumpshot provided. And, even where Avast’s contracts included such prohibitions, the contracts were worded in a way that enabled data buyers to associate non-personally identifiable information with Avast users' browsing information.

Some of the Jumpshot products were designed to allow clients to track specific users or even to associate specific users—and their browsing histories—with other information those clients had, according to the FTC. For example, as alleged in the complaint, Jumpshot entered into a contract with Omnicom, an advertising conglomerate, which stated that Jumpshot would provide Omnicom with an “all clicks feed” for 50% of its customers in the United States, United Kingdom, Mexico, Australia, Canada and Germany. According to the contract, Omnicom was permitted to associate Avast’s data with data brokers’ sources of data, on an individual user basis. 

In addition to paying $16.5 million, which is expected to be used to provide redress to consumers, the proposed order will prohibit Avast and its subsidiaries from misrepresenting how it uses the data it collects.

Other provisions of the proposed order include: