Avast Faces a $16.5 Million Fine from the FTC for Selling User Browsing Data

The Federal Trade Commission (FTC) of the United States has fined antivirus company Avast $16.5 million for allegedly selling customers' browser information to marketers while falsely advertising that its products would prevent internet monitoring.

Furthermore, the business cannot sell or license any web browsing data for commercial use. Additionally, it must inform users whose browsing information was sold to unaffiliated third parties.

The Federal Trade Commission (FTC) claimed that Avast “unfairly collected consumers' browsing information through the company's browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and consumer consent.”

Along with misleading users into believing that the software would prevent third-party tracking and safeguard their privacy, it also accused the U.K.-based company of misleading users into believing that it would sell their “detailed, re-identifiable browsing data” to over 100 third parties via its Jumpshot subsidiary.

Furthermore, data buyers might link non-personally identifiable information to browser data from Avast users, enabling other businesses to monitor and link individuals and their browsing history to other data they already possess.

After a collaborative investigation by Motherboard and PCMag, the deceptive data privacy practice was exposed in January 2020. Jumpshot identified Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, and Intuit as some of its “past, present, and potential clients.”

Avast's browser add-ons were deleted from the stores of Google Chrome, Mozilla Firefox, and Opera one month earlier. Security researcher Wladimir Palant had previously declared such extensions spyware in October 2019.

Without getting their informed consent, the Avast antivirus software placed on a person's computer collects the data, which includes a user's Google searches, location lookups, and online footprint.
“Browsing data [sold by Jumpshot] included information about users' web searches and the web pages they visited – revealing consumers' religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information,” the Federal Trade Commission claimed.

By August 2018, Jumpshot claimed to be the “only company that unlocks walled garden data,” it claimed to have data from up to 100 million devices. It is stated that the browsing data has been gathered since at least 2014.

In response to the uproar about privacy, Avast announced that it would “terminate the Jumpshot data collection and wind down Jumpshot's operations, with immediate effect.”

Since then, Avast has combined with Norton LifeLock, another cybersecurity startup, to become Gen Digital, the new parent company of Avast, which also produces AVG, Avira, and CCleaner.

Samuel Levine, the Federal Trade Commission's Bureau of Consumer Protection director, stated, “Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite. Avast's bait-and-switch surveillance tactics compromised consumers' privacy and broke the law.”