FTC Orders Avast to Pay $16.5M for Selling Data
The Federal Trade Commission (FTC) has ordered Avast to pay $16.5 million and to cease the practice of selling customer browsing data for advertising purposes.
The FTC has “reason to believe” that Avast sold customer browsing data to more than 100 third parties through its subsidiary Jumpshot without consumer consent or notification. Avast did all of this while claiming to customers that it was selling antivirus software that would protect customer’s privacy by blocking third party tracking cookies.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, pointed out that “Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite.”
Beyond storing and selling the data without consent, the FTC claims that the data was not sufficiently anonymized or aggregated and would thus allow third parties to identify specific users and even cross reference users browsing history with data from other systems.
Avast acquired Jumpshot, a competitive antivirus software, in 2013. It rapidly rebranded it as an analytics company and the FTC claims Jumpshot sold Avast user data from 2014 to 2020, at which time Avast closed Jumpshot.
Beyond the $16.5 million payment, the FTC will also block Avast from selling user data, requiring it to delete currently stored data sent to Jumpshot as well as any products or algorithms based on the user data. Finally, it will oblige Avast to notify its customers about the outcomes of the FTC order.
The current FTC order is now subject to a 30-day period for public comment in the Federal Register, after which it will decide whether to make the order final.
Avast claims it has reached a settlement with the FTC. In a statement, the company said, “While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”