FTC fines Avast $16.5 Million and bans sale of browsing data for advertising

FTC fines Avast $16.5 Million and bans sale of browsing data for advertising

The Federal Trade Commission (FTC) this month has taken significant action against global software provider Avast, fining the company $16.5 million and banning them from selling user browsing data for advertising purposes.

The FTC charges that Avast and its subsidiaries violated consumer trust by selling sensitive browsing data to third parties after promising their products would protect privacy and block online tracking.

The FTC's complaint reveals Avast Limited, a UK-based company with a Czech subsidiary, built a business model that depended on exploiting consumer desires for online privacy. For years, they aggressively marketed their antivirus software and browser extensions, emphasizing user control and protection from unwanted surveillance. Advertisements highlighted phrases like "block annoying tracking cookies" and "stop anyone and everyone from getting to your computer."

However, while promoting these benefits, Avast's software collected remarkably granular browsing data from users. This included:

  • Every single website visited, with precise timestamps
  • Detailed search queries, revealing personal interests
  • Location data, pinpointing user movements
  • Information exposing health concerns, political views, shopping habits, and other private details
  • The specific content of viewed social media pages and web forums

From Antivirus to Data Broker: The Jumpshot Connection

The FTC alleges that Avast's 2013 acquisition of Jumpshot, another antivirus provider, was a pivotal moment. Rather than simply merging products, Avast repurposed Jumpshot as a data analytics company – the mechanism through which they monetized the vast amounts of browsing data collected. Jumpshot's clients spanned various industries, including:

  • Large advertising networks
  • Marketing data aggregators
  • Data brokers specializing in detailed consumer profiles

Avast claimed to anonymize this data before selling it, but the FTC found their methods insufficient. Individual browsers were often tracked with unique identifiers across the web for extended time periods. Furthermore, contracts with some buyers explicitly allowed them to re-identify consumers by combining Avast's data with other information sources, undermining the privacy protections Avast claimed to provide.

The Fallout: Consumers Betrayed

The FTC's action against Avast underscores the risks of the opaque data market and highlights the lack of clear privacy regulations in the US. Consumers who installed Avast products reasonably expected protection, not exploitation.

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

Consequences and Requirements for Change

The FTC's order aims to redress the harm and prevent similar conduct. Beyond the $16.5 million fine, Avast faces the following requirements:

  • Ban on Data Sales: Prohibition from selling/licensing Avast-branded product browsing data for advertising purposes.
  • Strict Consent: Cannot sell non-Avast browsing data unless users give clear, affirmative consent.
  • Data Deletion: Must delete all data acquired through Jumpshot and its resulting products.
  • Notice to Consumers: Must inform affected users about the FTC's action and data sales.
  • Comprehensive Privacy Program: Implement new measures to protect data and prevent misconduct.

Protecting Yourself: Consumer Takeaways and Resources

The Avast case highlights the need for vigilance when choosing software and services:

  • Privacy Policies Matter: Read them carefully, paying attention to data collection and use practices.
  • "Free" Isn't Always Free: Consider the "hidden costs" – is the product monetized by selling your data?
  • Choose Reputable Companies: Research companies, read reviews, and stick with trusted brands.
  • Use Privacy Tools: Utilize reputable browser extensions focused on privacy or a Virtual Private Network (VPN).

Read more