FTC sends $15.3 million in refunds to Avast antivirus customers

Federal Trade Commission distributes nearly $15.3 million to 103,152 Avast customers through checks, PayPal and Zelle following June 2024 settlement over deceptive privacy claims.

The Federal Trade Commission began distributing $15.3 million to consumers affected by deceptively marketed antivirus software from Avast on December 2, 2025, marking the culmination of a case that exposed how privacy software itself violated user privacy through undisclosed data collection and sale practices.

According to the announcement, the agency sent checks, PayPal payments, and Zelle transfers to 103,152 Avast customers who filed valid claims following a settlement agreement reached in June 2024. The refund program addresses allegations that Avast used its browser extensions and antivirus software to collect, store, and sell consumers' browsing information without adequate notice and without consumer consent.

The settlement stems from complaints filed by the FTC in February 2024. Those complaints alleged Avast deceived users by claiming the software would protect consumers' privacy by blocking third party tracking, yet failed to adequately inform consumers that it would then sell their detailed, re-identifiable browsing data. The enforcement action targeted practices spanning multiple years during which Avast marketed itself as a privacy-protecting tool while simultaneously operating what regulators characterized as an extensive data collection operation.

Consumer payment methods varied according to selections made when filing claims. Check recipients must cash their checks within 90 days as indicated on payment documentation. PayPal recipients received 30 days to redeem their PayPal payments. Zelle payments were deposited directly into recipient bank accounts without requiring additional action from consumers.

The refund administrator, Rust Consulting, Inc., handles consumer questions through a dedicated phone line at 1-866-290-0165. According to FTC guidance documents, the Commission never requires people to pay money or provide account information to file a claim or receive a refund. Recipients who encounter problems with payments or have questions about the process can contact Rust Consulting directly or visit the FTC website for frequently asked questions about the refund process.

The case highlights persistent tensions between privacy marketing claims and actual data handling practices across consumer software products. Avast positioned its antivirus and browser security products as protecting users from third-party tracking and surveillance. Marketing materials emphasized privacy protection as a core product benefit, attracting consumers concerned about online tracking and data collection by advertising companies.

Yet according to the February 2024 complaint, Avast operated a subsidiary called Jumpshot that monetized user browsing data. The subsidiary sold de-identified browsing information to third parties for advertising and analytics purposes. The FTC argued this data remained re-identifiable despite technical processing intended to obscure direct links to specific individuals. Browsing histories can reveal sensitive information including health conditions, political views, financial status, and personal relationships through patterns of website visits and search queries.

The distinction between anonymous and re-identifiable data represents a recurring issue in FTC enforcement actions targeting data collection practices. Technical methods such as hashing transform data into different formats but often fail to eliminate the possibility of linking information back to specific individuals. The Commission has consistently maintained that companies cannot claim anonymization when re-identification remains technically feasible.
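The point about hashing can be checked on a data export before it is released. The following is an added example, not code from the FTC, Avast, or Jumpshot, and it does not describe how any of them processed data. The sample records, function names, and candidate list are all constructed. It compares plain SHA-256 tokens with HMAC tokens under a fresh secret key per export, using two checks: whether separate exports share tokens, and whether a list of candidate identifiers reproduces them.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: (user identifier, visited URL). Not real records.
EVENTS = [
    ("alice@example.com", "https://clinic.example/appointments"),
    ("bob@example.com", "https://news.example/politics"),
    ("alice@example.com", "https://bank.example/loans"),
]

def unsalted_token(user_id: str) -> str:
    """Plain SHA-256 of the identifier: same input, same token, everywhere."""
    return hashlib.sha256(user_id.encode()).hexdigest()

def keyed_token(user_id: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key held only by the data owner."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()

def release(events, tokenize):
    """Build a 'de-identified' export: the identifier is replaced by a token."""
    return [(tokenize(uid), url) for uid, url in events]

def shared_tokens(release_a, release_b) -> int:
    """Count tokens present in both exports (cross-dataset linkage)."""
    return len({t for t, _ in release_a} & {t for t, _ in release_b})

def matched_by_candidates(rel, candidates, tokenize) -> dict:
    """Map token -> identifier for tokens reproducible from a candidate list."""
    lookup = {tokenize(c): c for c in candidates}
    return {t: lookup[t] for t, _ in rel if t in lookup}

def audit():
    """Return ((shared, matched) for plain hashing, (shared, matched) for keyed)."""
    known_ids = ["alice@example.com", "carol@example.com"]  # constructed list

    # Plain hashing: two separate exports still carry the same token per user,
    # and anyone holding candidate identifiers can recompute the tokens.
    a = release(EVENTS[:2], unsalted_token)
    b = release(EVENTS[2:], unsalted_token)
    plain = (shared_tokens(a, b),
             len(matched_by_candidates(a + b, known_ids, unsalted_token)))

    # Keyed hashing with a fresh secret key per export: tokens differ between
    # exports, and a party without the keys cannot recompute them.
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    a2 = release(EVENTS[:2], lambda u: keyed_token(u, k1))
    b2 = release(EVENTS[2:], lambda u: keyed_token(u, k2))
    keyed = (shared_tokens(a2, b2),
             len(matched_by_candidates(a2 + b2, known_ids, unsalted_token)))
    return plain, keyed

if __name__ == "__main__":
    print(audit())
```

Even with keyed tokens, all of one user's URLs inside a single export still share one token, so the browsing trail itself can remain identifying.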

Avast's browser extensions collected information about every website users visited, including URLs, timestamps, and page content. The antivirus software monitored browsing behavior as part of its security scanning functions. This technical architecture positioned Avast to observe essentially all online activity conducted by users with the software installed.

The June 2024 settlement imposed specific obligations on Avast beyond monetary consumer redress. The company faced a permanent prohibition on selling or licensing web browsing data for advertising purposes. This restriction limits Avast's ability to monetize browsing information collected through its security products, fundamentally altering the business model that generated revenue from Jumpshot operations.

Data deletion requirements mandated that Avast destroy all web browsing information previously transferred to Jumpshot. The company must also delete any products or algorithms derived from this browsing data. These provisions aim to prevent continued use of improperly collected information even after ceasing new collection activities.

The settlement established specific consent requirements for any future data sales. Avast must obtain clear and affirmative express consent from users before selling or licensing browsing data from non-Avast products to third parties for advertising purposes. This standard exceeds typical terms of service disclosures by requiring explicit opt-in consent rather than buried provisions in lengthy privacy policies.

User notification obligations require Avast to inform affected individuals about the FTC's enforcement action. This provision ensures consumers understand that their browsing information was sold without proper consent and provides transparency about how the company handled their data.

The $15.3 million refund total represents funds Avast agreed to provide as part of the settlement agreement. Distribution amounts to individual consumers depend on several factors including how long they used Avast products, which specific products they purchased, and claim documentation provided during the claims process. The FTC typically distributes available funds on a pro rata basis when total harm exceeds available resources, meaning each recipient receives an equal percentage of documented losses.

Avast's case joins a broader pattern of FTC enforcement targeting companies whose privacy claims conflict with actual data practices. The Commission has taken action against numerous technology companies for misrepresenting data collection, use, and sharing activities. Enforcement actions have addressed social media platforms, data brokers, mobile applications, and hardware manufacturers across multiple years.

The agency faced significant backlash in similar enforcement actions where available settlement funds fell far short of total consumer losses. Bankruptcy proceedings, asset dissipation, and limited defendant resources often constrain the FTC's ability to secure full restitution for affected consumers. The Avast settlement provided substantial funds relative to some other cases, though individual payment amounts remained modest given the large number of affected users.

Browser extensions present particular privacy challenges because they operate with elevated permissions allowing access to all websites users visit. Extensions marketed for security, ad blocking, or privacy protection often require broad access to browsing data to perform their advertised functions. This technical necessity creates opportunities for data collection that extend far beyond what users typically expect from security software.

Industry practices around browser data collection have evolved significantly in response to regulatory pressure and privacy concerns. Major browser developers including Google, Mozilla, and Apple have implemented restrictions on extension capabilities and enhanced permission disclosure requirements. These changes aim to give users better control over what information extensions can access and how that information gets used.

The advertising technology industry has responded to the erosion of third-party cookies and device identifiers by seeking alternative data sources. First-party data collected directly from consumers has become increasingly valuable for advertisers seeking to target campaigns effectively. This dynamic creates financial incentives for companies with direct consumer relationships to monetize browsing behavior and personal information.

Consent management represents a critical compliance requirement across multiple privacy regulations. The California Consumer Privacy Act, General Data Protection Regulation, and various other laws establish specific standards for obtaining consumer consent before collecting or sharing personal information. Companies must provide clear disclosures about data practices and give consumers meaningful choices about whether to allow data collection and sharing.

The FTC's enforcement approach has increasingly focused on deceptive privacy claims rather than establishing comprehensive privacy standards through rulemaking. Individual enforcement actions address specific deceptive practices but create uncertainty about broader industry obligations. Technology companies face challenges determining what constitutes adequate privacy protection in the absence of clear regulatory standards applicable across contexts.

Payment distribution through multiple methods including checks, PayPal, and Zelle reflects the FTC's efforts to maximize the number of consumers who successfully receive refunds. Check processing creates challenges when recipients move, change names, or encounter other circumstances preventing payment receipt. Electronic payment methods including PayPal and Zelle typically achieve higher redemption rates because they deliver funds directly to accounts recipients already use for other transactions.

The claims process required affected consumers to affirmatively file documentation with the FTC's refund administrator. Many eligible consumers never file claims due to lack of awareness, difficulty navigating claims processes, or skepticism about legitimacy. The FTC's consumer education efforts aim to increase claim filing rates, but substantial amounts often remain unclaimed after initial distribution periods.

Unclaimed funds return to the U.S. Treasury when the FTC exhausts distribution efforts. The agency attempts secondary distributions when significant funds remain after initial payments, but administrative costs limit how many distribution rounds prove economically viable. Over the last five years, more than 95% of money collected for refunds has been returned to consumers according to the agency's Refunds Dashboard.

Marketing professionals should understand that privacy violations carry significant financial and reputational risks. Consumer trust represents a valuable asset that becomes difficult to rebuild once damaged through privacy breaches or deceptive practices. Companies that prominently market privacy protection face heightened scrutiny when their actual practices fall short of marketing claims.

The Avast case demonstrates how technical capabilities for data collection can conflict with consumer expectations set through marketing messages. Software that monitors all browsing activity for security purposes inevitably sees sensitive information. The distinction between legitimate security scanning and unauthorized data harvesting depends largely on proper consent, disclosure, and restrictions on secondary data use.

Advertising industry consolidation around a few large platforms has concentrated enormous amounts of consumer data in the hands of Google, Meta, Amazon, and other dominant players. These companies face ongoing regulatory scrutiny across multiple jurisdictions addressing privacy practices, competition concerns, and content moderation obligations. Smaller advertising technology companies struggle to compete while navigating increasingly complex privacy compliance requirements.

The FTC announced that its 2024 actions led to more than $339 million in refunds to consumers across the country. This total encompasses multiple enforcement cases beyond the Avast matter, including actions targeting business opportunity fraud, deceptive subscription practices, and various other consumer protection violations. Refund totals vary dramatically across cases depending on defendant assets, cooperation levels, and the nature of underlying violations.

Interactive dashboards maintained by the FTC provide state-by-state breakdowns of refund distributions. These data visualization tools allow researchers and journalists to track enforcement patterns, identify geographic concentrations of affected consumers, and analyze trends in the types of cases generating consumer redress. Transparency around refund programs supports accountability and helps consumers verify whether they might be eligible for payments in past or current cases.

The December 2, 2025 payment distribution date marks approximately 11 months after the February 2024 complaint filing and six months after the June 2024 settlement agreement. This timeline reflects the FTC's goal of sending payments within six months of receiving data and money necessary for distribution. Lengthy settlement negotiations, claims processing, and administrative requirements often extend timelines beyond initial projections.

Avast continues operating its antivirus and security software business under the terms of the settlement order. The prohibition on selling browsing data for advertising purposes constrains one revenue stream but does not prevent the company from offering security products or charging subscription fees. Many security software companies operate without monetizing browsing data, relying instead on subscription revenue from end users.

Consumer protection advocates have long argued that free or low-cost security products often hide their true costs by monetizing user data. The adage "if you're not paying for the product, you are the product" applies to many services that appear free while generating revenue through advertising or data sales. Security software presents an especially problematic case because users download these tools specifically to protect privacy and security.

The FTC's jurisdiction encompasses enforcement of Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. This broad authority allows the Commission to challenge various business practices that harm consumers even when specific privacy statutes might not apply. Deceptive marketing claims fall squarely within this authority regardless of the industry or product category involved.

Federal privacy legislation remains limited despite years of congressional discussion about comprehensive data protection laws. The lack of an omnibus federal privacy statute creates a patchwork of sectoral laws, state regulations, and enforcement actions addressing specific practices. Technology companies face obligations under California's privacy laws, European regulations like GDPR when serving international users, and various sector-specific requirements, but no single comprehensive federal framework governs most commercial data collection and use.

The Avast refund program illustrates both the possibilities and limitations of consumer redress through enforcement actions. Affected users received compensation for privacy violations, and Avast faces ongoing restrictions on data practices. However, individual payment amounts likely remained modest relative to privacy harms experienced, and many eligible consumers may never receive payments if they failed to file claims or cannot be located.

Timeline

  • February 2024: FTC alleges that Avast collected users' browsing data through browser extensions and antivirus software and sold this information without consent
  • June 2024: FTC reaches settlement with Avast requiring consumer redress and prohibiting future browsing data sales for advertising purposes
  • July 2024: FTC issues warning about hashed data anonymity claims, reinforcing stance on data re-identification risks
  • August 2024: FTC announces enforcement actions against TikTok for alleged COPPA violations involving data collection from children
  • September 2024: FTC launches Operation AI Comply targeting companies using artificial intelligence for deceptive practices
  • October 2024: FTC finalizes "Click to Cancel" rule addressing subscription cancellation difficulties
  • November 2024: FTC issues guidance on Data Clean Rooms warning about privacy technology limitations
  • November 2025: Meta reaches $190 million settlement with shareholders over Cambridge Analytica privacy failures
  • December 2, 2025: FTC sends payments totaling $15.3 million to 103,152 Avast customers who filed valid claims

Summary

Who: The Federal Trade Commission distributed refunds to 103,152 Avast customers who filed valid claims following a settlement with Avast, with payments administered by Rust Consulting, Inc. The case targeted practices by Avast Software s.r.o. and its subsidiary Jumpshot Inc., which collected and sold browsing data.

What: The FTC sent payments totaling nearly $15.3 million through checks, PayPal, and Zelle to consumers affected by deceptively marketed antivirus software. The settlement requires Avast to provide consumer redress, delete previously collected browsing data transferred to Jumpshot, and prohibits the company from selling or licensing web browsing data for advertising purposes. Avast must obtain clear affirmative consent before any future data sales and notify affected users about the enforcement action.

When: The FTC announced the refund distribution on December 2, 2025, approximately six months after reaching a settlement agreement in June 2024 and 10 months after filing initial complaints in February 2024. Check recipients have 90 days to cash payments while PayPal recipients must redeem within 30 days of receipt. The underlying violations occurred over multiple years when Avast operated its data collection and sales operation.

Where: The enforcement action originated from Federal Trade Commission headquarters but affects consumers nationwide who purchased or used Avast antivirus software and browser extensions. Refund payments reach customers across all U.S. states through mail-delivered checks and electronic payment platforms. Affected consumers used Avast products on personal computers, mobile devices, and web browsers for security and privacy protection.

Why: Avast violated consumer protection laws by claiming its software would protect user privacy by blocking third-party tracking while simultaneously collecting detailed, re-identifiable browsing data and selling this information to third parties for advertising purposes without adequate disclosure or consent. The deceptive privacy claims misled consumers who specifically purchased security software to protect their online activities. The settlement aims to compensate affected users, prevent future violations, and establish clear standards for consent before selling browsing data.