What just happened? Cybersecurity giant Avast has been hit with a $16.5 million fine from the FTC for selling customers’ web browsing data to advertisers. The company carried out this practice despite its promise to protect consumers from online tracking. Avast has now been banned from selling user data for advertising purposes.
The FTC writes in its complaint that from at least 2014 to 2020, Avast collected consumers’ browsing information through its antivirus software and browser extensions. This data included information about searches and web pages that were visited, revealing the likes of religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content, and other sensitive information.
The information Avast gathered was stored indefinitely, according to the complaint, and sold to over 100 third parties without customers’ knowledge or consent. Buyers included Google, Yelp, Microsoft, Home Depot, Pepsi, and consulting giant McKinsey, making Avast tens of millions of dollars.
1. Avast promised users it would protect their browsing data from online tracking – but then did the exact opposite. @FTC’s action against Avast makes clear that browsing data is sensitive, and firms that sell this data could be violating the law. https://t.co/R41ci2LE8j
— Lina Khan (@linakhanFTC) February 22, 2024
Avast had promised that its software blocked data-collecting tracking cookies, but in reality it was the security company doing the tracking.
“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement on Thursday. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”
Avast’s privacy practices came to light in January 2020 following a joint investigation by Motherboard and PCMag. It led to Avast closing down Jumpshot, its data harvesting subsidiary. Avast claimed it removed identifying information from user data before selling it, but the FTC said the company “failed to sufficiently anonymize consumers’ browsing information.” Avast sold data with unique web browser identifiers, precise timestamps, type of device and browser, and the city, state, and country.
Avast had more than 430 million active users worldwide at the time. Jumpshot said it had access to data from 100 million devices.
The FTC’s proposed order will prevent Avast from misrepresenting how it uses the data it collects. It is also prohibited from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes, and must delete all the web-browsing data acquired by Jumpshot.
Avast merged with NortonLifeLock in 2022, forming a parent company called Gen Digital. Its products include AVG, Avira, and CCleaner.
Avast’s statement in response to the FTC’s complaint read: “We are committed to our mission of protecting and empowering people’s digital lives.”
“While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”