FTC Order Will Ban Avast from Selling Browsing Data for Advertising Purposes, Require It to Pay $16.5 Million Over Charges the Firm Sold Browsing Data After Claiming Its Products Would Block Online Tracking

The Federal Trade Commission will require software provider Avast to pay $16.5 million and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.

In its complaint, the FTC says that Avast Limited, based in the United Kingdom, through its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent. The FTC also charges that Avast deceived users by claiming that the software would protect consumers’ privacy by blocking third party tracking, but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data. The FTC alleged Avast sold that data to more than 100 third parties through its subsidiary, Jumpshot. 

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.” 

Since at least 2014, the FTC says Avast has been collecting consumers’ browsing information through browser extensions, which can modify or extend the functionality of consumers’ web browsers, and through antivirus software installed on consumers’ computers and mobile devices. This browsing data included information about users’ web searches and the webpages they visited—revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.

According to the complaint, not only did Avast fail to inform consumers that it collected and sold their browsing data, the company claimed that its products would decrease tracking on the Internet. For example, when users searched for Avast’s browser extensions, they were told Avast would “block annoying tracking cookies that collect data on your browsing activities” and promised that its desktop software would “shield your privacy. Stop anyone and everyone from getting to your computer.” 

After Avast bought Jumpshot, a competitor antivirus software provider, the company rebranded the firm as an analytics company. From 2014 to 2020, Jumpshot sold browsing information that Avast had collected from consumers to a variety of clients including advertising, marketing and data analytics companies and data brokers, according to the complaint.

The company claimed it used a special algorithm to remove identifying information before transferring the data to its clients. The FTC, however, says the company failed to sufficiently anonymize consumers’ browsing information that it sold in non-aggregate form through various products. For example, its data feeds included a unique identifier for each web browser it collected information from and could include every website visited, precise timestamps, type of device and browser, and the city, state, and country. When Avast did describe its data sharing practices, Avast falsely claimed it would only transfer consumers’ personal information in aggregate and anonymous form, according to the complaint.

The FTC says the company failed to prohibit some of its data buyers from re-identifying Avast users based on data that Jumpshot provided. And, even where Avast’s contracts included such prohibitions, the contracts were worded in a way that enabled data buyers to associate non-personally identifiable information with Avast users’ browsing information. In fact, some of the Jumpshot products were designed to allow clients to track specific users or even to associate specific users—and their browsing histories—with other information those clients had. For example, as alleged in the complaint, Jumpshot entered into a contract with Omnicom, an advertising conglomerate, which stated that Jumpshot would provide Omnicom with an “All Clicks Feed” for 50% of its customers in the United States, United Kingdom, Mexico, Australia, Canada, and Germany. According to the contract, Omnicom was permitted to associate Avast’s data with data brokers’ sources of data, on an individual user basis. 

In addition to paying $16.5 million, which is expected to be used to provide redress to consumers, the proposed order, will prohibit Avast and its subsidiaries from misrepresenting how it uses the data it collects. Other provisions of the proposed order include:

• Prohibition on Selling Browsing Data: Avast will be prohibited from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes;
• Obtain Affirmative Express Consent: The company must obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes;
• Data and Model Deletion: Avast must delete the web browsing information transferred to Jumpshot and any products or algorithms Jumpshot derived from that data;
• Notify Consumers: Avast will be required to inform consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company; and
• Implement Privacy Program: Avast will be required to implement a comprehensive privacy program that addresses the misconduct highlighted by the FTC.

The Commission voted 3-0 to issue the administrative complaint and to accept the proposed consent agreement. FTC Chair Lina M. Khan joined by Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a statement on this matter.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

The lead staff attorneys on this matter are Cathlin Tully and Andy Hasty from the FTC’s Bureau of Consumer Protection.