Czech cybersecurity firm Avast has been fined $16.5 million by the United States Federal Trade Commission (FTC) for illicitly collecting a substantial amount of user browsing data and selling it to over a hundred data brokers. The FTC, in its Thursday (2/22) announcement, not only demanded that Avast cease such practices but also imposed the financial penalty.
According to the FTC’s investigation, Avast used its developed antivirus software and browser extensions to gather user browsing data. Not only did Avast store these user details indefinitely, but it also sold them, without user consent or notification, to more than 100 third-party data brokers globally through its subsidiary, Jumpshot, for targeted advertising purposes.
Since at least 2014, Avast utilized browser extensions or antivirus software installed on smartphones and computers to collect users’ browsing data, including search and visited websites. This allowed the company to access sensitive information such as users’ religious beliefs, health issues, political inclinations, location, financial status, and more. Ironically, while Avast publicly claimed that its products could reduce online tracking and protect user privacy, it failed to inform or obtain consent for collecting and selling user data.
Moreover, despite Avast’s claim of using algorithms to first remove personally identifiable information before selling the data, the FTC discovered that Avast created a unique identifier for each browser and the collected data, including visited websites, timestamps, device and browser type, city, and country. This was done despite Avast’s public statement that it only transmitted consumer data in aggregated and anonymized ways.
In 2019, Google and Mozilla removed four browser extensions developed by Avast from their Chrome and Firefox stores due to excessive user tracking. In 2020, following reports of Avast selling user browsing data, the company shut down Jumpshot, its marketing subsidiary, claiming to possess data from 100 million devices globally.
This week, in addition to the $16.5 million fine, the FTC has prohibited Avast from selling browsing data without explicit user consent. Avast must also delete the initially transferred browsing data to Jumpshot and any products or algorithms derived from that data. Avast is mandated to implement a comprehensive privacy program.