Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
USA: FTC proposes $16.5M fine against Avast for sale of browsing data for advertising purposes
On February 22, 2024, the Federal Trade Commission (FTC) announced a proposed order prohibiting Avast Limited, Avast Software s.r.o, and Jumpshot, Inc., (collectively Avast) from selling or licensing any web browsing data for advertising purposes and requiring Avast to pay $16.5 million for violation of the Federal Trade Commission Act (FTC Act) following an investigation.
Background to the case
In particular, the FTC highlighted that Avast, through its Czech subsidiary, collected consumers' browsing information through browser extensions and antivirus software installed on user devices since at least 2014.
Findings of the FTC
Ostensibly, Avast products were used for security and privacy purposes, collecting information including the Uniform Resource Locators (URLs) of webpages visited, consumers' search queries, and the value of cookies placed on consumers' computers by third parties. The FTC noted that Avast expressly represented that Avast extensions would decrease tracking on the internet, but found that Avast extensions tracked consumers' browsing activities more extensively than ordinary cookies could. The use of such extensions was apparent across both mobile and desktop platforms.
In addition, the FTC outlined that until 2018, Avasts' privacy policy failed to indicate that consumers' browsing data would be disclosed to third parties outside a law enforcement or service provider context, and when the privacy policy was revised, failed to disclose how the data was disclosed. Further, the FTC detailed that Avast failed to notify consumers during the installation of Avast software and for consumers who had already installed Avast software that it had sold their data, including that which had previously been collected from the latter users.
Finally, the FTC considered Avast to have made misrepresentations regarding the aggregation and anonymization of consumers' data. Avast sold consumer browsing information that Avast collected to consulting firms, investment companies, advertising companies, and search engine optimization firms among others, failing to disclose that browsing information was not sufficiently anonymized when sold. Notably, the FTC clarified that the personal information sold by Avast included the precise timestamp of search history, type of device and browser, and the city, state, and country of the consumer.
Outcomes
In light of the above, the FTC required Avast to pay $16.5 million in monetary relief for consumer redress.
More specifically, the FTC also explained that the proposed consent order contains provisions designed to prevent Avast from engaging in the same or similar acts in the future, namely:
- a prohibition on the sale of browsing data from Avast branded products to third parties for advertising purposes;
- obtaining affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes;
- deleting any models, algorithms, or software deployed by Avast based on Avast data;
- clearly and conspicuously notifying users whose browsing information was sold to third parties without their consent about the FTC's actions; and
- establishing, implementing, and maintaining a comprehensive privacy program that protects covered information, which includes:
- designating a qualified employee or employees for the program;
- assessing and documenting internal and external risks to the privacy program; and
- training employees on how to safeguard the privacy of covered information.
You can read the press release here, the complaint here, and the proposed order here.