Cybersecurity software company Avast will pay $16.5 million for selling consumer data to third parties as part of a settlement with the Federal Trade Commission. It’s also being slapped with a ban from the FTC from selling or licensing data for advertising purposes.
The agency says that Avast and its subsidiaries collected substantial amounts of aggregated, re-identifiable data from its browsing extensions and antivirus software, indefinitely stored it, and then sold users’ web browsing histories from 2014-2020 — all without “adequate” consent or notice.
According to the FTC, more than 100 of Avast’s clients bought this data, including advertising companies, consulting firms, and data brokers.
The FTC argues in its complaint that Avast also “deceived users by claiming that the software would protect consumers’ privacy by blocking third party tracking,” while, in reality, it peddled their browsing data.
“A person’s browsing history can reveal extraordinarily sensitive information. A record of the websites someone visits can divulge everything from someone’s romantic interests, financial struggles, and unpopular political views to their weight-loss efforts, job rejections, and gambling addiction,” FTC chair Lina Khan said in a statement.
“The FTC charges that Avast’s conduct here was not only deceptive, but also an unfair practice,” Khan continued. “Because it is intrinsically sensitive, browsing data warrants heightened protection.”
The sale was spearheaded by Avast’s American subsidiary. Jumpshot claimed its data from over 100 million global online consumers could help customers “see where your audience is going before and after they visit your site or your competitors’ sites, and even track those who visit a specific URL.”
The detailed nature of the web browsing data sold is astonishing. Clients got their hands on web page visits, precise timestamps, the city, state, and country where a user was based, and the type of device and browser they used. Much of this data came with a “unique and persistent device identifier associated with each particular browser” that allowed “the third-party buyer to trace individuals across multiple domains over time.”
An Avast spokesperson said they settled with the FTC to “resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020.”
“We are committed to our mission of protecting and empowering people’s digital lives,” the spokesperson said. “While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”