Avast, a cybersecurity software developer, has been fined $16.5 million by the Federal Trade Commission (FTC). The fine is for unauthorized collection and sale of user browsing data. The FTC’s decision is a significant blow to Avast’s reputation. It also highlights the importance of protecting consumer privacy.
Background
Avast Limited is a UK-based company with a Czech subsidiary, Jumpshot. Avast is accused of collecting consumers’ browsing information through its Czech and selling it without adequate notice or consent. The company collected extensive details about users’ online behaviour, including search histories and website visitation patterns, through browser extensions and antivirus software. Despite claims that the data would be deleted, Avast retained this information indefinitely. The company eventually sold it to over 100 third parties. These include ads, marketing, and data analytics firms, without obtaining proper consent from users.
Deceptive Marketing Practices
The FTC further accused Avast of deceiving customers by promising protection against online tracking while simultaneously selling their browsing data. By doing so, the company breached consumer trust and undermined the very principles upon which its reputation rests. Despite assertions that the data it shares with third parties are anonymous, Avast did not properly anonymize the information. This leaves users vulnerable to identification and potential harm.
FTC Enforcement Measures
To address these transgressions, the FTC imposed several conditions on Avast:
Gizchina News of the week
- Prohibition on Selling Browsing Data: Avast is barred from selling or licensing browsing data obtained from Avast-branded products to third parties.
- Obtaining Affirmative Express Consent: Before selling or licensing browsing data from non-Avast sources, it must first secure explicit approval from consumers.
- Data and Model Deletion: The company must delete all web browsing information transferred to Jumpshot, its former subsidiary, and destroy any related models or algorithms.
- Notification Obligations: The company must notify affected consumers who had their browsing data sold without consent.
- Implementation of Comprehensive Privacy Program: The company will establish a robust privacy program to prevent future infractions.
Avast’s Response
An Avast spokesperson said the company had agreed to pay $16.5 million to resolve the FTC’s charges. The company also said that it has since voluntarily shut down Jumpshot in January 2020.
“The operating terms of the settlement agreement are consistent with Avast’s current privacy and security programs,” the spokesperson said in an email.
Lina Khan, FTC Chairman said in a Tweet
“Avast promised users it would protect their browsing data from online tracking—but then did the exact opposite. FTC’s action against Avast makes clear that browsing data is sensitive, and firms that sell this data could be violating the law…Our action bans Avast from selling browser data to third parties for serving ads. We also secured $16.5 million in relief—the highest monetary remedy in a de novo privacy violation case. We’ll continue to use all our tools to protect Americans from invasive tracking.”
Conclusion
The FTC’s decision to fine Avast $16.5 million for selling user browsing information without permission is a significant step towards protecting consumer privacy. The FTC’s enforcement measures send a strong message to the industry. It reminds them of the importance of adhering to fair trade practices and protecting consumer privacy. As part of the settlement process, the FTC will publish a description of the consent agreement package in the Federal Register. This will permit a period of public comment before finalizing the terms.