Avast, a leading cybersecurity software company, finds itself in hot water as the Federal Trade Commission (FTC) levies a hefty fine of $16.5 million against it. This action comes after Avast was discovered storing and selling customer information without their explicit consent.
In its announcement, the FTC also mandates that Avast cease the sale of user data for advertising purposes.
Avast Engages in Unauthorized Data Collection and Sale
The FTC's complaint reveals that Avast engaged in the unauthorized harvesting of user web browsing data through its antivirus software and browser extensions from 2014 to 2020. Surprisingly, this practice encompassed collecting sensitive information, including religious beliefs, health data, political affiliations, geographical locations, and financial standing.
Subsequently, Avast stored this data indefinitely and privately sold it to more than 100 third-party entities without the knowledge or consent of its customers.
Exposure and Fallout
Avast's unethical data privacy practices came to light in 2020 following an investigative report by Motherboard and PCMag. In response, Avast promptly discontinued its data harvesting division, Jumpshot.
Despite Avast's assertion that it anonymized user data before sale, the FTC's investigation uncovered glaring deficiencies in this process. The company's failure to adequately anonymize browsing information resulted in the sale of identifiable data, including browsing history, timestamps, device specifics, and user locations.
Deceptive Practices of Avast
The FTC's scrutiny also revealed that Avast deceived users by falsely claiming its software could prevent online tracking while actively engaging in such practices itself. In addition to the substantial fine, the FTC's proposed order mandates Avast to refrain from misrepresenting its data handling practices.
Avast is compelled to cease selling or licensing browsing data from its products and expunging all web browsing data acquired through Jumpshot. Furthermore, Avast must notify affected customers regarding the unauthorized sale of their data.
"We are committed to our mission of protecting and empowering people's digital lives. While we disagree with the FTC's allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world," Avast spokesperson Jess Monney told The Verge in a statement.
FTC Assures to Safeguard Customers' Data Privacy
This enforcement action against Avast pinpoints the FTC's intensified focus on addressing lapses in data privacy. Earlier in January, the FTC reached settlements with Outlogic (formerly X-Mode Social) and InMarket, restricting the sale of location-tracking data. These actions reflect a broader regulatory trend to safeguard consumer privacy and hold companies accountable for their data practices.