Avast Limited, a UK-based company that sold browser extensions and antivirus software to protect consumer privacy, stores consumers' browsing data indefinitely and transfers it to third parties without their consent. We did just the opposite by selling it. On February 22, 2024, the FTC fined Avast $16.5 million for a data collection and sales scheme that Avast and its subsidiaries engaged in from 2014 to 2020.
The FTC has begun investigating Avast and its wholly-owned subsidiaries Avast Software, SRO, and Jumpshot, Inc. for violations of Sections 4 and 5 of the Federal Trade Commission Act dating back to at least 2014. The FTC alleged that Avast did the following: and its subsidiaries distributed software marketed for “blocking” purposes.[] Unsolicited tracking cookies protect consumer privacy by collecting consumer browser data and preventing web services from tracking consumers' online activities. Avast's browser extensions, antivirus software, and apps collected URLs, search queries, and cookie values ​​placed on consumers' computers by third parties. However, according to the FTC, Avast and its subsidiaries not only failed to protect consumer privacy as advertised, but also sold “protected” browsing information from 2014 to 2020 without users' notice or consent. was doing.
As claimed by FTC complaint, Avast acquired rival antivirus company Jumpshot in early 2014 and rebranded Jumpshot as an analytics company. From 2014 to 2020, Jumpshot sold browsing information collected by Avast to consulting firms, investment firms, advertising agencies, and data brokers. This data provides buyers with “highly detailed information about how consumers navigate the Internet,” including timestamps and unique device identifiers associated with each browser, allowing Jumpshot and Its buyers can now track individuals over time and across multiple domains. Purchasers were able to use the information they purchased from Jumpshot to engage in activities such as targeted messaging to consumers and businesses.
The FTC asserts that “the vast majority of consumers would not know that Avast software monitors everything they do on the Internet,'' and that the information collected may be sensitive to consumers' religious beliefs, health concerns, etc. , party affiliation, location, and other interests have been revealed. . The FTC accused Avast of improperly collecting, retaining, and selling consumer browsing information, falsely failing to disclose consumer tracking, falsely representing that consumer data was anonymized, and and was accused of engaging in deceptive trade practices.
On February 22, 2024, the FTC and Avast entered into a consent order in which Avast agreed to pay $16.5 million. Avast also agrees not to (1) sell, license, transfer, or otherwise disclose Collected Browsing Information to any third party for advertising purposes without the consumer's affirmative explicit consent; or (2) the purpose, express or implied, for collecting, using, disclosing, or maintaining the collected information, and the extent to which Avast may anonymize the information. Avast also agreed that he would delete and destroy any information collected by Jump Shot within 20 days and instruct buyers to do the same. Avast also agrees that it and its subsidiaries have implemented and maintained a comprehensive privacy program to protect the privacy of the information they collect and certify annually that they have established and maintained that privacy program as mandated. Did.
This is the latest FTC enforcement action targeting companies that misuse or fail to protect sensitive consumer data. In the absence of a federal law protecting consumer privacy, the FTC has used Section 5 of the FTC Act, which prohibits deceptive and unfair trade practices, to punish companies that fail to protect sensitive data, such as biometric data. The government took the difficult decision of imposing a large fine on the government. , sensitive health information, and now your browsing history. What all these enforcement actions and penalties have in common is consumer consent. Companies should always err on the side of clearly communicating their intentions to use the data and obtaining affirmative consent before using the data collected.