The Federal Trade Commission (FTC) requires Avast, an antivirus security vendor, to pay a $16.5 million fine to settle charges that the company and its subsidiaries sold and licensed browsing data Web to third parties, after claiming that its products protect consumers from such online tracking.
The FTC claimed that Avast was collecting consumers’ browsing data and storing it indefinitely without notice or consent, as noted in the complaint. Additionally, the FTC alleged that Avast deceived its users by claiming it would protect their privacy by preventing third-party tracking, and then sold identifiable browsing data to more than 100 third parties through Jumpshot, a subsidiary.
The FTC said Avast has been collecting consumer browsing data since 2014 using antivirus software installed on users’ devices. Browsing data reveals users’ private information such as religious beliefs, health problems, financial status, political affiliations, and other sensitive information.
“Avast promised users that its products would protect the privacy of their browsing data, but got the opposite,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics have compromised consumer privacy and broken the law.”
The money Avast was ordered to pay will go to affected consumers. Additionally, in a proposed ordinance approved 3-0 by the commission, the company will be prohibited from “misrepresenting how it uses the data it collects.”
Beyond that, Avast must obtain express and affirmative consent from users before selling their data, delete web browsing information transferred to Jumpshot, notify consumers of browsing data sold, and implement a privacy program to address misconduct highlighted by the FTC.