Avast

The U.S. Federal Trade Commission (FTC) will order Avast to pay $16.5 million and ban the company from selling users' web browsing data or licensing it for advertising purposes.

The complaint says Avast violated millions of consumers' rights by collecting, storing, and selling their browsing data without their knowledge and consent while misleading them that the products used to harvest their data would block online tracking.

"While the FTC's privacy lawsuits routinely take on firms that misrepresent their data practices, Avast's decision to expressly market its products as safeguarding people's browsing records and protecting data from tracking only to then sell those records is especially galling," said FTC Chair Lina M. Khan.

"Moreover, the volume of data Avast released is staggering: the complaint alleges that by 2020 Jumpshot had amassed 'more than eight petabytes of browsing information dating back to 2014.'"

More specifically, the FTC says UK-based company Avast Limited harvested consumers' web browsing information without their knowledge or consent using Avast browser extensions and antivirus software since at least 2014.

Avast data feeds included unique identifiers for each web browser and a combination of info on every website visited, timestamps, type of device and browser, as well as the users' city, state, and country. When describing its data-sharing practices, the company also falsely claimed it would only transfer the users' personal information in an aggregate and anonymous form.

The FTC also said Avast stored this information indefinitely and sold it to over 100 third parties between 2014 and 2020 through its Jumpshot subsidiary.

For instance, Jumpshot made an agreement with advertising company Omnicom, which allowed it to access 50% of Jumpshot's customer data from six countries: the United States, the United Kingdom, Mexico, Australia, Canada, and Germany, as alleged in the complaint.

Avast also purportedly misled users by promising to protect their privacy by blocking third-party tracking. However, it failed to inform them that their detailed, re-identifiable browsing data would be sold.

The company's data harvesting practices were exposed in December 2019, when Mozilla pulled four of the company's browser extensions (i.e., Avast Online Security, Avast SafePrice, AVG Online Security, and AVG SafePrice) from its Firefox addon repository after receiving reports that they were tracking users' web browsing.

A joint Motherboard and PCMag investigation found one month later that Avast's Jumpshot subsidiary was selling the browsing data collected from customers to third parties, including the Omnicom data broker named in the FTC's complaint.

Besides being ordered to pay $16.5 million, Avast will be prohibited from licensing or selling any browsing data collected using Avast-branded products to third parties for advertising purposes.

The company will have to obtain consent from all customers before selling or licensing browsing data obtained from non-Avast products. The FTC will also require Avast to delete all web browsing data shared with Jumpshot and any products or algorithms developed by Jumpshot using said data.

Furthermore, Avast will have to notify users whose browsing data was sold to third parties without their consent about the FTC's actions against the company.

"Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite. Avast's bait-and-switch surveillance tactics compromised consumers' privacy and broke the law," said Samuel Levine, the head of the FTC's Bureau of Consumer Protection.

An Avast spokesperson told BleepingComputer that the company has already reached a settlement with the FTC to resolve the investigation regarding the data shared with the Jumpshot subsidiary that was shut down in January 2020.

"We are committed to our mission of protecting and empowering people’s digital lives," the spokesperson said.

"While we disagree with the FTC’s allegation and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world."

Update February 22, 11:57 EST: Added Avast's statement.
