FTC to ban Avast from selling browsing data for advertising purposes

The U.S. Federal Trade Commission (FTC) will order Avast to pay $16.5 million and ban the company from selling the users' web browsing data or licensing it for advertising purposes.

The complaint says Avast violated millions of consumers' rights by collecting, storing, and selling their browsing data without their knowledge and consent while misleading them about the privacy protection offered by their software.

"While the FTC's privacy lawsuits routinely take on firms that misrepresent their data practices, Avast's decision to expressly market its products as

safeguarding people's browsing records and protecting data from tracking only to then sell those records is especially galling," said FTC Chair Lina M. Khan.

"Moreover, the volume of data Avast released is staggering: the complaint alleges that by 2020 Jumpshot had amassed "more than eight petabytes of browsing information dating back to 2014."

More specifically, the FTC says UK-based company Avast Limited harvested consumers' web browsing information without their knowledge or consent using Avast browser extensions and antivirus software since at least 2014.

Avast data feeds included unique identifiers for each web browser and a combination of info on every website visited, timestamps, type of device and browser, as well as the users' city, state, and country. When describing its data-sharing practices, the company also falsely claimed it would only transfer the users' personal information in an aggregate and anonymous form.

The FTC also said Avast stored this information indefinitely and sold it to over 100 third parties between 2014 and 2020 through their Jumpshot subsidiary.

For instance, Jumpshot made an agreement with advertising company Omnicom, which allowed it to access 50% of Jumpshot's customer data from six countries: the United States, the United Kingdom, Mexico, Australia, Canada, and Germany, as alleged in the complaint.

Avast also purportedly misled users by promising to protect their privacy by blocking third-party tracking. However, it failed to inform them that their detailed, re-identifiable browsing data would be sold.

​Besides being ordered to pay $16.5 million, Avast will be prohibited from licensing or selling any browsing data collected using Avast-branded products to third parties for advertising purposes.

The company will have to obtain consent from all customers before selling or licensing browsing data obtained from non-Avast products. 

The FTC will also require Avast to delete all web browsing data shared with Jumpshot and any products or algorithms developed by Jumpshot using said data. 

Furthermore, Avast will have to notify users whose browsing data was sold to third parties without their consent about the FTC's actions against the company.

"Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite," said Samuel Levine, the head of the FTC's Bureau of Consumer Protection.

"Avast's bait-and-switch surveillance tactics compromised consumers' privacy and broke the law."

An Avast spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.