The US government’s consumer protection agency is moving to ban anti-malware software vendor Avast from selling customer web browsing data to third-party advertising companies.
A complaint from the Federal Trade Commission (FTC) accused the European security company of unfairly collecting consumer web browsing data through its browser extension and anti-virus software and “and sold it without adequate notice and without consumer consent.”
The agency also plans to slap Avast with a $16.5 million fine and an order to stop selling or licensing any web browsing data for advertising purposes.
In its complaint, the FTC also charges the Czech company deceived users by claiming that the software would protect consumers’ privacy by blocking third party tracking, but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data.
The complaint alleges that Avast sold that data to more than 100 third parties through its Jumpshot subsidiary.
“Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law,” said FTC director Samuel Levine. “Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite.”
The FTC said the browsing data, collected and resold since at least 2014, included information about users’ web searches and the web pages they visited — revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.
The commission said Avast acquired rival Jumpshot and rebranded the firm as an analytics play that sold browsing information that Avast had collected to advertising, marketing and data analytics companies and data brokers.
Despite Avast claims that it used special tools to remove identifying information before transferring the data to its clients, the watchdog agency said the company failed to sufficiently anonymize consumers’ browsing information that it sold in non-aggregate form through various products.
“For example, its data feeds included a unique identifier for each web browser it collected information from and could include every website visited, precise timestamps, type of device and browser, and the city, state, and country. When Avast did describe its data sharing practices, Avast falsely claimed it would only transfer consumers’ personal information in aggregate and anonymous form, according to the complaint,” the FTC said.
UPDATE: Avast has issued the following statement on the FTC’s proposed order:
“Avast has reached a settlement with the FTC to resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020. We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”
Related: UK Clears Norton’s $8B Avast Cyber Security Takeover
Related: FTC Orders Blackbaud to Address Poor Security Practices
Related: Flaws in Avast, AVG Software Could Cause Attacks on Millions of Devices
Related: FTC Accuses Data Broker of Selling Sensitive Location Data