The U.S. Federal Trade Commission (FTC) has imposed a $16.5 million fine on antivirus vendor Avast for allegedly selling users’ browsing data to advertisers, despite claiming its products would prevent online tracking. Additionally, Avast is prohibited from selling or licensing any web browsing data for advertising purposes and must inform users whose data was sold without consent.
The FTC’s complaint alleges that Avast collected consumers’ browsing information through its browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice or consent. The company is accused of deceiving users by promising to block third-party tracking and protect privacy while secretly selling their detailed browsing data to over 100 third parties through its Jumpshot subsidiary.
Data buyers could link non-personally identifiable information with Avast users’ browsing data, enabling other companies to track and associate users with their browsing histories. This practice was exposed in January 2020 by a joint investigation by Motherboard and PCMag, revealing several major companies as clients of Jumpshot.
Avast’s browser add-ons were removed from Google Chrome, Mozilla Firefox, and Opera stores in response to these findings. Avast has since discontinued Jumpshot’s data collection and operations. The company has merged with NortonLifeLock to form a new parent company called Gen Digital, which includes other products like AVG, Avira, and CCleaner.
The FTC’s Bureau of Consumer Protection Director Samuel Levine criticized Avast’s actions, stating that the company promised to protect users’ browsing data privacy but instead compromised it, calling their tactics a “bait-and-switch surveillance.”