February 23, 2024

Avast slapped with $16.5m fine from FTC for selling user data without permission

The US regulator said Avast had been storing and selling customer information acquired through its privacy software without user consent.

By Greg Noone

Avast has been fined $16.5m by the US Federal Trade Commission. The regulator said that the cybersecurity firm had been harvesting information from users about their browsing habits through its antivirus software. The FTC added that Avast misled users by telling them that its software would protect their online privacy by blocking third-party trackers, while it was instead collecting and then re-selling their re-identifiable browsing data.

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said the director of the FTC’s Bureau of Consumer Protection, Samuel Levine. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

The FTC has fined Czechia-based cybersecurity firm Avast for re-selling users’ browser data without consent. (Photo by BalkansCat / Shutterstock)

Avast sold user data since 2014

The FTC said that Avast had been collecting users’ browser data since 2014. This included their search history which, when pieced together by interested third parties, revealed “consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.” 

Most of this data was sold to customers by Jumpshot, an analytics company and a Czech subsidiary of Avast. While publicly claiming it was anonymising the information it had acquired through the use of what it described as a “special algorithm,” Jumpshot did nothing of the kind, failing to remove unique identifiers that could be associated with individual users’ web browsers. It was in this way that customer data was sold to over 100 third parties, including advertising companies, data brokers and analytics firms. 

Cybersecurity firm to be banned from re-selling browser data

In addition to fining the cybersecurity firm $16.5m for these infractions, the FTC has also issued a proposed order to prevent Avast from re-selling or licensing browser data. The company will also be required to obtain explicit consent from users when Avast wishes to re-sell or license browsing data it has acquired from non-Avast products, delete any web browsing data delivered to Jumpshot, and “inform consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company.”

A spokesperson from Avast told Reuters that the company had agreed to pay the fine issued by the FTC and that it had closed Jumpshot in 2020 following a joint investigation by Motherboard and PCMag. As for the other provisions of the proposed order, they said, the “operational provisions of the settlement are already consistent with Avast’s current privacy and security programs.”
