Source: Biometric Update

Avast: FTC begins compensation phase of Avast privacy violation settlement

As part of a landmark $16.5 million settlement with the Federal Trade Commission (FTC) over charges that UK-based software provider Avast Limited compromised consumer privacy by deceptively collecting and selling users' browsing data, the FTC has begun sending claim forms to consumers who bought the deceptively marketed antivirus software.

The FTC's complaint, filed in February 2024, alleged that Avast misled consumers by promising privacy protection while simultaneously engaging in the sale of detailed and re-identifiable browsing data. Avast, which marketed itself as a company dedicated to blocking third-party tracking, instead collected extensive browsing histories through its antivirus software and browser extensions. This information was subsequently sold to more than 100 third parties through Avast's Czech subsidiary, Jumpshot.

In its complaint, the FTC said Avast unfairly collected consumers' browsing information through the company's browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent. The FTC also charged that Avast deceived users by claiming that the software would protect consumers' privacy by blocking third-party tracking, but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data.

"Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "Avast's bait-and-switch surveillance tactics compromised consumers' privacy and broke the law."

Since at least 2014, the FTC said Avast had collected consumers' browsing information through browser extensions, which can modify or extend the functionality of consumers' web browsers, and through antivirus software installed on consumers' computers and mobile devices. This browsing data included information about users' web searches and the webpages they visited, revealing consumers' religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.

This case underscores the growing concern over data privacy and the responsibilities of cybersecurity firms to uphold their commitments to protecting user information. As part of the settlement, Avast is not only required to pay $16.5 million - funds that will be used to compensate affected consumers - but the FTC also has banned the company from misrepresenting how it collects and uses data. Avast is explicitly prohibited from selling or licensing browsing data obtained from Avast-branded products to third parties for advertising purposes. Additionally, Avast must implement a comprehensive privacy program to prevent future violations of consumer trust.

The FTC is actively reaching out to affected consumers, sending claim forms by email to 3,690,813 individuals who purchased Avast's antivirus software between August 2014 and January 2020. These consumers will have until June 5, 2025, to file their claims through an online portal set up by the FTC, which emphasized that no payment or account information is required to submit a claim or to receive a refund, reinforcing its commitment to transparency in the refund process.

The FTC's enforcement action comes at a time when digital privacy concerns are at an all-time high. Companies that offer cybersecurity solutions have a fundamental obligation to protect their users, yet Avast's actions revealed a stark contradiction between its promises and its practices. The FTC's complaint detailed how Avast collected user data, including information about web searches, visited pages, and potentially sensitive personal details such as religious beliefs, health concerns, political affiliations, and financial status. This data was stored indefinitely and, despite claims of anonymization, was allegedly not sufficiently de-identified, making it possible to link browsing histories back to individual users.

The controversy intensified following Avast's acquisition of Jumpshot, an analytics firm that transformed into a major player in the data brokerage industry. Jumpshot sold Avast's collected browsing data to a wide range of clients, including advertisers, marketers, and data brokers. According to the FTC, Avast falsely reassured users that their personal data would only be shared in an aggregated and anonymous format, yet the company failed to implement sufficient safeguards to prevent re-identification.

One particularly troubling aspect of the case is the way Avast structured its data sales. Some of Jumpshot's products were designed to allow clients to track specific users and to match browsing histories with other available data sources. For instance, an agreement between Jumpshot and Omnicom, an advertising conglomerate, allowed Omnicom to access Avast users' browsing data and integrate it with information from data brokers on an individual user basis. This practice further exacerbated the risks posed to consumer privacy and violated Avast's own claims of anonymity.

According to the FTC, Avast claimed it used a special algorithm to remove identifying information before transferring the data to its clients. The FTC, however, says the company failed to sufficiently anonymize consumers' browsing information that it sold in non-aggregate form through various products. For example, its data feeds included a unique identifier for each web browser it collected information from and could include every website visited, precise timestamps, type of device and browser, and the city, state, and country. When Avast did describe its data sharing practices, the FTC said it falsely claimed it would only transfer consumers' personal information in aggregate and anonymous form, according to the complaint.

Beyond the financial penalty, the FTC's settlement imposes stringent new requirements on Avast. In addition to banning the sale of browsing data from Avast-branded products, the company must obtain explicit user consent before selling or licensing browsing data from other non-Avast products. Avast is also required to delete all browsing data previously transferred to Jumpshot, along with any products or algorithms derived from that data. Furthermore, the company must notify all affected consumers about the FTC's actions and establish a robust privacy program to ensure compliance with data protection regulations moving forward.

The FTC's decision to pursue such strong measures reflects a commitment to holding companies accountable for deceptive data practices. The agency's enforcement efforts align with broader regulatory trends aimed at curbing data exploitation and enhancing consumer protection in an increasingly digital world.

The case against Avast also serves as a cautionary tale for other tech companies that collect and monetize user data. While data analytics and targeted advertising remain lucrative industries, businesses must navigate these opportunities responsibly, ensuring that they prioritize transparency, security, and user consent. The growing scrutiny from regulatory bodies worldwide suggests that companies failing to uphold ethical data practices may face significant legal and financial repercussions.

The FTC's settlement with Avast followed a series of high-profile enforcement actions against companies that have misused consumer data. In 2024 alone, the FTC facilitated more than $285 million in refunds to consumers affected by deceptive business practices across various industries. The agency's interactive refund data dashboards provide insights into state-by-state distributions of these settlements.

For consumers affected by Avast's deceptive practices, the settlement offers a form of restitution. However, it also raises important questions about the broader landscape of digital privacy and the extent to which users can trust the companies that claim to protect them. The Avast case is a stark reminder that consumers must remain vigilant about how their data is collected, used, and shared.

Moving forward, Avast's compliance with the FTC's order will be closely monitored. The company's ability to rebuild consumer trust will depend on its willingness to adhere to stronger privacy protections and transparent data policies. The settlement not only delivers justice for affected consumers, it also sets a precedent for how regulatory bodies will handle similar cases in the future.

Avast is a member of identity-focused organizations such as the FIDO Alliance and the Decentralized Identity Foundation (DIF). In January it expanded the availability of its identity protection called Avast Secure Identity to 15 additional countries outside of the U.S., including the UK, France, Germany, Australia, New Zealand, Brazil, Mexico, Spain and Italy.
