On February 24, 2024, the Federal Trade Commission announced that it will require software provider Avast to pay $16.5MM and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.

In the complaint, the FTC alleges that Avast Limited, based in the United Kingdom, through its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent.

The Federal Trade Commission also charges that Avast deceived users by claiming that the software would protect consumers’ privacy by blocking third party tracking, but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data. The FTC further alleges that Avast sold that data to third parties via its subsidiary.

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said FTC lawyer Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

Since at least 2014, according to the FTC, Avast has been collecting consumers’ browsing information through browser extensions, which can modify or extend the functionality of consumers’ web browsers, and via antivirus software installed on consumers’ computers and mobile devices. This browsing data allegedly included information about users’ web searches and the webpages they visited—revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.

According to the agency’s complaint, not only did Avast fail to inform consumers that it collected and sold their browsing data, the company also claimed that its products would decrease tracking on the Internet.

For example, according to the FTC, when users searched for Avast’s browser extensions, they were told Avast would “block annoying tracking cookies that collect data on your browsing activities” and promised that its desktop software would “shield your privacy. Stop anyone and everyone from getting to your computer.”

After Avast purchased its subsidiary entity, a competitor antivirus software provider, the company rebranded the firm as an analytics company, according to the FTC. From 2014 to 2020, the subsidiary entity sold browsing information that Avast had collected from consumers to a variety of clients including advertising, marketing and data analytics companies and data brokers, according to the complaint.

Also according to the complaint, the company claimed it used a special algorithm to remove identifying information before transferring the data to its clients. The FTC says the company failed to sufficiently anonymize consumers’ browsing information that it sold in non-aggregate form through various products.

For example, its data feeds included a unique identifier for each web browser it collected information from and could include every website visited, precise timestamps, type of device and browser, and the city, state, and country, alleges the agency. When Avast did describe its data sharing practices, Avast is alleged to have falsely claimed it would only transfer consumers’ personal information in aggregate and anonymous form.

The FTC alleges that the company failed to prohibit some of its data buyers from re-identifying Avast users based on data that the subsidiary entity provided. And, even where Avast’s contracts included such prohibitions, the contracts were worded in a way that enabled data buyers to associate non-personally identifiable information with Avast users’ browsing information, according to the FTC.

The FTC alleges that some of the subsidiary’s products were designed to allow clients to track specific users or even to associate specific users—and their browsing histories—with other information those clients had. For example, as alleged in the complaint, the subsidiary entity entered into a contract with an advertising conglomerate which purportedly stated that the subsidiary entity would provide it with an “All Clicks Feed” for 50% of its customers in the United States, United Kingdom, Mexico, Australia, Canada, and Germany. According to the contract, the conglomerate was allegedly permitted to associate Avast’s data with data brokers’ sources of data, on an individual user basis.

The Federal Trade Commission is the chief federal agency on privacy policy and enforcement. Rapid changes in technology have raised new privacy challenges an issues that marketers should address preemptively alongside an experienced FTC defense lawyer. The FTC uses law enforcement, policy initiatives and consumer and business education to protect consumers’ personal information. When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises. The FTC has brought legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information, or caused substantial consumer injury.

In many of these cases, the FTC has charged the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce. In addition to the FTC Act, the agency also enforces other federal laws relating to consumers’ privacy and security.

In addition to paying $16.5 million, which is expected to be used to provide redress to consumers, the proposed order, contains provisions governing how Avast and its subsidiaries may and may represent how it uses the data it collects. Other provisions of the proposed order include:

• Prohibition on Selling Browsing Data: Avast will be prohibited from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes;
• Obtain Affirmative Express Consent: The company must obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes;
• Data and Model Deletion: Avast must delete the web browsing information transferred to its subsidiary entity and any products or algorithms the entity derived from that data;
• Notify Consumers: Avast will be required to inform consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company; and
• Implement Privacy Program: Avast will be required to implement a comprehensive privacy program that addresses the misconduct highlighted by the FTC.

FTC Chair Lina M. Khan joined by Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a statement on this matter.

Contact an experienced FTC CID lawyer if you or your company are the subject of an FTC investigation or enforcement matter.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.