According to Chair Lina Khan, the Federal Trade Commission (“FTC”) recent action against Avast Limited and its subsidiaries for $16.5 million is the “highest monetary remedy in a de novo privacy violation case” and the first time a non-health service company has been banned from selling sensitive data after promising to keep it secure.

In its complaint, the FTC alleged that Avast sold browsing data despite its promises to protect consumers from online tracking. It would be easy to skim past the Avast proposed consent agreement (or those in the X-Mode or InMarket cases) as just another example of FTC taking on “mass data collectors.” But the Avast case offers some key nuggets of guidance that all companies, whether or not they fall into that category, should heed.

What could go wrong with a company claiming to “shield your privacy?”

 According to the FTC’s complaint, Avast marketed browser extensions and antivirus software using claims that its offerings would reduce tracking on the Internet and to protect its customers’ browsing data. To that end, Avast said its browser extension “[b]locks annoying tracking cookies that collect data on your browsing activities,” and that its desktop antivirus software would “[s]hield your privacy.”

Contrary to those claims, however, the FTC alleged that Avast, through its Czech subsidiary Jumpshot, collected more than eight petabytes of detailed consumer browsing data and then sold that browsing data to third parties in a non-aggregated, re-identifiable form.  Avast’s privacy policy had represented to its customers, however, that all identifying information would be removed from any data that Avast shared with third parties.

The FTC asserted that from 2014 to 2020, Avast earned tens of millions of dollars in gross revenues by selling its users’ detailed browsing data to more than 100 customers.

 FTC’s Claims of Avast’s Deceptive and Unfair Conduct

 The FTC’s complaint charged that Avast’s representations that its offerings would protect consumer privacy by preventing third parties from tracking online activity, and promises to only share browsing data in anonymous and aggregated form, were both deceptive under Section 5 of the FTC Act, given that the company in fact did the opposite.

In addition to that deception claim, however, the FTC alleged that Avast’s collection, storage, and sale of consumers’ granular and re-identifiable browsing data without providing adequate notice and without obtaining consumers’ consent was also an “unfair” practice under Section 5. Notably, the FTC stated that “re-identified browsing data is sensitive data” and warrants heightened protection.

 To settle the FTC’s claim, Avast agreed to a consent order that includes a requirement to pay more than $16.5 million penalty to the agency, and also to a series of other requirements

• Avast is prohibited from selling or licensing any browsing data from Avast products to third parties for advertising purposes.
• Avast must obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes.
• In addition to deleting all browsing data transferred to Jumpshot, Avast must delete all models, algorithms and software derived from the data, and instruct any third parties that received such data to do the same.
• Avast must inform consumers whose browsing data was sold to third parties without their consent about the FTC’s action.
• Avast must implement a comprehensive privacy program and will be subject to ongoing monitoring by and regular reporting to the FTC for 20 years.

What can businesses learn at Avast’s expense?

1. “Browsing and location data are sensitive. Full stop.”

In less than two years, the FTC has steadily expanded its definition of sensitive data to include precise geolocation (Kochava, X-Mode, and In-Market), biometric (Rite Aid and Alexa), health data (GoodRx, BetterHelp, and Premom), and now browsing data. Notably, browsing data typically doesn’t include data elements one would normally consider to be sensitive with sensitive data (e.g. name, social security number, race, health data, financial data, etc.), but according to the agency, that data is still “sensitive” because of what it can reveal about a consumer, particularly when paired with a unique and persistent identifier.

2. Selling or licensing browsing data requires affirmative express consent.

The FTC has made clear that because browsing data is “sensitive,” it’s subject to the same rules that apply to other types of sensitive data. Thus, a business cannot sell or share browsing data for advertising purposes without first obtaining the consumer’s affirmative express consent.

The FTC defined affirmative express consent in the Avast order both by what is and is not. First, the FTC defined affirmative express consent as “any freely given, specific, informed, and unambiguous indication of an individual consumer’s wishes demonstrating agreement by the individual, such as by clear affirmative action, following a clear and conspicuous disclosure to the individual . . . of all information material to the provision of consent.”

The Avast order further notes that affirmative express consent must be separate from any privacy policy, terms of service, terms of use, or similar document. And the FTC makes clear that hovering over, muting, pausing, or closing of a piece of content by the consumer or obtaining consent through a user interface that has the effect of subverting or impairing decision-making or choice is not affirmative express consent.

3. Mean what you say.

It cannot have been lost on the FTC that Avast’s practices were the polar  opposite of the privacy representations it made to consumers. In the press release accompanying the action, Chair Lina Khan noted “Avast’s decision to expressly market its products as safeguarding people’s browsing records and protecting data from tracking only to then sell those records is especially galling.” The message is therefore clear: your privacy practices should align with the letter and the spirit of your privacy commitments, especially if you market your offerings as protecting peoples’ privacy.