As part of its settlement of the FTC’s complaint made last year, Avast was required to pay a fine of $16.5m. These funds will now be used to compensate customers.
The company provided antivirus software to consumers purportedly in order to identify and address risks to their privacy and security. One of those risks was explicitly identified as tracking cookies used to collect data on browsing activities.
According to the FTC complaint, while making claims about protecting the privacy of users, the company’s software was being utilized to collect browsing information from those very users.
The information the company collected was then sold on to a variety of clients including marketing data analytics companies and data brokers.
Extraordinary detail
A proprietary algorithm was used to remove identifying information from the data. This process did not adequately anonymize the data, and the third parties to whom the data was sold were provided “with extraordinary detail regarding how consumers navigated” the internet, permitting both the company and its customers to “trace individuals across multiple domains over time” including those where a third party “was not able to place a cookie directly.”
Some of the contracts with Avast’s customers did not prohibit them from re-identifying Avast users based on the data provided. In other words, the software did exactly what it claimed to prevent – it captured and disseminated sensitive data on its users.
It may be stating the obvious given the advertised purpose of the software in question, but the FTC investigation found that the company continued to collect and disseminate this information despite the fact that it “had direct evidence that many consumers did not want their browsing information to be sold to third parties.”
The FTC’s order against the company bans it “from misrepresenting how it uses the data it collects and from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes”.
In its FAQs on the settlement, Avast states that it strongly disagrees with “the FTC’s allegations and characterization of the facts”, but that it is “pleased to resolve this matter” while “remaining committed to our mission of protecting and empowering people’s digital lives.”
The company’s unlawful capture, processing and sale of user data also led, last year, to a fine of €13.9m from the Czech supervisory authority for infringements of GDPR.