The Federal Trade Commission has fined antivirus software provider Avast $16.5 million and prohibited the company from selling or licensing any web browsing data for advertising purposes.

FTC says that Avast Limited, based in the United Kingdom, through its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent. Avast also deceived consumers that it would protect their privacy by blocking third party tracking, but instead sold their detailed, re-identifiable browsing data to more than 100 third parties through its subsidiary, Jumpshot. 

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.” 

Since at least 2014, Avast has been accused of collecting consumers’ browsing information through browser extensions, which can modify or extend the functionality of consumers’ web browsers, and through antivirus software installed on consumers’ computers and mobile devices. The data include users’ web searches and the webpages they visited—revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.

After Avast bought Jumpshot, a competitor antivirus software provider, the company rebranded the firm as an analytics company. From 2014 to 2020, Jumpshot sold browsing information that Avast had collected from consumers to a variety of clients including advertising, marketing and data analytics companies and data brokers, according to the complaint.

Avast sold user data in non-aggregate form through various products. For example, its data feeds included a unique identifier for each web browser it collected information from and could include every website visited, precise timestamps, type of device and browser, and the city, state, and country.

Avast falsely claimed it would only transfer consumers’ personal information in aggregate and anonymous form. In fact, some of the Jumpshot products were designed to allow clients to track specific users or even to associate specific users—and their browsing histories—with other information those clients had. Jumpshot entered into a contract with Omnicom, an advertising conglomerate, which stated that Jumpshot would provide Omnicom with an “All Clicks Feed” for 50% of its customers in the United States, United Kingdom, Mexico, Australia, Canada, and Germany. According to the contract, Omnicom was permitted to associate Avast’s data with data brokers’ sources of data, on an individual user basis. 

In addition to paying $16.5 million, which is expected to be used to provide redress to consumers, the proposed order, will prohibit Avast and its subsidiaries from misrepresenting how it uses the data it collects.

Avast will be prohibited from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes; it must obtain affirmative express consent from consumers before selling or licensing browsing data; it must delete the web browsing information transferred to Jumpshot and any products or algorithms Jumpshot derived from that data; must inform consumers whose browsing information was sold to third parties without their consent; and has to implement a comprehensive privacy program that addresses the misconduct.