Listen to this post

On February 22, 2024, the Federal Trade Commission announced a settlement order against Avast Limited (“Avast”) requiring Avast to pay $16.5 million and prohibiting Avast from selling or licensing any web browsing data for advertising purposes. This ban is to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.

In the FTC’s complaint, the FTC alleged that Avast, through its Czech subsidiary, unfairly collected consumers’ browsing information since at least 2014 through Avast’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent. The FTC also alleged that the company deceived users by claiming that the software would protect consumers’ privacy by blocking third-party tracking, and that any sharing would be in “anonymous and aggregate form,” but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data. In addition, the FTC alleged that the company sold that data to more than 100 third parties through its subsidiary, and did not prohibit many of the data buyers from re-identifying the data.

In its proposed order, the FTC sought a $16.5 million settlement in order to provide redress to consumers. The proposed order prohibits Avast from selling, licensing or otherwise sharing any browsing data from Avast-branded products to third parties for advertising purposes.  It also prohibits Avast from making further misrepresentations about the data. In addition, the proposed order will require Avast to:

  • obtain affirmative express consent from consumers before using browsing data for advertising purposes, and before selling or licensing browsing data from non-Avast products to third parties for advertising purposes;
  • delete the web browsing information transferred to Jumpshot and any products or algorithms Jumpshot derived from that data;
  • inform consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company; and
  • implement a comprehensive privacy program that addresses the misconduct highlighted by the FTC.

This case is notable in that the FTC penalized a non-U.S. company, and reflects a growing trend in the FTC’s targeting of data brokers for enforcement in recent months.