Avast’s $16.5 Million FTC Settlement is a Wake-Up Call for Businesses on Data Privacy
In a landmark decision that has sent shockwaves through the tech and software industries, the Federal Trade Commission (“FTC”) has finalized an order against Avast, a prominent provider of antivirus software, banning the company from selling or licensing any web browsing data for advertising purposes. The settlement also requires Avast to pay $16.5 million, which will be used to compensate consumers whose privacy was violated. This case serves as a stark reminder of the importance of data transparency, consumer trust, and the growing need for businesses to implement robust privacy practices.
The allegations against Avast center around deceptive practices that misled consumers about how their browsing data would be handled. The FTC claimed that Avast, through its Czech subsidiary, collected users’ browsing information through browser extensions and antivirus software, stored this data indefinitely, and sold it to third-parties for advertising purposes. Despite Avast’s promises that its products would block online tracking and protect consumer privacy, the company failed to adequately disclose that it was collecting and selling highly detailed, re-identifiable browsing data to over 100 third-party clients through its subsidiary, Jumpshot.
For years, Avast had marketed its products with the assurance that users’ data would be shielded from unwanted tracking. Ads for its software prominently featured claims about blocking “annoying tracking cookies” and protecting users from online surveillance. However, the reality was very different. Not only did Avast fail to inform consumers about its data collection practices, but it also allowed third-parties to re-identify individuals from the data it sold. This included sensitive information like web searches, political views, and financial details, personal data that many users believed was being protected.
This settlement underscores the growing scrutiny around data privacy and the responsibility companies have in safeguarding consumer information. As part of the settlement, Avast is now required to delete the web browsing data transferred to Jumpshot and any products or algorithms created from that data. Additionally, Avast must obtain explicit, affirmative consent from consumers before selling or licensing browsing data from non-Avast products to third-parties for advertising purposes. This provision highlights the increasing demand for businesses to be transparent with their data practices and to obtain clear consent from customers before sharing their information with third-parties.
Furthermore, the FTC’s order mandates that Avast notify the consumers whose data was sold without their consent, informing them about the legal action and steps the company is taking to remedy the situation. Avast must also implement a comprehensive privacy program to prevent future violations and ensure that consumer data is handled responsibly and ethically going forward.
For businesses, especially those handling large volumes of consumer data, this case is a critical lesson. It emphasizes that transparency in how data is collected and used is no longer optional. Customers want to know that their information is safe, and if companies fail to live up to those expectations, they risk not only legal consequences but also a significant loss of reputation. Companies that collect or sell data must ensure they are fully transparent with their customers, clearly outlining what data is being collected, how it will be used, and with whom it may be shared.
Additionally, this case underscores the importance of implementing strong privacy programs. For businesses, staying ahead of these changes is essential to avoid costly fines and to maintain customer trust. A comprehensive privacy program should include clear data collection policies, secure data storage practices, and methods for obtaining explicit consumer consent.
The Avast settlement is a strong reminder for businesses of all sizes about the critical importance of consumer privacy. Companies must adopt transparent data practices, respect consumer consent, and ensure their privacy programs are up to the task of safeguarding sensitive information. Failure to do so not only exposes businesses to legal action but also threatens their long-term success in an increasingly privacy-conscious world.
If you would like to read more about this case and others, visit our Case Studies Library.
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.