- The FTC has issued a proposed order against Avast Limited and its subsidiaries (collectively “Avast”) to resolve allegations that the company violated the FTC Act when it unfairly collected and indefinitely stored consumer browsing data and sold such data to third-parties despite promising that its software would protect users from online tracking.
- In its complaint, the FTC alleged that Avast sold software that the company claimed would protect consumer privacy by blocking third party tracking, only to then sell the same browsing data it promised to protect to third-parties, often without proper consumer disclosure. In addition, the FTC claims that, on the occasions that Avast disclosed its data handling practices, the company misrepresented that the data would be shared in an anonymized and aggregated form, while the data was actually re-identifiable. The FTC alleges that Avast sold such data to more than 100 third parties through one of its subsidiaries.
- Under the terms of the proposed order, Avast must pay $16.5 million for consumer redress. The order also prohibits the company from selling browsing data for advertising purposes and from making further misrepresentations about the data. Avast must also obtain affirmative express consent from consumers before selling or licensing browsing data and delete the web browsing data transferred to its subsidiary along with any products or algorithms derived from that data. In addition, Avast must implement a comprehensive privacy program subject to biennial third-party assessments and notify consumers about the FTC order.