FTC Finalizes $16.5M Settlement with Avast Over Sales of Browsing Data for Ad Targeting


by: Benjamin Stein

On June 27, 2024, the Federal Trade Commission (FTC) finalized its settlement against software provider Avast. The settlement stems from a February 2024 complaint brought by the FTC based on allegations that, from 2014 to 2020, Avast and its subsidiaries sold web-browsing data collected from users of Avast products to third parties for targeted-advertising purposes and did so in a manner that violated representations Avast had made to its users.

Avast offers antivirus software and browser extensions. The FTC alleged that Avast amassed a vast trove (more than 8 petabytes, or 8,000 terabytes in total) of consumer browsing data from its users and provided the data to its subsidiary Jumpshot.

Jumpshot then used the data to offer its customers data-feed products such as an “‘All Clicks Feed’ (all URLs clicked during particular consumers’ browsing sessions); … ‘Marketplace Feed’ (all consumer interactions with a particular product across multiple domains); and ‘Cookie Feed’ (consumer clickstream data filtered based on cookie values provided by Jumpshot’s customers, allowing Jumpshot’s customers to assess behavior on domains where the third party was not able to place a cookie directly).”

Jumpshot sold portions of the data to more than 100 customers. Some of those included major data-management platforms and similar adtech service providers, who in turn matched and appended user-level data to existing profiles, using the augmented data to help their own customers better target ads. In one transaction, Jumpshot sold to a buyer its “‘All Clicks Feed’ for 50% of its customers in the United States, United Kingdom, Mexico, Australia, Canada, and Germany,” along with the right to match this data with other data sources on an individual-user basis and then market to its own customers products derived from this amalgamated data.

Some Jumpshot contracts with its customers failed entirely to prohibit the buyer from re-identifying Avast users based on the data provided. (Per the FTC’s complaint, “Re-identifiable browsing information is sensitive data.”) Other Jumpshot agreements included only limited protections against re-identification.

While all of this was transpiring, the FTC alleged that Avast made prominent claims that its antivirus and browser-extension products would “protect consumers’ privacy by blocking third party tracking, but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data.”

For example, before October 2018, Avast’s sale of consumer browsing data to third parties via Jumpshot was not disclosed at all in its privacy policy. Per the FTC’s complaint, Avast’s privacy policies prior to this time indicated that “browsing information would be collected only ‘to ascertain the source of [malware] infection’ and that these products ‘collect no more information than is required in order to provide full functionality.’ These policies stated that personally identifiable information would be provided to third parties only when required by law or in the context of a service provider.”

Later policies, according to the FTC, indicated that browsing data would be disclosed to third parties, but overstated the extent to which it would be de-identified.

After receiving a civil investigative demand from the FTC, Avast announced in 2020 that it would shut down the Jumpshot service.

In its February complaint, the FTC alleged that the collection and sale of this browsing data without adequate notice and without consumer consent constituted an unfair practice under the FTC Act. It also alleged that Avast deceptively failed to disclose its tracking and sale of consumer data and that it misrepresented its practices by indicating transferred data would be aggregated and anonymized.

To settle the claims, Avast agreed to pay $16.5M in penalties, as well as undertake a number of additional, fairly onerous compliance obligations. Per the FTC’s summary of the settlement, those include:

  • Prohibition on Selling Browsing Data: Avast will be prohibited from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes;

  • Obtain Affirmative Express Consent: [Avast] must obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes;

  • Data and Model Deletion: Avast must delete the web browsing information transferred to Jumpshot and any products or algorithms Jumpshot derived from that data;

  • Notify Consumers: Avast will be required to inform consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company; and

  • Implement Privacy Program: Avast will be required to implement a comprehensive privacy program that addresses the misconduct highlighted by the FTC.

(Above bullets as quoted from https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over)

Avast must also have its privacy program reviewed biannually by an independent assessor for the next 20 years.

This settlement underscores the need to ensure that representations made to consumers regarding data practices, including those made in your Privacy Policy, are complete and accurate.

Originally published by InfoLawGroup LLP.