Avast, the cybersecurity software company, is facing a $16.5 million fine after it was caught storing and selling customer information without their consent. The Federal Trade Commission (FTC) announced the fine on Thursday and said that it’s banning Avast from selling user data for advertising purposes.
From at least 2014 to 2020, Avast harvested user web browsing information through its antivirus software and browser extension, according to the FTC’s complaint. This allowed it to collect data on religious beliefs, health concerns, political views, locations, and financial status. The company then stored this information “indefinitely” and sold it to over 100 third parties without the knowledge of customers, the complaint says.
A joint investigation from Motherboard and PCMag first brought attention to Avast’s data privacy practices in 2020. Avast shut down its data harvesting arm, called Jumpshot, shortly after the reports emerged. Although Avast said it removed identifying information before selling user data, the FTC found it “failed to sufficiently anonymize consumers’ browsing information.” Instead, it sold data with unique identifiers for each browser, revealing websites visited, timestamps, the type of device and browser used, and location.
The FTC also claims Avast deceived users by saying its software would help eliminate tracking on the web — when it actually did the tracking itself. In addition to a $16.5 million fine, the FTC’s proposed order prevents Avast from misrepresenting what it does with the data it collects. It must stop “selling or licensing any browsing data” from Avast products to advertisers, as well as delete all of the web browsing data obtained by Jumpshot. Avast is also required to notify affected customers that their data has been sold without their knowledge. Avast didn’t immediately respond to The Verge’s request for comment.
The FTC has been cracking down on poor data privacy practices in recent weeks. In January, the FTC reached a settlement with Outlogic (formerly X-Mode Social) that prevents the data broker from selling information that can be used to track users’ locations. It banned InMarket from selling precise user locations as well.