With an unprecedented multi-million dollar fine that underscores the importance of digital privacy, the Federal Trade Commission (FTC) has taken decisive action against Avast, a leading antivirus software provider. This action comes after allegations surfaced that Avast, contrary to its promises of enhancing consumer privacy, was involved in the collection and sale of user browsing data through its subsidiary, Jumpshot. The settlement reached with the FTC not only imposes a significant financial penalty on Avast but also introduces stringent requirements aimed at safeguarding consumer privacy.

Key Allegations and Findings:

  • Avast was found to have engaged in the collection of detailed consumer browsing data, including sensitive information that could potentially reveal personal details about consumers’ health, political leanings, and financial status.
  • Despite assurances that its software would protect users from online tracking, Avast sold this data to over 100 third parties, without adequate disclosure or obtaining consent from consumers.

FTC’s Action:

The FTC’s enforcement action against Avast includes several critical components designed to rectify the misconduct and prevent future violations:

  • Monetary Penalty: Avast is required to pay $16.5 million, a sum expected to be used for redress to affected consumers.
  • Prohibition on Data Sales: The settlement prohibits Avast from selling or licensing browsing data from its products for advertising purposes.
  • Affirmative Consent Requirement: Avast must now obtain express consent from consumers before collecting or selling their browsing data for non-antivirus purposes.
  • Data and Model Deletion: Avast is mandated to delete all previously collected web browsing information and any derived models or algorithms.
  • Consumer Notification: The company is required to inform consumers whose data was sold without consent about the FTC’s enforcement action.
  • Privacy Program Implementation: A comprehensive privacy program addressing the misconduct identified must be implemented by Avast.

Implications and Takeaways

The scale of this fine marks a critical juncture in privacy enforcement, demonstrating the FTC’s growing commitment to holding companies accountable for violating consumer privacy rights, even without a federal privacy law. Companies should keep the following in mind as they effect their own privacy compliance programs:

  • Check, and re-check, your privacy policy. From GoodRx, to BetterHelp, Premom, and now Avast, companies continue to find themselves in hot water when their privacy policies failed to accurately and comprehensively disclose their data practices. It is the Golden Rule of privacy policies that companies must: (a) say what you do, and (b) do what you say.
  • If your site uses ad trackers, you’re almost certainly selling data. The use of advertising tracking technologies such as popular cookies and pixels from Facebook, Google, Double Click, and others means you are selling data. It is critical to disclose this activity in your privacy policy, and give consumers the right to opt-out.
  • Carefully consider your practices regarding sensitive data. Sensitive data, particularly health data, is under intense scrutiny at all levels of government. Any time your company does anything that could conceivably relate to data regarding children and consumer health data in particular have been under great scrutiny. Health data isn’t just that which is protected by HIPAA anymore, such as formal diagnoses and medications; instead, it should be considered anything that is linked or reasonably linkable to a consumer that identifies their past, present, or future physical or mental health status.