Avast promised to protect consumers from online tracking, FTC says

Consumers put their faith and trust in antivirus and other digital security companies to safeguard their devices and online activities and to keep personal information private.

When the Federal Trade Commission (FTC) announced Feb. 22 that it had fined antivirus software creator Avast $16.5 million to “settle charges that the company sold such information to third parties after promising that its products would protect consumers from online tracking,” some people may have been taken aback.

United Kingdom-based Avast Ltd., through a since disposed-of Czech subsidiary named Jumpshot, collected and stored consumers’ browsing information that it obtained through antivirus software and browser extensions. Without consumers’ consent, it sold that data to more than 100 third parties, including advertisers, marketing and data analytics companies, and data brokers, the FTC says.
‘It’s an irony not lost on the FTC’

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement from the government agency. “Avast’s bait and switch surveillance tactics compromised consumers’ privacy and broke the law.”

The alleged activity took place from 2014 to 2020. As part of the punishment, the FTC also banned Avast from selling web browsing data for advertising.

“It’s an irony not lost on the FTC that Avast made … privacy promises while trafficking in consumers’ browser histories,” FTC attorney Lesley Fair wrote in a blog post about the fine.

In its own statement shared with AARP, Avast acknowledged that it “reached a settlement with the FTC to resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020.”

“We are committed to our mission of protecting and empowering people’s digital lives,” Avast officials went on to say. “While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”
How does the FTC’s action affect you?

The FTC plans to publish a consent agreement in the Federal Register soon. Then the public will have 30 days to comment on the agreement before it is made final.

The $16.5 million the FTC is demanding Avast pay will be used to provide redress to consumers, but details on how that might be distributed haven’t been determined.

Because Jumpshot was shut down more than four years ago, any immediate threat related to the complaint would appear to be long gone. Or as one security professional told AARP, it’s kind of along the lines of horses, after escaping the barn, finding a new home and being well cared for in another state.

Still, consumers should view the episode as just another reminder to practice proper security hygiene. That means creating robust passwords not repeated elsewhere, employing two-factor authentication, and carefully reading a company’s privacy policies as best you can as a layman. And yes, the advice goes even when dealing with security firms that are supposed to be looking out for your best interests.

Under the FTC order, Avast customers should be aware that the company must obtain your affirmative consent before it can sell or license data from non-Avast products to third parties for advertising. The company will be required to inform customers whose browsing activity previously was sold to third parties.

Avast must also “implement a comprehensive privacy program that addresses the misconduct highlighted by the FTC.”
Avast has new parent company

While the Avast brand survives, current customers also should consider that the Avast of today is not under the same ownership as during the period the FTC flagged in its complaint. In September 2022, Avast merged with NortonLifeLock and formed a company now named GenDigital with dual headquarters in Tempe, Arizona, and Prague, Czechia, formerly known as the Czech Republic.

Consumers should periodically review their relationships with any companies they use, asking themselves:

Am I happy with the service?
Am I happy with what I’m paying?
Am I satisfied with the privacy policy?

If any of the answers is no, look at other options.