Avast must pay 16.5 million dollars for data disclosure

Software from antivirus specialist Avast was supposed to protect customers from online surveillance. In fact, Avast collected and stored detailed data about customers' web browser usage through the program and browser plugins: Search terms, URLs retrieved including resources loaded in the background and even cookies including their content. The Avast subsidiary Jumpshot sold the data collected from "over 100 million users" from 2014 to 2020 to over 100 advertising companies – pseudonymized, but apparently re-identifiable. Following a data protection fine of around 13.9 million euros in the Czech Republic, Avast must now pay 16.5 million dollars in the USA (around 15.4 million euros).

Although the USA still lacks a uniform data protection law, the Federal Trade Commission (FTC) has found another legal lever in this case: It classifies the secret collection, storage and sale of the data as an unfair business practice and deception. In addition, Avast had not aggregated and anonymized the data contrary to its promises, which the FTC recognizes as a misrepresentation. All of this is prohibited under FTC law.

On this basis, the authority is ordering the company to pay 16.5 million US dollars. In contrast to the Czech fine, this is not a penalty, but a payment into an FTC fund from which victims are to be compensated. In addition, the authority imposes a long list of conditions: from a ban on the disclosure of browser data and false claims, a requirement to delete the data and inform affected US users, to a data protection program, audits by independent third parties, annually published self-certifications for 20 years and annual compliance monitoring for ten years.

The decision was taken unanimously with the votes of three FT Commissioners; the other two did not participate in the proceedings In the Matter of Avast Limited, Avast Software et Jumpshot, Case C-4805.

• The FTC-Beschluss and other procedural documents

(ds)