The U.S. Federal Trade Commission (FTC) has hit antivirus vendor Avast with a $16.5 million fine over charges that the firm sold users' browsing data to advertisers after claiming its products would block online tracking.
In addition, the company has been banned from selling or licensing any web browsing data for advertising purposes. It will also have to notify users whose browsing data was sold to third-parties without their consent.
The FTC, in its complaint, said Avast "unfairly collected consumers' browsing information through the company's browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent."
It also accused the U.K.-based company of deceiving users by claiming that the software would block third-party tracking and protect users' privacy, but failing to inform them that it would sell their "detailed, re-identifiable browsing data" to more than 100 third-parties through its Jumpshot subsidiary.
What's more, data buyers could associate non-personally identifiable information with Avast users' browsing information, allowing other companies to track and associate users and their browsing histories with other information they already had.
The misleading data privacy practice came to light in January 2020 following a joint investigation by Motherboard and PCMag, calling out Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, and Intuit as some of Jumpshot's "past, present, and potential clients."
A month before, web browsers Google Chrome, Mozilla Firefox, and Opera removed Avast's browser add-ons from their respective stores, with prior research from security researcher Wladimir Palant in October 2019 deeming those extensions as spyware.
The data, which includes a user's Google searches, location lookups, and internet footprint, was collected via the Avast antivirus program installed on a person's computer without seeking their informed consent.
"Browsing data [sold by Jumpshot] included information about users' web searches and the web pages they visited – revealing consumers' religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information," the FTC alleged.
Jumpshot described itself as the "only company that unlocks walled garden data," and claimed to have data from as many as 100 million devices as of August 2018. The browsing information is said to have been collected since at least 2014.
The privacy backlash prompted Avast to "terminate the Jumpshot data collection and wind down Jumpshot's operations, with immediate effect."
Avast has since merged with another cybersecurity company NortonLifeLock to form a new parent company called Gen Digital, which also includes other products like AVG, Avira, and CCleaner.
The development comes nearly a year after the company was fined €13.7 million by the Czech Republic's data regulator for violating E.U. GDPR data protection regulations by collecting and selling internet browsing data.
"Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "Avast's bait-and-switch surveillance tactics compromised consumers' privacy and broke the law."