As consumer
privacy
takes the centerstage, several countries are imposing fines on defaulters. Companies like Meta and Google have been fined millions of dollars for not protecting user data, and some cases are still running in multiple regions. In a similar case, the US Federal Trade Commission (FTC) has issued a fine of $16.5 million on the cybersecurity company Avast over
compromising
user privacy.
The agency said that the firm sold users’ browsing data to third parties after claiming its products would block online tracking.
What the FTC has to say
The firm did the opposite instead of what it claims, the FTC noted, highlighting that despite its promises to protect consumers from online tracking, it sold consumers' browsing data to third parties -- without users' knowledge or consent.
“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite. Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law," said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
The FTC alleged that the cybersecurity firm sold that data to over 100 third parties through its subsidiary, Jumpshot.
How Avast was collecting user data
The agency also noted that Avast has been collecting users’ browsing data through browser extensions since at least 2014. This data, the FTC said, can modify or extend the functionality of consumers’ web browsers, and through antivirus software installed on their computers and mobile devices.
“This browsing data included information about users’ web searches and the webpages they visited -- revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information,” the agency said.
In addition to the $16.5 million fine, the agency is prohibiting Avast and its subsidiaries from misrepresenting how it uses the data it collects.
Other provisions of the proposed order include -- prohibition on selling browsing data, obtaining affirmative express consent, data and model deletion, notify consumers, and implementation of privacy programmes.