Stop Selling Data: Avast's Strategy Stymied by the FTC

February 29, 2024

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s consider the Federal Trade Commission’s recent settlement with Avast Limited, based in the United Kingdom, its Czech subsidiary, and Jump, Inc., a Delaware corporation (collectively, “Avast”)—all of whom the FTC alleges engaged in a common enterprise to deceive consumers about their unfair data practices. Among other things, the settlement contains a $16.5 million penalty and bans the respondents from selling web browsing data for advertising purposes.

The Complaint:

According to the Complaint, Avast marketed security and privacy services to consumers, including browser extensions and antivirus software that collected its users’ browser information and search queries without disclosing the fact that it collected and sold this information. Rather, Avast’s online marketing materials represented, among other things, that its products “block[] annoying tracking cookies that collect data on your browser activities.” In fact, the FTC alleged that Avast sold its users’ browsing information to third parties.

As regards the sale of data, the FTC alleged that Avast acquired Jumpshot in 2013, transforming it into an analytics company that sold the browsing data collected by Avast, including consumer behavior and website visits. Despite attempts to anonymize data, detailed information such as webpage visits and timestamps was sold, and contracts with companies like LiveRamp and Omnicom allowed for extensive use and re-identification of consumer data.

Following the FTC investigation, Avast announced the shutdown of Jumpshot in 2020, but according to the FTC, it never deleted the collected data.

The three-count Complaint alleges that Avast violated Section 5(a) of the FTC Act by:

  (1) unfairly collecting, retaining and selling consumers’ browsing information without adequate notice and without consumer consent;

  (2) misrepresenting that its software would stop the collection and sale of consumers’ data; and

  (3) misrepresenting that consumers’ browsing information would be transferred to Jumpshot and to third parties only in aggregate and anonymous form.

Accordingly, the FTC focuses on unfair collection, retention, and sale of personal information, deception in failing to disclose this, and misrepresentations regarding aggregation and anonymization.

A link to the Complaint follows: https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-Avast.pdf

The Settlement:

Under the terms of the proposed settlement, Avast (including its officers, agents and employers) must pay a $16.5 million penalty and also is prohibited from making misleading representations about its collection, use, disclosure and maintenance of data, banned from selling or disclosing browser information, and required to implement a number of comprehensive reforms, including:

  • Mandatory Data Deletion: Avast must delete the Jumpshot Data and any models, algorithms, or software developed by Jumpshot based on this data;

  • Providing Notice to Users: Avast must post a copy of the FTC’s Order on its website, and clearly and conspicuously inform its users that it collected their browser information; and

  • Implementing a Written Privacy Program Requiring Board Oversight: Under the FTC’s Order the Board or governing body of Avast is charged with “evaluating” the written privacy program every 12 months. In addition, the program must include mandatory employee training, technical measures to deidentify browsing information, and sufficient safeguards, including data retention limits.

For more on the settlement, you can click on the following link to the Decision and Order: https://www.ftc.gov/system/files/ftc_gov/pdf/D%26O-Avast.pdf

Our Thoughts:

  1. We’re interested to see the FTC continuing to target derivative data products, like models, algorithms, and software derived from unlawfully collected data.  This remedy is one that potentially poses an existential threat to AI-driven businesses.

  2. Here, the ban on the sale of data doesn’t seem as significant. Avast shut down Jumpshot’s operations in 2020, so it appears that sales of data stopped when the FTC’s investigation started.

  3. Finally, the Order’s express requirement that the Board oversee the company’s privacy program strikes us as significant. Over time, we have covered the issue of board oversight of cyber-risk and the potential of executive liability. For background, please click on the following link to one such post on that subject:

https://www.hoschmorris.com/privacy-plus-news/cyber-liability-for-directors-and-officers

Oversight of a privacy program, however, is somewhat different. A privacy program primarily focuses on managing how personal information is collected, used, stored and shared, ensuring compliance with relevant laws, including the FTC Act, and various state and international privacy laws. On the other hand, a cybersecurity program focuses on protecting the confidentiality, integrity and availability of information and information systems from cyber threats. Typically, cybersecurity implicates issues like preventing unauthorized access and data breaches, and ensuring resilience and recovery capabilities of information technology (IT) and operational technology (OT) systems. While both types of programs are complementary to each other, cybersecurity more clearly presents material risks to companies requiring board oversight. Oversight of legal and regulatory risks typically falls to the lawyers and compliance departments. Now that the FTC is involved, will privacy become a material risk? Or, perhaps, is the FTC continuing to push the limits of its authority? We’ll see.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

 
