Avast must pay fine for sale of user data

Earlier this year US regulators also imposed a fine on the company, which sells antivirus software. (Source: Avast)

The antivirus software developer Avast must pay a fine of 13.9 million euros for violating data privacy regulations. The ruling marks the conclusion of a years-long case pursued by the Czech data protection authority.

Avast sells antivirus software and browser extensions. According to the investigation, during the timeframe under review, between April and July 2019, the company used its products to gather data from users and then shared that data with its subsidiary, Jumpshot. As the European Data Protection Board (EDPB) reported last week, however, the company engaged in this data processing “without due legal title.”

Roughly 100 million users were reportedly affected by the data transfer.

Information on websites visited

Specifically, Avast was found to have transferred the browsing histories of individual users, whose data was tied to a unique identifier. The Czech Supervisory Authority came to the conclusion “that internet browsing history, even if not complete, may constitute personal data, since re-identification of at least some of the data subjects could occur,” the EDPB reported.

Avast also falsely informed its customers about the data transfer, claiming that it was transferring anonymized data solely for “statistical trend analytics.” In fact, the data were not anonymized, and were sold via the subsidiary.

The Czech Supervisory Authority (SA) emphasized that the company’s violation of the GDPR was all the more egregious given that Avast advertises its expertise in cybersecurity and sells products meant to protect users’ data and privacy. Customers “could not have expected that this company in particular would transfer their personal data,” said the head of the Czech authority, Jiří Kaucký. “That is, data based on which not only an identity of someone can be discovered but also their interests, personal preferences, residence, wealth, profession, and other data concerning their privacy.”

Practice uncovered years ago

The Czech Supervisory Authority has jurisdiction over Avast because the company is headquartered in Prague. The SA initiated its investigation after media outlets first reported on the data sales in late 2019 and early 2020. There was also an anonymous tip.

The US news site Motherboard reported in January 2020 that the transferred data included information like Google searches and GPS coordinates from Google Maps. Other companies had paid millions of dollars for the data.

Not long after the reports were published, Avast shut down its Jumpshot subsidiary.

The Czech authority first ruled on the case in 2020, but Avast appealed the decision. The fine imposed last month represents the final ruling in the case.

Penalty in the United States as well

Earlier this year, in February, the US Federal Trade Commission (FTC) imposed a fine of $16.5 million on Avast for its selling of data. The FTC likewise accused the company of having exploited its software to unlawfully collect and sell browsing activities which could be used to identify users. Between 2014 and 2020, the FTC charged, Avast’s Jumpshot subsidiary sold this data to more than 100 companies.

The company made it possible for certain clients to identify users via the data it provided. “In fact, some of the Jumpshot products were designed to allow clients to track specific users or even to associate specific users – and their browsing histories – with other information those clients had,” the FTC reported. The data revealed for example which websites were visited when, and on what device; the user’s location was also revealed.

According to the FTC, the sale of data affected users in the US, UK, Mexico, Australia, Canada, and Germany, among other countries. (js)