FTC Warns Against Selling Re-Identifiable Browsing Information

Published: Mar. 18, 2024

The Federal Trade Commission (FTC) announced a proposed settlement with Avast, a browser extension and antivirus provider, to resolve charges that the company collected users’ sensitive browsing information and then sold it to third-party advertisers despite promising its users that its software would be used to block online tracking. The settlement included a $16.5 million fine, data deletion requirements, and a ban on selling or disclosing users’ browsing information to third parties for advertising purposes without affirmative express consent.

The complaint alleges that from 2014 to 2020, Avast (including through its subsidiary and analytics platform, Jumpshot) collected users’ sensitive browsing information and then sold it to third-party advertisers.  More specifically, from 2014 until Avast shut down Jumpshot’s operations in 2020, Jumpshot allegedly sold Avast’s sensitive browsing information to over 100 third parties without users’ consent. Consistent with other recent FTC enforcement actions such as those against Outlogic (formerly X-Mode Social), InMarket, GoodRx, BetterHelp, and Premom, the complaint here focuses on both allegedly selling sensitive data and misrepresenting the anonymity of the data.

Sensitivity of Information

The FTC takes the position that “Re-identifiable browsing information is sensitive data.” Therefore, Avast’s consumers were harmed through their use of the company’s extensions, which tracked users’ browsing activities more extensively than ordinary tracking cookies, with information detailing webpages visited, precise timestamps, types of devices and browsers, and location. Avast’s browsing history revealed sensitive information such as users’ religious beliefs, health concerns, political leanings, location, financial status, dating interests, and visits to child-directed content. For instance, the FTC states that a sample of just 100 entries from trillions of records retained by Avast revealed users’ visits to webpages for symptoms of breast cancer, FAFSA (financial aid) applications, Google Maps directions, a Spanish-language children’s YouTube video, and a link to a French dating website with a unique member ID. The FTC further alleges that Avast data included a unique and persistent device identifier associated with each particular browser, allowing Avast and third-party buyers to trace individuals across multiple domains over time.  Moreover, the FTC claims that Avast understood and advertised this potential in its marketing materials stating, “[S]ee where your audience is going before and after they visit your site or your competitors’ sites, and even track those who visit a specific URL.”

Anonymization

The FTC challenges Avast’s anonymization claims, including those made through an online public forum by Avast’s Chief Technology Officer in 2015, on the grounds that Avast allegedly promised that user information would only be shared in “anonymous and aggregate” form and “there’s nothing that can lead back to a specific user.” Even though Avast used an algorithm to remove identifying information prior to each transfer of consumer browsing information, the FTC alleges that it knowingly marketed its products to advertisers and others that would want to track specific users. The FTC notes that in some contracts with data buyers, Avast allegedly permitted the data buyers to link Avast’s browsing information with the buyers’ own customer data “for marketing purposes, including targeting of digital advertisements and digital content.” Even in contracts where data buyers were prohibited from re-identifying the data, the FTC alleges Avast failed to audit or confirm that data buyers complied with the contractual limits.

Consent

The FTC takes issue with the transparency and substance of Avast’s representations to its users. The complaint alleges that Avast’s browser came with the Avast Browser Extension pre-installed, meaning that it was not visible to consumers and could not be uninstalled. Additionally, the Avast Online Security extension could be installed without viewing any disclosures about Avast’s collection or sale of browsing information or seeing a link to Avast’s privacy policy.

As we have seen in recent cases, consent remains a significant area of attention for the Commission. Chair Khan, joined by Commissioners Slaughter and Bedoya, issued a statement saying that browser history data triggers heightened privacy obligations and that failure to obtain affirmative permission from a consumer to sell or share that data could be grounds for a claim of deception or unfairness under Section 5 of the FTC Act.

For more guidance about what the FTC expects affirmative express consent to involve, the FTC has offered a few examples in its recent cases, and this one is no exception.