Cybersecurity and antivirus company Avast has been hit with a €13.7 million ($14.9 million) fine for processing customers’ data illegally as per GDPR requirements.
Spanish not-for-profit NGO Facua, which focuses on consumer rights matters, made Spain’s Agency for Data Protection aware that Avast had collected and sold private browsing data, including identifying data, without knowledge or authorization.
Facua credits PCMag and Motherboard for first bringing the matter to public attention, which saw Avast wrongly handling personal data under its subsidiary, Jumpshot.
Avast GDPR fine
Data packaged by Jumpshot from companies like Google, Microsoft, Yelp, Home Depot, Sephora, Loreal, and more, was sold on the pretense that it could “provide companies with a more complete view of the entire online user journey” (via Facua (opens in new tab)).
The NGO highlights some of the data that was collected by Avast, including Google Maps location searches and GPS coordinates, videos viewed on YouTube, profiles on LinkedIn, and even more broadly, Google web searches.
Having transferred the case to the Czech Republic, the Czech Administration has ruled that Avast has committed a number of violations against the GDPR relating to processing personal data, “failing to sufficiently inform the data subjects (users of the Avast antivirus program and its browser extension) at the time the data was obtained from them, about the purposes of the treatment for which they were intended and on the legal basis of the treatment in question.”
A Gen (opens in new tab) spokesperson told TechRadar Pro on behalf of Avast:
“Avast closed down Jumpshot in January 2020, and with this terminated the processing of customer data by Jumpshot, as stated in the blogpost (opens in new tab). The Czech DPA investigation relates to the historic processing of personal data before January 2020. The Czech DPA started its investigations in February 2020, and till today, the proceedings are still ongoing, a final decision has not been issued yet. Therefore, we cannot provide any comments.
Since January 2020, Avast reaffirmed its commitment to taking all necessary steps to keep its users’ data safe and private. Avast swiftly closing down Jumpshot demonstrates how seriously it has taken this situation. Avast has continued to take proactive measures to ensure that its privacy practices are a top priority and maintains active participation in global privacy-first organizations and initiatives, including partnering with industry-leading privacy advisors such as TrustArc (opens in new tab) through which Avast earned the TRUSTe privacy certification, and working closely with OneTrust (opens in new tab) and the Future of Privacy Forum (opens in new tab).”
