Data, Trust, and Accountability: Business Lessons from the Avast Settlement
Companies across industries increasingly gather customer data online for a wide range of operational and marketing needs. This often comes with strong assurances about privacy and security to make consumers feel more comfortable in revealing detailed info about themselves. However, those assurances carry real legal and reputational weight. The Federal Trade Commission’s (FTC) recent action against Avast, a widely used provider of consumer antivirus tools and browser-security extensions, illustrates how seriously regulators now treat gaps between what companies promise and what they actually do. Understanding how and why this case unfolded can help businesses and consumers better navigate evolving expectations around data handling and transparency.
Avast built its reputation on helping users protect their devices from malware and online threats. For many households and small businesses, Avast’s free and paid software has become synonymous with basic digital security. But Avast’s privacy practices did not match its public image.
The FTC has begun distributing approximately $15.3 million in refunds to consumers after concluding that Avast misled users about how their browsing data was collected, stored, and monetized. The payments mark a significant chapter in a broader enforcement action aimed at ensuring greater transparency in the digital-security marketplace.
The FTC’s Allegations: Promises of Privacy, but Hidden Data Sales
In a complaint filed in February 2024, the FTC alleged that Avast promoted its antivirus software and browser extensions as tools designed to block online tracking and safeguard user privacy. At the same time, the FTC claimed that Avast was quietly gathering extensive browsing information from millions of users and then selling or licensing that data to third parties—conduct that was not clearly disclosed and was done without the level of user consent required under federal law.
Further compounding the issues, the browsing data sold by Avast was sufficiently detailed to be re-identified, raising concerns about consumer anonymity and data security. These practices, the FTC concluded, were at odds with the privacy promises Avast made in its marketing materials.
Under a June 2024 settlement, Avast agreed to halt the sale or licensing of browsing data for advertising purposes and to provide financial redress to affected consumers.
How Refunds Are Being Distributed
Refunds are being provided to 103,152 consumers who filed valid claims.
The FTC appointed Rust Consulting, Inc. to administer the refunds. Consumers with questions may contact Rust Consulting at 1-866-290-0165 or review the frequently asked questions on the FTC’s website.
Key Lessons for Businesses
The Avast case serves as a notable warning for companies that handle consumer data—particularly those that brand themselves as privacy-protective. Several takeaways emerge:
- Transparency must match marketing claims. Businesses should ensure that their privacy promises reflect actual data-handling practices and can be substantiated if questioned.
- Consent must be meaningful. Collecting or sharing browsing data without clear and informed user consent invites regulatory scrutiny and undermines customer trust.
- Data monetization demands careful oversight. Companies should evaluate whether revenue models involving user data are compatible with their privacy commitments.
- Technological creep requires a constant and realistic assessment of privacy practices. Even anonymized or de-identified data can be targeted and potentially re-identified, because modern tools can correlate seemingly innocuous pieces of user information, creating legal and reputational risk.
- Privacy compliance is becoming a competitive necessity. Regulators, consumers, and business clients increasingly expect companies to meet heightened privacy standards and to demonstrate that compliance in their operations and documentation.
As regulators continue to scrutinize data practices across industries, companies should treat privacy commitments as operational obligations, not aspirational statements. This includes regularly evaluating how data is collected, managed, and shared, and ensuring that those practices match what is communicated externally. Doing so will go a long way toward avoiding the kinds of legal exposure and reputational harm highlighted by this case.