FTC Finalizes Order With Avast Over Data Collection Without Consent

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

FTC Finalizes Order With Avast Over Data Collection Without Consent

The FTC announced its finalization of a $16.5MM Order against Avast settling allegations the UK-based software provider unfairly collected consumer browsing information through its browser extensions and antivirus software and sold it to advertising, marketing and data analytics companies and data brokers without adequate notice or consumer consent.

In addition to the monetary fine, Avast will be prohibited under the Order from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes and will be required to obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes.

The company will also be required to delete all web browsing data previously transferred to its subsidiary, Jumpshot (through which the data was sold to third parties) and any products or algorithms Jumpshot derived from that data, and it will be required to inform previous customers about the FTC order.

TAKEAWAY

Following its original announcement of the proposed Avast Order in February 2024, the FTC posted on its blog a summary of takeaways from its proposed settlements with Avast, InMarket and X-Mode (all of which have since been finalized), making the bolded statement, “Browsing and location data are sensitive. Full stop” and warning that “Collecting, storing, using, and sharing people’s sensitive information without their informed consent violates their privacy.”

The FTC has since announced two proposed orders against alcohol addiction treatment service Monument and online mental health service Cerebral, in both cases based on allegations the services shared health data with third parties for advertising through use of third-party tracking tools without consumer consent. 

Rhode Island Enacts Data Transparency and Privacy Protection Act

The Rhode Island Governor transmitted H 7787 to the Secretary of State without signature or veto, making the bill a law taking effect January 1, 2026. Rhode Island is the nineteenth state (or twentieth if you count Florida) to enact a comprehensive privacy law.

TAKEAWAY

Rhode Island’s privacy bill is missing certain elements common to most other state comprehensive privacy laws, such as an obligation to recognize universal opt out mechanisms and a data minimization requirement, but it contains one unique element: a requirement to identify, in a controller’s customer agreement or another conspicuous location on its website or online service, all third parties to whom the controller has sold or may sell customers’ personally identifiable information (which is not defined).

This goes one step further than a similar requirement under Oregon and Minnesota laws, which give customers the right to request a list of third parties but do not require a public posting of the list.

Looking for guidance on all the U.S. States’ privacy regulation? Download Sourcepoint’s Ultimate Guide to U.S. State Privacy Laws.

EUROPE

Avanza Bank Receives SEK 15MM Fine For Misconfiguring a Meta Pixel

The Swedish Privacy Protection Agency (IMY) announced a penalty fee of SEK 15MM against Avanza Bank based on allegations the bank transferred personal data to Meta due to incorrect settings of the Meta pixel on its website and app, activating new sub-functions by mistake. The error allegedly caused consumer banking details, such as data on securities holdings and value, loan amounts, account numbers and social security numbers, to be transferred to Meta. The fine was issued based on alleged violations of GDPR for not having taken appropriate technical and organizational measures to ensure an appropriate level of security for the personal data of its website visitors and app users. 

TAKEAWAY

This likely won’t be the first action of its kind based on misuse of the Meta pixel. In its announcement, the IMY specified that it “has several other ongoing reviews based on reported personal data incidents where personal data has been transferred to Meta over a longer period of time.” In such cases, the IMY says it “examines what has happened and what routines the companies have in place to have control over the users’ personal data”. 

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.