Blog
FTC Finalizes Order With Avast Over Data Collection Without Consent
July 1, 2024
Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
USA
FTC Finalizes Order With Avast Over Data Collection Without Consent
The FTC announced its finalization of a $16.5MM Order against Avast settling allegations the UK-based software provider unfairly collected consumer browsing information through its browser extensions and antivirus software and sold it to advertising, marketing and data analytics companies and data brokers without adequate notice or consumer consent.
In addition to the monetary fine, Avast will be prohibited under the Order from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes and will be required to obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes.
The company will also be required to delete all web browsing data previously transferred to its subsidiary, Jumpshot (through which the data was sold to third parties) and any products or algorithms Jumpshot derived from that data, and it will be required to inform previous customers about the FTC order.
TAKEAWAY
Following its original announcement of the proposed Avast Order in February 2024, the FTC posted on its blog a summary of takeaways from its proposed settlements with Avast, InMarket and X-Mode (all of which have since been finalized), making the bolded statement, “Browsing and location data are sensitive. Full stop” and warning that “Collecting, storing, using, and sharing people’s sensitive information without their informed consent violates their privacy.”
The FTC has since announced two proposed orders against alcohol addiction treatment service Monument and online mental health service Cerebral, in both cases based on allegations the services shared health data with third parties for advertising through use of third-party tracking tools without consumer consent.
Rhode Island Enacts Data Transparency and Privacy Protection Act
The Rhode Island Governor transmitted H 7787 to the Secretary of State without signature or veto, making the bill a law taking effect January 1, 2026. Rhode Island is the nineteenth state (or twentieth if you count Florida) to enact a comprehensive privacy law.
TAKEAWAY
Rhode Island’s privacy bill is missing certain elements common to most other state comprehensive privacy laws, such as an obligation to recognize universal opt out mechanisms and a data minimization requirement, but it contains one unique element: a requirement to identify, in a controller’s customer agreement or another conspicuous location on its website or online service, all third parties to whom the controller has sold or may sell customers’ personally identifiable information (which is not defined).
This goes one step further than a similar requirement under Oregon and Minnesota laws, which give customers the right to request a list of third parties but do not require a public posting of the list.
Looking for guidance on all the U.S. States’ privacy regulation? Download Sourcepoint’s Ultimate Guide to U.S. State Privacy Laws.
EUROPE
Avanza Bank Receives SEK 15MM Fine For Misconfiguring a Meta Pixel
The Swedish Privacy Protection Agency (IMY) announced a penalty fee of SEK 15MM against Avanza Bank based on allegations the bank transferred personal data to Meta due to incorrect settings of the Meta pixel on its website and app, activating new sub-functions by mistake. The error allegedly caused consumer banking details, such as data on securities holdings and value, loan amounts, account numbers and social security numbers, to be transferred to Meta. The fine was issued based on alleged violations of GDPR for not having taken appropriate technical and organizational measures to ensure an appropriate level of security for the personal data of its website visitors and app users.
TAKEAWAY
This likely won’t be the first action of its kind based on misuse of the Meta pixel. In its announcement, the IMY specified that it “has several other ongoing reviews based on reported personal data incidents where personal data has been transferred to Meta over a longer period of time.” In such cases, the IMY says it “examines what has happened and what routines the companies have in place to have control over the users’ personal data”.
Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
FTC and Sensitive Location Data; New Pen Register Class Actions
December 9, 2024FTC takes action against the sale of sensitive data...
California CPPA Issues Notice of Proposed Rulemaking
November 25, 2024News out of California this week. The CPPA moved...
Mitigating risk under the Video Privacy Protection Act (VPPA)
November 23, 2024Because VPPA is just one of many tools being...
Latest White Papers
E-book: Enterprise Guide To Cookie management & Tracker List Curation
July 1, 2024How to review the tracking tech on your websites...
Benchmark Report: US Privacy Compliance
August 19, 2022The current state of publisher compliance with CCPA, and...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.