The U.S. Federal Trade Commission (FTC) will mandate Avast to pay $16.5 million and prohibit the firm from selling customers’ web surfing data or licensing it for advertising.

The case alleges that Avast infringed upon the rights of millions of consumers by gathering, retaining, and trading their browsing data without their awareness and approval, while deceiving them about the devices’ ability to prevent online tracking.

FTC Chair Lina M. Khan criticized Avast for marketing its products as protecting people’s browsing records and data from tracking, only to later sell that information, which she found particularly offensive given the FTC’s focus on holding firms accountable for misrepresenting their data practices.

“In addition, Avast released a massive amount of data, with the complaint stating that by 2020, Jumpshot had collected over eight petabytes of browsing data dating back to 2014.”

The FTC alleges that Avast Limited, a UK-based corporation, collected consumers’ web surfing data without their permission through Avast browser extensions and antivirus software starting in 2014.

The Avast data feeds contained distinct identifiers for each web browser, together with a compilation of data on visited websites, timestamps, device and browser types, and the users’ location details such as city, state, and country. The organization inaccurately stated that it would only share customers’ personal information in an aggregated and anonymous manner when discussing its data-sharing procedures.

According to the FTC, Avast kept this data forever and distributed it to more than 100 third parties from 2014 to 2020 via their Jumpshot subsidiary.