Avast Slapped with $14.8 Million GDPR Fine

The Czech cybersecurity firm Avast has been fined $14.8 million for violating the GDPR. The fine was imposed by the Czech Office for Personal Data Protection (ÚOOÚ) following an investigation into the activities of Avast’s Czech subsidiary, Jumpshot.

The ÚOOÚ found that in 2019, Avast processed the personal data of its antivirus users and browser extension users without permission. The data of over 100 million users were transferred to Jumpshot, which among other things, engaged in selling analytics on user behavior online to third parties.

According to the ÚOOÚ, Avast misled users by claiming it used reliable data anonymization methods, while in reality, some of the information could still be used to identify users.

The ÚOOÚ emphasized that Avast, being a leader in cybersecurity and offering the public tools for data protection and privacy, should not have transferred personal data that could reveal not only the identities but also the interests, preferences, residence, financial status, profession, and other private life-related information of its clients.

In response to the regulator’s decision, a representative from Avast stated that the company disagrees with the ÚOOÚ’s conclusions and characterization of the facts, and is considering further legal action. The company also affirmed its commitment to protecting client data and stated that measures have been taken to ensure that privacy practices are prioritized. Avast continues to actively participate in international initiatives focused on data privacy.

It should be noted that in February, Avast agreed to pay $16.5 million to settle similar charges by the U.S. Federal Trade Commission. In 2020, the company ceased Jumpshot’s operations and committed not to sell browsing data for advertising purposes.