Avast Faces $14.8 Million Penalty for Data Protection Violations
Czech cybersecurity software leader Avast has been hit with a hefty $14.8 million fine by the Czech Republic’s Office for Personal Data Protection (ÚOOÚ) for alleged violations of the European Union’s General Data Protection Regulation (GDPR).
The decision stems from an investigation into how Avast and its subsidiary, Jumpshot, handled data collected from Avast’s antivirus software and browser extensions. The ÚOOÚ determined that in 2019, Avast processed sensitive personal data without user consent and funneled it to Jumpshot, where it was sold to third parties for analytics purposes. This extensive data set, affecting over 100 million users, could reveal private details such as browsing habits, interests, location, and financial status.
At the core of the issue is Avast’s claim that it employed reliable anonymization techniques. The ÚOOÚ concluded that, in practice, this approach failed to guarantee full user privacy, as some data could still link back to individuals. This contradicts the core principles of the GDPR, which requires clear user consent and robust data protection measures.
The ÚOOÚ emphasized that as a cybersecurity company promoting data protection tools, Avast should uphold the highest privacy standards. This fine sends a strong message that even industry leaders will face consequences for failing to rigorously prioritize user privacy.
This isn’t the first time Avast’s data collection practices have drawn fire. In February 2024, the company settled similar allegations with the U.S. Federal Trade Commission, agreeing to pay $16.5 million. These back-to-back incidents underscore the growing global focus on corporate data ethics.
In a statement, Avast expressed disagreement with the conclusions drawn by the ÚOOÚ, indicating that it’s considering further legal action. The company also underscored its commitment to data protection and pledged to improve its privacy practices.
The Avast case highlights the increasingly stringent enforcement of data privacy regulations. Companies, particularly those with a large digital footprint, must make user consent and data protection central to their operations. Failure to do so carries significant financial and reputational risks.