Czechs Investigating Avast Over Data Collection Policies

The Czech Republic’s Office for Personal Data Protection (DPA) said in a brief statement today that it has launched a preliminary investigation into Avast Software s.r.o., following reports that the Prague-based antivirus company collected data from users of its free AV product and sold it via a separate business division.

“At the moment we are collecting information on the whole case. There is a suspicion of a serious and extensive breach of the protection of users’ personal data,” said Ivana Janu, president of the Czech Office for Personal Data Protection, in an official statement. “Based on the findings, further steps will be taken and general public will be informed in due time.”

In October 2019, researcher Wladimir Palant published a blog post warning that Avast browser extensions (and those from its subsidiary AVG) would log users’ IDs along with information on the websites they visited. This caused Google, Mozilla and Opera to remove these extensions until Avast implemented new privacy protections.

Avast was reportedly gathering the data and passing it along to to its marketing analytics subsidiary Jumpshot, which sold the data to third-party brands and market research companies. While Avast claimed it “de-identified” the data by removing personal details, a joint investigation by PCMag and Motherboard found that the modified data could be combined with additional information to still identify users and match them to real individuals. On Jan. 30 Avast announced it was shutting down its Jumpshot business.

“We are in receipt of the DPA’s request, and we will diligently work with the DPA in full cooperation, said an Avast spokesperson in an official statement. “We take concern about our users’ privacy very seriously, which is why we voluntarily made changes to our privacy policy in December, and made the decision to close Jumpshot last month. Avast’s core mission is to keep its users’ data safe online, and any practice that jeopardizes user trust is unacceptable. Protecting user privacy is embedded in everything we do in our business, and as such we remain focused on continuing to innovate our products for the benefit of our users and their privacy.”