The Federal Trade Commission (FTC) ordered Avast to pay about $15.3 million in damages after finding that the company collected and sold users’ browsing data without adequate notice or consent. Avast is a global cybersecurity company known for its antivirus software and consumer security tools. The FTC said the company misled users by promoting its products as privacy protective while gathering detailed information about online activity.
The refund program marks the final stage of a settlement announced earlier. Payments are being issued to more than 100,000 eligible consumers who filed valid claims. Refunds are delivered by cheque, PayPal, or Zelle. The settlement also requires Avast to stop selling or licensing browsing data collected through its products and to introduce a comprehensive privacy compliance program.
Regulators said Avast used its antivirus software and browser extensions to collect browsing histories, search queries, metadata, and device information. The data was transferred to a subsidiary that sold it to advertisers and data brokers. The FTC said users were not properly informed that their activity would be tracked and that the collected information was not anonymised sufficiently to prevent identification.
The FTC argued that marketing claims about blocking tracking and protecting privacy were misleading because the company engaged in the type of data collection that users sought to avoid. Regulators said this conduct violated consumer protection standards because users could not give informed consent. They added that the scale of data distribution created risks, including the possibility that third parties could match browsing records to specific individuals.
The settlement requires Avast to delete previously collected browsing data and to ensure that future products comply with privacy obligations. The company must document how it gathers, shares, and stores user information, and must submit regular compliance reports. Regulators described the case as an example of increasing scrutiny of data practices in the consumer cybersecurity sector.
Consumers who believe they were affected are advised to review official notices from the FTC or the refund administrator. Officials said no fee is required to receive a payment. They warned users to be cautious of fraudulent messages that claim to offer compensation but request personal or financial information.
Privacy specialists said the case underlines the importance of reviewing data collection terms before installing security software. They said free or low-cost tools may rely on data sharing to generate revenue, and that unclear privacy statements should prompt caution. They added that companies offering security products are expected to meet higher standards because users trust them to safeguard sensitive information.