Avast Software, s.r.o. – €14,040,000 Fine (Czech Republic, 2024)
Avast Software was fined for selling users' browsing data without proper consent. The company collected and shared this data with another firm, which used it for marketing purposes. This case shows that companies must be transparent about how they use personal data and get users' permission first.
What happened
Avast Software collected and sold users' browsing data linked to about 100 million users without proper consent.
Who was affected
Users of Avast's antivirus software and browser extensions whose browsing data was collected were affected.
What the authority found
The Czech data protection authority found that Avast violated GDPR by processing data without a legal basis and failing to meet transparency obligations.
Why this matters
This ruling highlights the need for companies to be clear and honest about their data practices. It serves as a reminder that users have a right to know how their data is being used.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On a basis of an anonymous complaint submitted on 22 February 2020 and a major media case, the DPA started an investigation against Avast Software s.r.o. (‘the controller’ or ‘Avast’), a company providing antivirus software services and browser extensions (‘add-ons’). For at least two months in 2019, Avast allegedly collected and sold a portion of their users’ browsing data with a company called Jumpshot, INC. Specifically, they shared pseudonymised browsing history linked to a unique identifier of approximately 100 million users through the add-ons. Jumpshot, INC. claimed to provide this data to marketers, offering insights into consumer online behavior and ‘atomic-level’ user browsing tracking. The decision-making process consisted of 2 parts – first instance ruling by the DPA and second instance ruling by the Appellant Body within the same DPA. First instance decision Due to the cross-border nature of the processing, the DPA authority of first instance submitted a draft decision with other supervisory authorities concerned in the framework of One Stop Shop mechanism. None of the supervisory authorities raised a relevant and reasoned objection to the draft decision. On 14 March 2022 the DPA found the controller was guilty for committing the abovementioned offences. In particular, the controller processed data without legal basis under Article 6(1) GDPR and in violation of transparency obligations in the privacy policy under Article 5(1)(a) and 13 GDPR. The DPA in the first instance did not dispute that the accused had legal authority to collect personal data, but claims that it had no legal basis for transmitting it to Jumpshot, INC. The controller filed an appeal arguing that : * they used robust anonymization techniques for processing; * the average user was aware that their data was processed for statistical purposes; * the purpose of transmission of data to Jumpshot INC. was compatible with the primary purpose of the processing pursuant to recital 50 and Ar
Violations (1)
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Avast Software, s.r.o. in CZ
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
10 April 2024
Authority
Úřad pro ochranu osobních údajů
Fine Amount
€14,040,000
351,000,000 CZK
GDPRhub ID
gdprhub-7820About this data
Cite as: Cookie Fines. Avast Software, s.r.o. - Czech Republic (2024). Retrieved from cookiefines.eu
Last updated: