The Federal Trade Commission (FTC) proposed Avast pay $16.5 million and be prohibited from selling any browser data to settle charges the software provider sold consumer information to third parties after promising it would not.

The commission voted 3-0 to issue an administrative complaint against Avast and accept a proposed consent agreement. A description of the consent agreement package will be published in the Federal Register and subject to public comment for 30 days, after which the agency will decide whether to finalize the order.

The details: U.K.-based Avast Limited collected the private browsing preferences of consumers, stored it “indefinitely,” and sold the data without notifying the consumers or obtaining their consent, the FTC alleged in its complaint published Thursday.

These practices occurred following Avast’s 2013 acquisition of Jumpshot. From 2014 through January 2020, Jumpshot sold browsing information that Avast collected to clients, including consulting firms, investment companies, advertising companies, marketing data analytics companies, individual brands, search engine optimization firms, and data brokers, per the complaint.

Avast deceived consumers by telling them it would block third-party tracking, among other privacy-related assurances, the agency said. It claimed Avast violated Section 5 of the FTC Act regarding unfair practices.

“Exposing people’s detailed browsing data in ways that can be traced back to them marks an invasion of privacy and is likely to cause substantial injury. Because it is intrinsically sensitive, browsing data warrants heightened protection. Businesses that sell or share browser history data without affirmatively obtaining people’s permission may be in violation of the law,” FTC Chair Lina Khan and the agency’s two other commissioners said in a joint statement.

Compliance considerations: The proposed order will prohibit Avast and its subsidiaries from selling browsing data. The company also must put in place a comprehensive privacy program aimed at preventing any similar FTC violations in the future.

It also must obtain affirmative express consent from consumers before selling data and delete personal web browsing information it collected.

In their joint statement, Khan and the commissioners noted the $16.5 million was the highest monetary remedy in a de novo (“anew”) privacy violation case.

Company response: “Avast has reached a settlement with the FTC to resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020,” said the company in an emailed statement. “… While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”