    Amit, Pollak, Matalon & Co.


    Proposed Settlements Illuminate Prohibited Practices in Consumer Data Selling

    February 25, 2024

    Recent FTC and California State decisions shed light on prohibited practices in consumer data selling. These proposed settlements underscore the legal obligations companies face concerning consumer data privacy, particularly when engaging in the sale or transfer of collected personal information.

    FTC proposed settlement with Avast:

    On February 22, 2024, the Federal Trade Commission (FTC) announced a proposed settlement with Avast, imposing a $16.5 million fine for violating consumer data privacy. Avast is a cybersecurity firm known for its freeware antivirus and security software and extensions. The settlement addresses Avast’s misleading representations of privacy protection while concurrently selling its customers’ browsing data to third parties.

    According to the FTC complaint, Avast collected extensive user data through its products, consisting of browsing data that could reveal sensitive personal information such as religious beliefs, health conditions, political affiliations, and financial status. Avast did so while presenting its products as “privacy-protecting solutions”. In reality, Avast funneled the collected browsing data to its subsidiary, Jumpshot, which then sold it to third parties, including advertisers and analytics firms.

    The FTC’s original complaint identifies several violations of Section 5(a) of the FTC Act, including:

    • Unfair Acts and Practices: Avast’s extensive data collection and its sale to third parties, executed without sufficient consumer notice, were deemed unfair due to the risk and harm they posed to consumers.

    • Deceptive Representations: Marketing its software as “tools for privacy”, while simultaneously selling the user data collected through such tools, led to charges of deceptive practices against Avast.

    • Anonymization and Aggregation Misrepresentations: Avast claimed in its terms and privacy policy that any further use of the data would be subject to anonymization and aggregation. However, those claims were undermined by contractual loopholes in Avast’s data selling agreements that allowed possible re-identification of the data by the acquiring third parties. The FTC stipulated that although Avast included some contractual restrictions on re-identification in certain circumstances, those restrictions were specifically narrow, ignoring the possibility of correlating non-personally identifiable information with user activities, a gap some of Avast’s clients appeared to exploit while re-identifying data subjects. Moreover, the FTC highlighted Avast’s obligation to supervise and enforce its buyers’ adherence to these restrictions.

    In addition to the $16.5 million fine, the settlement includes several key provisions: Avast is prohibited from selling or licensing browsing data for advertising purposes, must obtain explicit consent before using browsing data from non-Avast products, and is required to delete collected web browsing information and any derived products or algorithms.

    California Attorney General Settlement with DoorDash:

    On February 21, 2024, the State of California Attorney General announced that it had reached a stipulated judgment with DoorDash, Inc., regarding its compliance with the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”). DoorDash is a technology company providing a food delivery service and platform, connecting users with local restaurants for food delivery (similar to Wolt, which DoorDash acquired during 2022).

    The California AG asserted that DoorDash engaged in marketing cooperatives (“co-ops”), wherein DoorDash provided consumers’ personal information to the co-op members. Upon receiving this data, the co-op members combined it with their own information, cross-analyzed it, and facilitated the distribution of mailed advertisements to prospective customers. This data sharing was deemed a “sale” under the CCPA because DoorDash received “valuable consideration” for providing customer data to the co-op, notably the opportunity to advertise its services directly to customers of other participating companies.

    According to the stipulated judgment, DoorDash allegedly violated the CCPA and CalOPPA in two main ways:

    • Inadequate Notice at Collection: DoorDash did not provide consumers with clear, up-to-date information about the data being collected and its purpose, including its sale as part of DoorDash’s participation in the co-ops.

    • Lack of Opt-Out Mechanisms: DoorDash failed to implement and maintain an easy and accessible process for opting out of that sale of data.

    To resolve these violations, DoorDash agreed to a stipulated judgment with California authorities, requiring the implementation of a comprehensive compliance program, the establishment of a robust opt-out mechanism, and the payment of a $375,000 penalty to the California AG Office.

    These two decisions, together with the FTC’s previous action against InMarket Media (detailed in our previous Client Update), demonstrate growing scrutiny surrounding the sale of personal data. These developments highlight several important considerations:

    • The “sale” of data is no longer limited to direct transactions or cookie-based methods. It extends even to intercompany transfers of personal data among subsidiaries and to data sharing arrangements in collaborative ventures such as the DoorDash co-ops.

    • Any form of data sale or further processing necessitates careful attention to ensure compliance with disclosure requirements, consent protocols, and the provision of opt-out mechanisms.

    • While data aggregation and de-identification can offer solutions, they must be reinforced by robust technical and contractual safeguards to prevent re-identification. Additionally, effective supervision mechanisms should be implemented to ensure compliance, including with respect to contractual third parties.

    We will keep you updated on the development of such matters.
    APM Technology and Regulation Team.

    This document is intended to provide only a general background regarding this matter. It should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding.