The Czech Republic’s Office for Personal Data Protection (DPA) said in a brief statement today that it has launched a preliminary investigation into Avast Software s.r.o., following reports that the Prague-based antivirus company collected data from users of its free AV product and sold it via a separate business division.
“At the moment we are collecting information on the whole case. There is a suspicion of a serious and extensive breach of the protection of users’ personal data,” said Ivana Janu, president of the Czech Office for Personal Data Protection, in an official statement. “Based on the findings, further steps will be taken and general public will be informed in due time.”
In October 2019, researcher Wladimir Palant published a blog post warning that Avast browser extensions (and those from its subsidiary AVG) would log users’ IDs along with information on the websites they visited. This caused Google, Mozilla and Opera to remove these extensions until Avast implemented new privacy protections.
Avast was reportedly gathering the data and passing it along to to its marketing analytics subsidiary Jumpshot, which sold the data to third-party brands and market research companies. While Avast claimed it “de-identified” the data by removing personal details, a joint investigation by PCMag and Motherboard found that the modified data could be combined with additional information to still identify users and match them to real individuals. On Jan. 30 Avast announced it was shutting down its Jumpshot business.