Highlights:
- Privacy regime convergence: The FTC aligns its UDAP enforcement authority with GDPR principles in the absence of a U.S. federal privacy regime.
- Privacy violations have international consequences: companies should prepare for greater cooperation between global privacy regulators.
GDPR’s U.S. Impact: Lessons from the FTC-Avast Case
In 2024, the Federal Trade Commission (FTC) fined global antivirus provider Avast $16.5 million for collecting and selling user data through a subsidiary to over 100 third-party companies without users’ consent and in contravention of data protection guarantees it made to consumers. Shortly thereafter, Czech regulators brought a second action against Avast for violations of the European Union’s General Data Protection Regulation (GDPR) stemming from the same practices. These cases reveal the growing trans-Atlantic flow of data privacy theories and enforcement.
Avast marketed its antivirus software to “block annoying tracking cookies” and “shield users’ privacy”1. However, the FTC alleged that Avast sold browsing data collected from users of its products to various clients in a re-identifiable form, including users’ visited web pages, device and browser types, and location. Re-identifiable browsing information is considered sensitive personal data subject to heightened standards by the FTC, as it may reveal “consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content, and interest in prurient content.”2
Avast is one of a string of recent actions in which the FTC has enforced GDPR-influenced privacy principles even in the absence of a national privacy regime by classifying acts prohibited by the GDPR “unfair and deceptive” under the FTC Act. Businesses should be aware that the FTC is moving in the direction of interpreting any conduct that violates the GDPR as unlawful in the United States.
The impact of the FTC’s decision was felt across the Atlantic in the Czech Republic, where Avast is headquartered, as the country’s Office for Personal Data Protection (ÚOOÚ) imposed a fine of approximately $14.8 million on the company for violating the GDPR 2 months after the FTC filed its complaint.3
This case shows the growing interrelatedness between American and European privacy enforcement, even in the absence of a U.S. federal privacy regime. Companies should prepare for greater international cooperation between privacy regulators and ensure that their compliance programs are similarly global in reach.
*Disclaimer: The content provided in this blog is for informational purposes only and does not constitute legal advice. Reading this blog does not create an attorney-client relationship with Ivory Law Group or any of its attorneys. For legal advice, please consult with a qualified attorney directly.
Complaint, FTC v. Avast, No. 2023033 (F.T.C. 2024), https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-Avast.pdf- Complaint, FTC v. Avast, No. 2023033 (F.T.C. 2024), https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-Avast.pdf
- Úřad pro ochranu osobních údajů, Decision No. UOOU-01025/20-121, April 10, 2024, https://uoou.gov.cz/media/rozhodnuti/rozhodnuti-predsedy/2024/uoou-0102520-121-aj.pdf
Ivory Law Group
Latest posts by Ivory Law Group (see all)
- What’s on the Legal Checklist for Successful M&A in Growth-Stage Companies? - April 9, 2026
- How Do You Increase Contract Velocity Without Increasing Legal Risk? 6 Proven Tactics - March 5, 2026
- Legal Ops for Non-Lawyers: 6 Ways Finance & Operation Leaders Build Scalable Legal Systems for Growth - February 6, 2026
