The collected data is then reportedly repackaged and sold by Jumpshot, which says on its website that it's able to deliver data on users actions behind "the Internet's most valuable walled gardens." Some past and present Jumpshot customers, as well as potential clients, include Google, Yelp, Microsoft, Pepsi, Home Depot, Intuit and others, according to the report, which cites "leaked user data, contracts and other company documents."
In an emailed statement Monday, a spokeswoman for Avast said Jumpshot doesn't acquire "personal identification information, including name, email address or contact details," and that users have always had the option to opt out of sharing data with Jumpshot.
"As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020," said the spokeswoman, adding that the company understands and takes seriously "the responsibility to balance user privacy with the necessary use of data for our core security products."
Avast reportedly asks users to opt in to data collection via a pop-up message in the antivirus software. However, "multiple" users told Motherboard they were unaware that their browsing data was then sold.
Jumpshot didn't respond to a request for comment.
Originally published Jan. 27, 8:27 a.m. PT.
Update, 9:28 a.m.: Adds comment from Avast.
Correction, Jan. 28: An earlier version of this story listed Sephora as a Jumpshot customer. The company on Tuesday said, "Sephora is not a client and has not worked with Avast/Jumpshot."