– The #FTC found that Avast anonymization measures were insufficient to prevent re-identification. Even when contracts contained prohibitions on re-identification, the language allowed customers to join their first-party data to the data purchased from Avast.
– FTC has confirmed that anonymized has a concrete technical definition consistent with the de-identified and anonymized data exemptions in state & global data protection laws.
– Cannot claim the data is anonymized if it can be joined with other data assets.
– Shared pseudonyms and IDs that allow parties to share and combine their data will be considered de facto personal information where each party holds identifiable information about users.
– Even if both parties otherwise de-identify data before joining, the resulting data sets will often be identifiable to both parties.
– #Anonymization post-join and pre-processing will be necessary.
– FTC also pointed out that #storingdata indefinitely is not acceptable.
– FTC said the #breach of #customertrust is egregious especially when you market yourself as doing something and end up doing the opposite.
Settlement amount: $16.5 million