The Federal Trade Commission’s 2024 enforcement action and settlement with Avast—a global antivirus and browser-extension provider—offers important lessons for dealers that deploy digital tools on their website, and engage third-party vendors to collect consumer information. The FTC announced in December 2025 that Avast would pay more than $15.3 million to be distributed to over 103,000 consumers affected by Avast’s alleged deceptive and unfair practices.
Although the case stems from the software industry, its underlying principles directly apply to any business with a website that engages in targeted advertising, including automotive retail. The FTC’s focus on undisclosed data collection, misuse of sensitive information, and misleading privacy claims demonstrates that regulators remain deeply concerned with how companies handle consumer data, regardless of industry.
Background
According to the FTC, Avast marketed its antivirus and browser tools as privacy-protective—claiming they would block tracking and shield users from online monitoring—while simultaneously collecting highly detailed browsing information from those very users. This information allegedly included URLs visited, search queries, background resource URLs, cookie data, and persistent identifiers that allowed third parties to track individuals across the internet over time. Despite representing that any shared data was “anonymous,” the FTC alleged that Avast, in fact, transferred granular, re-identifiable information to advertising firms, data brokers, and analytics companies. The Commission concluded that Avast failed to obtain meaningful consent and, in many cases, failed to disclose these practices altogether.
Lessons for Dealers
Dealership websites routinely deploy a variety of digital retailing tools, chatbots, marketing pixels, embedded vendor scripts, and other technologies, which can all capture sensitive information about consumers—sometimes without the dealer even knowing what data is being collected. Just as the FTC viewed browsing data as sensitive because it can reveal health concerns, financial circumstances, political leanings, or other private attributes, dealership-related browsing behavior can contain similar types of insights. When a vendor collects this type of data through the dealership’s website or digital tools, the dealer may unknowingly be responsible for the same types of practices the FTC alleged in Avast.
The Avast case reinforces a broader principle that dealers must understand: public representations about privacy must match actual practices. Avast’s tools were advertised as blocking “annoying tracking cookies” and protecting user privacy, yet the company allegedly sold the very information it claimed to safeguard. Dealers face similar risks when their websites or privacy notices state that they do not sell or share personal information without consent, but their third-party vendors use tracking technologies that do exactly that.
Another important takeaway is the FTC’s continued reliance on its Section 5 authority to pursue these cases. There is no federal statute that explicitly defines browsing data as sensitive or requires companies to obtain consent before processing it. Yet the FTC still alleged that collecting and selling certain browsing information without consent was both deceptive and unfair. This mirrors the Commission’s approach in recent geolocation and data-security cases and signals that sensitive data must be treated with heightened care. Dealers should not assume that the absence of a specific federal law governing browsing data, cookies, or digital advertising exempts them from liability. The FTC has made clear that it is willing to treat these practices as unlawful when consumers are misled or harmed.
This is in addition to the massive increase in enforcement of state UDAP and privacy law requirements related to website tracking technologies by state regulators. This type of state-level enforcement is expected to continue, particularly with the establishment of a multi-state privacy regulator task force that is working together to bring enforcement actions against businesses of all kinds.
What Should Dealers Do?
For dealers, this means that a proactive, rigorous approach to data oversight is essential. First and foremost, dealers need a properly functioning cookie banner and a privacy policy that meets the complicated requirements of state law and properly addresses dealer sharing practices.
In addition, dealers should evaluate every digital tool and vendor embedded on their websites to understand what data is collected, whether that data is shared downstream, and how it is used. Dealers must ensure that privacy notices are accurate and not contradicted by hidden data flows, and that consent management tools (like cookie banners) operate as they say they do. Consent should be meaningful, clearly presented, and specific—not buried in lengthy policies or obtained through pre-checked boxes or bundled terms. Dealerships should also conduct thorough due diligence on third-party vendors to ensure that those partners follow strict data-handling protocols, do not sell or repurpose dealership-derived data, and provide transparency into their practices.
The FTC’s actions against Avast serve as a strong reminder that companies in every industry can be held accountable for misleading data practices. As dealerships continue to modernize their online experiences, integrate new technologies, and rely more heavily on consumer data, they must ensure that privacy considerations remain central to their operations and partnerships.
ComplyAuto provides dealers with the best and most comprehensive suite of Privacy tools available. As the industry’s leading privacy and Safeguards Rule compliance tool, ComplyAuto Privacy offers customizable configurations to manage disclosures, consent, and vendor oversight in alignment with both federal and state privacy requirements. By adopting strong compliance tools and best practices, dealers can confidently navigate this complex regulatory landscape.