The policy, which AVG’s website says will come into effect in October 2015, has apparently been changed to explicitly allow the collection and sale of personal information relating to browsing history, searches, location and meta-data. Previous policies indicated that the firm only collected browsing data when a person used their their web site as well as information about any malware on the user’s machine.
The site does not offer a list of changes made to the policy other than to provide a link to PDFs of previous versions.
Under the heading “What do you collect that cannot identify me” AVG’s new policy states:
“We collect non-personal data to make money from our free offerings so we can keep them free, including: Advertising ID associated with your devices Browsing and search history, including meta data; Internet service provider or mobile network you use to connect to our products; and Information regarding other applications you may have on your device and how they are used.
“Sometimes browsing history or search history contains terms that might identify you. If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information. We may also aggregate and/or anonymize personal data we collect about you.
“For instance, although we would consider your precise location to be personal data if stored separately, if we combined the locations of our users into a data set that could only tell us how many users were located in a particular country, we would not consider this aggregated information to be personally identifiable.”
“Anti-virus software runs on our devices with elevated privileges so it can detect and block malware and other threats,” he says. “It is wholly unacceptable for an anti-virus software vendor to abuse those privileges to build detailed browsing, location and search profiles. It places AVG squarely into the category of spyware – which is what they are supposed to stop not what they are supposed to be.”
Hanff goes on to say that the terms of the policy may also put AVG in contravention of forthcoming EU data-protection legislation.
“AVG’s definition of identifiable data does not match the official opinion of the Article 29 Working Party, which states that any data that can be used to single out an individual (such as a user ID, IP address or device fingerprint) is classed as identifiable information,” he told Computing.
“Secondly, under Article 5(3) of the ePrivacy Directive, any company that collects data about individuals by accessing files on their device must obtain the informed consent of that individual.
Hanff goes on to mention possible antitrust issues, given that AVG actively blocks other companies who collect data to profile users’ behaviour for the purpose of selling it to advertisers. This could potentially be used to give the company a competitive advantage, he argues, urging users to uninstall the product.