Antivirus and security firm Avast has made the headlines on several occasions lately, and it’s not because of its security software, but rather due to the privacy practices that the company embraced going forward.

The developer of Adblock Plus, one of the most popular ad blockers for the likes of Google Chrome and Mozilla Firefox, revealed earlier this year that extensions developed by Avast collected user data, such as website address, page title, browser and version, operating system, and more.

Wladimir Palant shared more findings in early December when he requested Mozilla and Google to ban Avast’s extensions from their add-on stores, something that eventually happened in the case of the Firefox maker. Google, on the other hand, still allows the extensions in the store despite the privacy concerns.

And while Palant warns that these extensions collect a massive amount of data from users’ devices, Avast claims all data is anonymized and aggregated (article originally cited Avast as saying this wasn't considered a privacy concern - see the update posted below).

“No privacy issue”

Avast chief executive Ondrej Vlcek explained in a recent interview with Forbes that user data is indeed collected and sold, but emphasized the whole process is anonymized. In other words, the data that is collected by Avast’s software can’t be tracked back to you because the company employs a dedicated system that removes identifiable user information from the batch of data.

Avast says the data isn't only anonymized, but also aggregated.

“Avast collects browsing data which is sent to our servers for examination in order to protect users against web-based threats in real time. This process relies on the use of artificial intelligence (AI) to parse through volumes of data to detect patterns and issues in ways that would be nearly impossible for human agents," the company told Softpedia in a statement.

"With a subset of this data, which users can opt out of sharing, Avast uses patented technology to strip personally identifiable information (PII) from the URLs of websites visited by users. This information is aggregated in a way that no individual person can be identified within the dataset and used by our subsidiary, Jumpshot Inc., to discern commercial insights into consumer behaviour. At no time is personal information sold to third parties."

Avast explains it uses Jumpshot to anonymize the collected information before it’s sold to a series of customers, which Vlcek says aren’t ad companies, but investors.

The new Avast CEO claims this controversial data collection system only generates some 5% of the company’s revenue. And while at first glance it may not seem much, it actually is.

Revenue for the first half of 2019 reached $426.8 million, so if the 5% figure is accurate, Avast made $21.3 million just by collecting and selling user data. Avast reported $811.5 million in 2018 revenue, so last year, the data collection accounted for $40.5 million.

According to Avast’s own figures, the company has more than 435 million “global active users of our security, privacy, and performance products.”

Article updated on December 19, 2019 with the Avast statement and further clarifications regarding Ondrej Vlcek's statements. Avast says Vlcek never said "there's no privacy concern," and this was just an editorial interpretation, rather than his own words.