The computer manufacturer Lenovo has reached a settlement with the Federal Trade Commission and 32 state attorneys general over charges that preloaded software on its laptops compromised user privacy.

Acting FTC Chairman Maureen Ohlhausen said that the third-party software was able to intercept browsing data from Lenovo’s users, even when they visited encrypted web pages.

“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” Ohlhausen said in a statement. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

From August 2014 to February 2015, Lenovo’s laptops came preloaded with software called VisualDiscovery, a “man-in-the-middle” program developed by a company named Superfish.

VisualDiscovery delivered pop-up ads to users from its retail partners. The FTC alleged that the program accessed consumers’ sensitive information like Social Security numbers, medical information and financial data.

Ohlhausen told reporters on Tuesday that around 750,000 computers with VisualDiscovery were sold in the U.S.

While the FTC's settlement with Lenovo did not include any monetary penalties, New Jersey Attorney General Christopher Porrino announced that the company agreed to pay $3.5 million in a separate agreement with his office and 31 other state offices.

The agreements require Lenovo to be more forthcoming to consumers about software on its devices and to obtain opt-in permission before implementing any programs.

In a statement, Lenovo directed consumers to a guide on removing the software from their devices.

“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” the company said in its statement, adding that it stopped pre-installing the software after becoming aware of the privacy concerns.

“To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications.”

—Updated at 12:16 p.m.