‘Free’ Software, Anti-Virus, GDPR And Business

If anything online is “free” then simply YOU, or rather YOUR PRIVACY, is the product. As the old saying goes, “there is no such thing as a free lunch”. AVG, purveyor of free anti-virus-cum-bloatware, made this abundantly clear when it announced a new Privacy Policy in 2015, and with GDPR now in force the issue of what data you and your organisation give away could not be more important!

In summary: if you use its free software, it will be harvesting and then selling your data, or rather the personal data of anyone you work with or for! This last fact is incredibly significant in light of GDPR. As AVG and other ‘Pay With Privacy’ (PWP) products and services collect data about you throughout your working day, they are also collecting data about your customers, contacts or anyone who entrusts their data to you, however ‘inadvertent’ that data collection may or may not be.

This data collection is not limited to free anti-virus software. Google and Microsoft’s free Gmail service, BT Connect email addresses and many other “free” IT products all work in the same way. The data collected is used to target advertising at you and potentially your customers.

If you choose to use ‘free’ Pay With Privacy products and services in your business, you have to ask yourself why, and what the legal implications are. There will almost certainly be a commercial or genuinely Open Source Business to Business (B2B) product that is suitable. Therefore, it is often down to price, particularly with small businesses and Third Sector Organisations. In which case you really cannot make the argument that you did not knowingly resell your customers’ data and breach their privacy. You are receiving a product or service for a consideration, that consideration, in this case, being ‘free’ or a ‘Pay With Privacy’ (PWP) product. Therefore my simple question is this: do your Terms of Business make it clear to customers that you are selling their data, and what implications does this have in light of GDPR?

This practice has long been dubious at best; however, the introduction of GDPR creates additional legal implications which could be putting your organisation at risk. As yet we have not seen significant action taken in the UK by authorities in relation to GDPR breaches. However, everyone in the industry expects that to change swiftly once the Brexit chaos is out of the way! The Information Commissioner’s Office (ICO) has stated on many occasions that it will initially seek to create test cases and to tackle ‘low hanging fruit’. The use of these privacy-busting applications and services would appear to fulfil both criteria, as a significant test case and as low hanging fruit!


So perhaps you’re thinking, well, this is all a little melodramatic, and I won’t deny it is. Or perhaps you’re thinking, well, we’re a small business, we’re insignificant in the grand scheme of things, we don’t handle sensitive data. Perhaps some or all of these are true, and I will be happy to listen to you explain that to your most privacy-conscious customer when they discover the data breach and report it to the Information Commissioner, or even worse, in a court of law.

My point is simple: given the low cost of basic Business Anti-Virus, basic Google for Business email services or even our professionally monitored and managed Secure, Monitor, Protect product, I ask, is it a risk worth taking?

For further information about AVG’s changes, read Rhodri Marsden’s take on AVG’s Privacy Policy. AVG announced the changes in a blog post. The updated policy is here, or take a look at this extract:

We collect non-personal data to make money from our free offerings so we can keep them free, including

* Advertising ID associated with your device.
* Browsing and search history, including metadata.
* Internet service provider or mobile network you use to connect to our products.
* Information regarding other applications you may have on your device and how they are used.
* AVG will also collect data about apps on your computers & mobile devices.

The T&Cs for BT, Yahoo & Sky email also make it clear that they collect your data and use that data to allow advertisers to better target you. Full terms here: https://policies.oath.com/ie/en/oath/privacy/partnercontrollers/index.html

Secure, Monitor, Protect from Welgo provides businesses with a business-level security platform monitored and maintained by Welgo’s professional Edinburgh IT Consultancy. We provide business protection, monitoring your computers live and dealing with threats as they occur, so that your team are not interrupted by pop-up messages and left unsure how to respond.

Welgo provides Business Email, collaboration and cloud services from both Google for work and Microsoft 365. For more information or to inquire about Business IT Support and Consultancy from Welgo, click here. We work with Small Businesses and Third Sector Organisations throughout the UK.

If you have any questions, please call the Welgo helpline on 0131 667 0195 or raise a support request via the Welgo Support Portal.

If you are not already a Welgo Customer, please call us and one of the team will be happy to arrange an appointment to discuss how Welgo can help you with your Business IT needs.