What just happened? Avast says its Jumpshot subsidiary was 100 percent GDPR compliant and operated independently from the main firm, but now it's shutting it down to protect user privacy. The company seems intent on winning back the trust of users, but it's also letting go of hundreds of employees in the process.

Earlier this week, news broke that Avast was using its free antivirus to harvest and sell users' (supposedly anonymized) browsing data to advertisers through a subsidiary called Jumpshot. The revelations came as a result of a joint investigation from Vice and PCMag, who also found the results of the data mining was then sold to companies like Microsoft, Google, and Pepsi.

Now, the company says it will shut down Jumpshot, which will effectively terminate the data collection operations for users of Avast and AVG's free products.

Avast acquired Jumpshot in 2013 to integrate the latter's cleanup tool into its software suite. Fast forward to 2015 and Jumpshot's new focus was data analytics and market intelligence. And while nothing is inherently wrong with trying to gauge how consumers spend their money, the problem was the firm did so without informing them, nor a proper mechanism to fully anonymize the data.

There are no less than 400 million people around the world using Avast products, and Jumpshot essentially put their online identity at risk. Avast CEO Ondrej Vlcek apologized to users and investors in a blog post, noting that "protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable."

The company's initial response was that users have always been able to opt out of its data collection, and that it recently changed that to opt-in. After collecting what could only be described as a treasure trove for advertisers, it now says Jumpshot operated independently -- albeit with the right hooks set in Avast's products.

Vlcek says he's spent the last seven months reviewing every aspect of Avast's business, and at some unspecified point concluded that data collection was not in line with "our privacy priorities as a company in 2020 and beyond."