On April 30, 2018, the Federal Trade Commission announced that BLU Products, Inc. (“BLU”), a mobile phone manufacturer, agreed to settle charges that the company allowed ADUPS Technology Co. Ltd. (“ADUPS”), a third-party service provider based in China, to collect consumers’ personal information without their knowledge or consent, notwithstanding the company’s promises that it would keep the relevant information secure and private. The relevant personal information allegedly included, among other information, text message content and real-time location information. On September 6, 2018, the FTC gave final approval to the settlement in a unanimous 5-0 vote.
The FTC’s complaint alleged that BLU falsely claimed that the company (1) limited third-party collection of data from users’ devices to information needed to perform requested services, and (2) implemented appropriate physical, technical and administrative safeguards to protect consumers’ personal information. The FTC alleged that BLU in fact failed to implement appropriate security procedures to oversee the security practices of its service providers, including ADUPS, and that as a result, ADUPS was able to (and did in fact) collect sensitive personal information from BLU devices without consumers’ knowledge or consent. ADUPS allegedly collected text message contents, call and text logs with full telephone numbers, contact lists, real-time location data, and information about applications used and installed on consumers’ BLU devices. The FTC alleged that BLU’s lack of oversight allowed ADUPS to collect this information notwithstanding the fact that ADUPS did not need this information to perform the relevant services for BLU. The FTC further alleged that preinstalled ADUPS software on BLU devices “contained common security vulnerabilities that could enable attackers to gain full access to the devices.”
The terms of the proposed settlement prohibit BLU from misrepresenting the extent to which it protects the privacy and security of personal information and require the company to implement and maintain a comprehensive security program. The company also must undergo biannual third-party assessments of its security program for 20 years and is subject to certain recordkeeping and compliance monitoring requirements.