Norton Rose Fulbright - Data Protection Report blog

On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two reasons: (1) the FTC allegation that a company’s failure to implement appropriate security procedures to oversee a vendor’s security practices (including a lack of vendor due diligence) can violate Section 5 of the Federal Trade Commission Act; and (2) the proposed remedy includes a separate notice and affirmative opt-in consent relating to collection, use, and sharing of certain consumer information. BLU does not admit or deny any of the FTC’s allegations.

Background

According to the FTC’s complaint, BLU Products, which has sold millions of mobile devices worldwide through online as well as brick-and-mortar retailers, outsourced the actual manufacture of the devices to third parties. Since at least 2015, BLU licensed software from ADUPS Technology Co., LTD (a company based outside the U.S.) for the purpose of providing firmware over-the-air update services, which allow device manufacturers to issue security patches or operating system upgrades to devices via wireless or cellular networks. BLU directed the manufacturers to preinstall the ADUPS software on its devices, which granted ADUPS full administrative access to and control of those devices (to enable the installation of the patches and upgrades).

BLU’s posted privacy policy stated that it limits disclosure of consumers’ information only to third parties BLU uses to fulfill its obligations to the consumers, and that these companies would have access to personal information needed to perform their services. BLU’s privacy policy also stated that the company implemented “appropriate physical, electronic, and managerial security procedures to help protect the personal information that you provide us.”

The FTC complaint states that, between 2015 and November 2016, the ADUPS software transmitted personal information about consumers to ADUPS servers without their knowledge or consent. Among the information transmitted were full text messages; real-time cell tower location data; call and text message logs with complete telephone numbers; contact lists; and lists of applications used and installed on each device.

In November 2016, reports about the ADUPS collection and sharing of consumer information became public. In response, BLU posted a security notice on its website, stating that ADUPS had updated its software to halt those data collection practices. According to the FTC, some consumers stopped using BLU’s devices, while others “expended time and effort disabling the ADUPS software from their devices,” which had the effect of leaving them “with a device unable to receive critical security updates.” Furthermore, the FTC alleged that “BLU continued to allow ADUPS to operate on its older devices without adequate oversight.”

The Complaint

The complaint alleged that, contrary to BLU’s posted privacy policy, ADUPS “had access to personal information that was not needed” to perform the patches and updates. Paragraph 21 of the complaint, which relates to vendor management, states:

21.  In fact, Respondents did not implement appropriate physical, electronic and managerial security procedures. For example, Respondents failed to implement appropriate security procedures to oversee the security practices of their service providers, such as by:

a.  failing to perform adequate due diligence in the selection and retention of service providers; for example, Respondents failed to assess or evaluate the privacy or security practices of ADUPS prior to entering into an agreement with that company;

b.  failing to adopt and implement written data security standards, policies, procedures or practices that apply to the oversight of their service providers, including ADUPS;

c.  failing to contractually require their service providers to adopt and implement data security standards, policies, procedures or practices; and

d.  failing to adequately assess the privacy and security risks of third-party software, such as ADUPS.

The FTC issued a two-count administrative complaint. In the first count, the FTC alleged that BLU’s privacy policy representation that it limited disclosure of users’ information to third-party service providers only to the extent necessary to perform services was false or misleading under Section 5 of the FTC Act. In the second count, the FTC alleged that BLU’s privacy policy representation that it implemented appropriate physical, electronic and managerial security procedures to protect consumers’ personal information was also false or misleading under Section 5 of the FTC Act.

The Proposed Order

In its proposed 20-year Order, the FTC would require BLU to adopt several practices and to agree to certain prohibitions that are common to the FTC’s other data privacy and security consent agreements, including: a prohibition against misrepresentations about security and privacy, a mandated data security program, a biennial requirement for third-party data security assessments, compliance reports and notices, recordkeeping requirements, and compliance monitoring. What is unusual in this proposed Order is a new requirement relating to notice and affirmative express consent.

This new requirement would apply prior to collecting or disclosing any “Covered Information.” The term “Covered Information” is defined to mean “the following information from or about a consumer or their device”:

1.  Precise location data of an individual or mobile device, including but not limited to GPS-based, WiFi-based, or cellular-based location information; or

2.  Content of text messages, audio conversations, photographs, or video communications.

Under this new requirement, prior to collecting or disclosing any Covered Information, BLU would be required to:

A.  clearly and conspicuously disclose to the consumer, separate and apart from any “privacy policy,” “terms of use” page, or similar document:

(1)  the categories of Covered Information that Respondents collect, use, or share;
(2)  the identity of any third parties that receive any Covered Information; and
(3)  all purposes for Respondents’ collection, use, or sharing of the Covered Information; and

B.  obtain the consumer’s affirmative express consent.

Would your company be prepared to obtain a separate affirmative opt-in consent from consumers prior to collecting photos or location data, and be willing to identify all third parties that receive that data?

Comments on the proposed Order are due to the FTC by May 30, 2018.