On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two reasons: (1) the FTC allegation that a company’s failure to implement appropriate security procedures to oversee a vendor’s security practices (including a lack of vendor due diligence) can violate Section 5 of the Federal Trade Commission Act; and (2) the proposed remedy includes a separate notice and affirmative opt-in consent relating to collection, use, and sharing of certain consumer information. BLU does not admit or deny any of the FTC’s allegations.
According to the FTC’s complaint, BLU Products, which has sold millions of mobile devices worldwide through online as well as brick-and-mortar retailers, outsourced the actual manufacture of the devices to third parties. At least since 2015, BLU licensed software from ADUPS Technology Co., LTD (a company based outside the U.S.) for the purpose of providing firmware over-the-air update services, which allow the device manufacturers to issue security patches or operating system upgrades to the devices via wireless or cell networks. BLU directed the manufacturers to preinstall the ADUPS software on its devices, which granted ADUPS full administrative access and control of those devices (to enable the installation of the patches and upgrades).
The FTC complaint states that, between 2015 and November of 2016, the ADUPS software transmitted personal information about consumers to ADUPS servers without their knowledge or consent. Among the information transmitted: full text messages; real-time cell tower location data; call and text message logs with complete telephone numbers; contact lists; and lists of applications used and installed on each device.
In November of 2016, reports about the ADUPS collection and sharing of consumer information became public. In response, BLU posted a security notice on its website, stating that ADUPS had updated its software to halt those data collection practices. According to the FTC, some consumers stopped using BLU’s devices while others “expended time and effort disabling the ADUPS software from their devices,” which had the effect of leaving them “with a device unable to receive critical security updates.” Furthermore, the FTC alleged “BLU continued to allow ADUPS to operate on its older devices without adequate oversight.”
21. In fact, Respondents did not implement appropriate physical, electronic and managerial security procedures. For example, Respondents failed to implement appropriate security procedures to oversee the security practices of their service providers, such as by:
a. failing to perform adequate due diligence in the selection and retention of service providers; for example, Respondents failed to assess or evaluate the privacy or security practices of ADUPS prior to entering into an agreement with that company;
b. failing to adopt and implement written data security standards, policies, procedures or practices that apply to the oversight of their service providers, including ADUPS;
c. failing to contractually require their service providers to adopt and implement data security standards, policies, procedures or practices; and
d. failing to adequately assess the privacy and security risks of third-party software, such as ADUPS.
The Proposed Order
In its proposed 20-year Order, the FTC would require BLU to adopt several practices and to agree to certain prohibitions that are common to the FTC’s other data privacy and security consent agreements, including: a prohibition against misrepresentations about security and privacy, a mandated data security program, a biennial requirement for third-party data security assessments, compliance reports and notices, recordkeeping requirements, and compliance monitoring. What was unusual in this proposed Order was a new requirement relating to notice and affirmative express consent.
This new requirement would apply prior to collecting or disclosing any “Covered Information.” The term “Covered Information” is defined to mean “the following information from or about a consumer or their device”:
1. Precise location data of an individual or mobile device, including but not limited to GPS-based, WiFi-based, or cellular-based location information; or
2. Content of text messages, audio conversations, photographs, or video communications.
Under this new requirement, prior to collecting or disclosing any Covered Information, BLU would be required to
(1) the categories of Covered Information that Respondents collect, use, or share;
(2) the identity of any third parties that receive any Covered Information; and
(3) all purposes for Respondents’ collection, use, or sharing of the Covered Information; and
B. obtain the consumer’s affirmative express consent.
Would your company be prepared to obtain a separate affirmative opt-in consent from consumers prior to collecting photos or location data, and be willing to identify all third parties that receive that data?
Comments on the proposed Order are due to the FTC by May 30, 2018.