A recent FTC settlement highlights the need for companies to oversee their service providers, with respect to both collection of personal information and data security practices.

On April 30, 2018, the U.S. Federal Trade Commission (“FTC”) announced a settlement with BLU Products, Inc. (“BLU”), a Florida-based mobile device manufacturer, resolving allegations that BLU shared sensitive consumer data with a third-party service provider in violation of BLU’s privacy policy and the FTC Act.  

According to the FTC’s complaint released with the settlement:

• From at least 2015 to November 2016, BLU mobile devices came pre-installed with software from ADUPS Technology Co., LTD (“ADUPS”), a service provider BLU had contracted with to issue security and operating system updates to BLU’s devices.
• BLU’s privacy policy stated that BLU limits its disclosure of personal information to third-party service providers, who “have access to personal information needed to perform their services … but may not use it for other purposes.” However, ADUPS, through the preinstalled software, had full administrative access to BLU devices and collected and transmitted personal data to its servers in China – including text messages, contact lists, and real-time location information (none of which was necessary for ADUPS to perform its services) – without end consumers’ knowledge and consent.
• BLU’s privacy policy also stated that BLU implements “appropriate physical, electronic, and managerial security procedures” to “help protect” its end consumers’ personal information. However, preinstalled software on BLU devices contained commonly known security vulnerabilities.  Thus, BLU failed to implement appropriate security procedures to oversee the security practices of its service providers.

The complaint charges that these practices constituted false or misleading representations by BLU regarding both disclosure of personal information and data security practices, in violation of the FTC Act.

Under the proposed settlement, BLU must:

• Abstain from misrepresenting the extent to which it collects, uses, shares or discloses personal data;
• Implement and maintain a comprehensive, written information security program reasonably designed to address security risks associated with its devices and protect consumer personal information;
• Undergo third-party assessments of this information security program every two years for the next 20 years; and
• Provide consumers with clear and conspicuous notice of, and obtain consumers’ affirmative, express consent for, collection of geolocation data or the content of text messages, photos, video communications, or audio conversations.

The proposed settlement order will remain open for public comment through May 30^th.

In conjunction with Monday’s settlement, FTC staff released guidance for companies concerned with the privacy and security risks that arise from sharing data with third-party service providers, urging them to “[k]eep a watchful eye on . . . service providers.”  Specifically, the guidance encouraged companies to (i) conduct adequate due diligence on service providers, in order to understand how their services work, what data they will be able to access, and what needs to be done to conform their conduct to the companies’ privacy promises; (ii) clearly set out security and privacy expectations in contracts; and (iii) build in procedures to enable ongoing monitoring of compliance with those agreements.