DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Mobile Phone Maker BLU Products Settles with FTC Resolving Allegations of Lax Data Security Practices

Mobile phones are ubiquitous extensions of our personal and professional lives, and few think deeply about the tangled webs of software and hardware providers that supply components to mobile phone fabricators. However, the Federal Trade Commission’s recent settlement with BLU Products is an important reminder of the need for appropriate vendor oversight in all phases of the manufacturing and sales process.

BLU Products, Inc., a Florida-based consumer electronics company, and its co-owner entered into an FTC settlement resolving allegations that they misled consumers by falsely claiming that they limited third-party collection of data from users of BLU’s devices to only the information needed to perform requested services. BLU allowed a China-based, third-party service provider to collect detailed personal information about consumers, including text message contents and real-time location information, without consumers’ consent and despite representations that such information would be kept secure and private.

BLU sold over 50 million Android-based mobile devices worldwide. In the U.S., these were sold to consumers through retailers such as Amazon, Walmart, and Best Buy. BLU outsourced the device manufacturing process to a number of original device manufacturers (ODMs). The ODMs manufacture the BLU-branded devices according to BLU’s instructions after receiving purchase orders. In order to provide firmware updating services, BLU licensed software from ADUPS Technology and directed the ODMs to preinstall this software on all BLU devices they built.

Data collection without consumer consent

ADUPS is a China-based company that offers advertising, data mining and firmware over-the-air (FOTA) update services to mobile and Internet of Things connected devices. FOTA updates allow device manufacturers to issue security patches or operating system upgrades to devices over wireless and cellular networks. BLU contracted with ADUPS to perform FOTA update services on its devices.

According to the complaint, until November 2016 the ADUPS software on BLU devices transmitted personal information about consumers to ADUPS servers without consumers’ knowledge or consent. The information transmitted included the full content of text messages, real-time cellular tower location data, call and text message logs with telephone numbers, contact lists, and lists of applications used and installed on each device. The complaint alleges that the ADUPS software collected and transmitted consumers’ text messages to its servers every 72 hours and transmitted location data every 24 hours.

Press reports surfaced in November 2016 about this unexpected collection and sharing of personal data from BLU devices. Some consumers who became aware of these practices disabled the ADUPS software on their devices; however, by taking that action they were then unable to receive critical updates through FOTA. BLU posted a security update on its website informing consumers that ADUPS had updated its software to cease this unexpected data collection, but according to the complaint, BLU continued to allow ADUPS to operate on its older devices without adequate oversight to ensure that the data mining had actually ceased.

The FTC Complaint and Consent Order

The FTC’s two-count complaint alleges that the respondents violated Section 5 of the FTC Act by deceiving consumers about BLU’s data collection and sharing practices as well as BLU’s data security practices. The FTC relies on representations made in BLU’s privacy policy, which provides that BLU limits the disclosure of consumers’ information to third-party service providers only to the extent necessary to perform their services or functions on behalf of BLU, and that such service providers have access only to the personal information needed to perform those services or functions and for no other purposes.

According to the complaint, ADUPS had access to personal information that was not needed to perform FOTA updates, the only service BLU contracted with ADUPS to perform. In addition, the complaint alleged that BLU did not implement appropriate data security practices and cited its failure to oversee the security practices of its service providers. Specifically, the complaint identifies that BLU failed to:

  • Perform adequate due diligence in the selection and retention of service providers, such as failing to assess or evaluate the privacy or security practices of ADUPS prior to entering into an agreement with that company.
  • Adopt and implement written data security standards, policies, procedures or practices that apply to the oversight of service providers.
  • Contractually require its service providers to adopt and implement data security standards, policies, procedures or practices.
  • Adequately assess the privacy and security risks of third-party software such as ADUPS.

The proposed consent order prohibits the respondents from misrepresenting the extent to which they collect, use, share or disclose personal information, the extent to which consumers may exercise control over the collection, use or disclosure of personal information, and the extent to which they implement physical, electronic, and managerial security procedures to protect personal information. In addition, the order requires that, prior to collecting or disclosing any covered information, the respondents clearly and conspicuously disclose—separate and apart from the privacy policy, terms of use page or similar document—the categories of information collected and shared, the identity of any third parties that receive such information and the purposes for collecting the information, and that they obtain affirmative express consent.

The consent order also requires BLU to implement and maintain a comprehensive security program that is reasonably designed to address security risks related to the development and management of new and existing covered devices, and that protects the security, confidentiality and integrity of personal information. This program must be fully documented and contain administrative, technical, and physical safeguards appropriate to the respondents’ business.

The consent order also requires that BLU obtain an assessment and report from a qualified, independent third-party professional covering the first 180 days after issuance of the order and each two-year period thereafter for 20 years.

The proposed complaint and consent agreement will be open for public comment for 30 days. The FTC will then review any comments received before issuing the consent order in final form.


About the Author: Laura Phillips

Laura Phillips leads the firm’s telecommunications & mass media team. She counsels technology entrepreneurs and represents these clients on issues related to the development of new technologies. View Laura's full bio on the Faegre Drinker website.

May 9, 2018
Written by: Laura Phillips
Category: Cybersecurity, FTC, Privacy
Tags: ADUPS, BLU Products, China, consent order, consumers, data, FTC, personal data, personal information, privacy
