On April 30, 2018, BLU Products, Inc. (“BLU”) reached a settlement with the Federal Trade Commission (“FTC”) over allegations that BLU allowed ADUPS Technology Co. LTD (“ADUPS”) to collect detailed personal information about BLU’s consumers without their knowledge or consent, despite BLU’s assurances that it would keep the information secure and private, and that BLU generally failed to implement appropriate security procedures to oversee the security practice of its service providers, in violation of the Federal Trade Commission Act.
- Complaint. The FTC’s complaint against BLU alleges that the company:
  - misled consumers by falsely claiming it limited third-party collection of data from users of BLU’s devices to information needed to perform requested services;
  - falsely represented that it had implemented “appropriate physical, electronic, and managerial security procedures to protect the personal information provided by consumers” by:
    - failing to perform adequate due diligence in the selection and retention of service providers (for example, by failing to assess or evaluate the privacy or security practices of ADUPS prior to entering into an agreement with that company);
    - failing to adopt and implement written data security standards, policies, procedures or practices that apply to the oversight of its service providers, including ADUPS;
    - failing to contractually require its service providers to adopt and implement data security standards, policies, procedures or practices; and
    - failing to adequately assess the privacy and security risks of third-party software, such as ADUPS.
- Settlement. Under the proposed settlement agreement, BLU must implement a comprehensive data security program designed to prevent unauthorized access to consumers’ personal information and to address security risks related to BLU devices. The settlement agreement also prohibits BLU from misrepresenting the extent to which it protects the privacy and security of personal information. Pursuant to the proposed settlement agreement, BLU will be subject to record keeping and compliance monitoring requirements, and its security program will undergo third-party assessments every two years for 20 years. BLU will also be required to obtain express affirmative consent from consumers before collecting or disclosing their geolocation information or the content of their communications. The proposed settlement agreement will be subject to public comment for 30 days, ending May 30, 2018, after which the FTC will decide whether to make the proposed consent order final.
- Observations on Vendor Implications. Per the FTC blog post “Lesson of BLU: Make the right privacy, security calls when working with service providers,” there are certain key lessons companies can learn from this settlement:
  - “Spell out your privacy and security expectations to service providers.” The FTC warns that before hiring a third party to process sensitive data, companies should perform adequate due diligence on such third parties to understand how their services work, what they are being given access to, and what should be done to conform their conduct to the promises made to customers. The FTC also recommends that corresponding terms be built into third-party agreements accordingly.
  - “Monitor contractors’ compliance.” The FTC recommends designing procedures to monitor what service providers are doing on companies’ behalf.
  - “Review your privacy promises from the perspective of a potential service provider.” The FTC suggests companies reassess their privacy policies when considering bringing on a new service provider that will have access to sensitive information.
  - “The discovery of a data mistake should motivate a company to look forward – and back.” Upon a privacy or security breach or lapse, the FTC says it is important that companies reassess the policies and practices currently in place to protect against repeat breaches in the future. The FTC also advises thinking about what needs to be done to protect existing customers in such a situation.
The authors gratefully acknowledge the assistance of law clerk Mikaela Dealissia in preparing this entry.