On April 30, 2018, the Federal Trade Commission (“FTC”) reached a settlement with BLU Products Inc., a Florida-based cellphone reseller, after BLU admitted it allowed a third party, China-based ADUPS Technology Co. Ltd., to collect data from BLU customers’ phones. The settlement follows an administrative complaint by the FTC alleging that BLU and its CEO, Samuel Ohev-Zion, misled consumers with false representations about its protections for consumer data.
According to the FTC, BLU falsely claimed it “limited third-party collection of data from users of BLU’s devices to only information needed to perform requested services.” Instead, BLU had allowed ADUPS to collect text messages, real-time location data, call and message logs, contact lists, and data about the applications installed and used on customers’ devices. ADUPS was permitted to “collect detailed personal information about consumers, such as text message contents and real-time location information, without their knowledge or consent despite promises by the company that it would keep such information secure and private,” the FTC release said.
The complaint alleged that BLU did not apply due diligence in selecting ADUPS before contracting with it to provide firmware updates and had no formal written data security policy to provide oversight of the ADUPS relationship. BLU violated the Federal Trade Commission Act by misrepresenting its data security practices and failing to protect consumer data, the complaint stated.
Under the terms of the proposed settlement, BLU will have to inform consumers of steps actually taken to safeguard data and will have to implement a robust security program on new and existing devices. BLU is also subject to third-party assessments of its security measures every two years for the next two decades.