A recent FTC settlement highlights the need for companies to oversee their service providers, with respect to both collection of personal information and data security practices.
According to the FTC’s complaint released with the settlement:
- From at least 2015 to November 2016, BLU mobile devices came pre-installed with software from ADUPS Technology Co., LTD (“ADUPS”), a service provider BLU had contracted with to issue security and operating system updates to BLU’s devices.
The complaint charges that these practices constituted false or misleading representations by BLU regarding both disclosure of personal information and data security practices, in violation of the FTC Act.
Under the proposed settlement, BLU must:
- Abstain from misrepresenting the extent to which it collects, uses, shares or discloses personal data;
- Implement and maintain a comprehensive, written information security program reasonably designed to address security risks associated with its devices and protect consumer personal information;
- Undergo third-party assessments of this information security program every two years for the next 20 years; and
- Provide consumers with clear and conspicuous notice of, and obtain consumers’ affirmative, express consent for, collection of geolocation data or the content of text messages, photos, video communications, or audio conversations.
The proposed settlement order will remain open for public comment through May 30th.
In conjunction with Monday’s settlement, FTC staff released guidance for companies concerned with the privacy and security risks that arise from sharing data with third-party service providers, urging them to “[k]eep a watchful eye on . . . service providers.” Specifically, the guidance encouraged companies to (i) conduct adequate due diligence on service providers, in order to understand how their services work, what data they will be able to access, and what needs to be done to conform their conduct to the companies’ privacy promises; (ii) clearly set out security and privacy expectations in contracts; and (iii) build in procedures to enable ongoing monitoring of compliance with those agreements.