Mobile phone manufacturer Blue Products, Inc. and its co-owner and President, Samuel Ohev-Zion (collectively, “BLU”), reached a settlement with the Federal Trade Commission (“FTC”) over allegations that BLU misled consumers by allowing a China-based third party to collect detailed personal information about consumers. The FTC alleged that the Chinese entity collected U.S. consumers text message content, real-time location information, call logs, and contact lists, without consumers’ knowledge or consent, despite promises by BLU that it would keep such information private and secure.

The FTC alleged that BLU (i) mislead consumers by falsely claiming it limited third-party collection of data from users of BLU’s devices to only information needed, and (ii) failed to implement appropriate physical, electronic and managerial procedures to protect consumer’s personal information, including failing to perform due diligence of service providers, failing to have written data security procedures regarding service providers, and failing to adequately asses the privacy and security risks of third-party software on BLU devices.

Under the terms of the settlement order, BLU is not only prohibited from misrepresenting the extent to which it protects the privacy and security of personal information, but is also required to implement and maintain a comprehensive data security program that addresses security risks associated with its mobile devices and protects consumer information. In addition, BLU will be subject to third-party assessments of such data security policy along with record keeping and compliance requirements for twenty (20) years.

Takeaway: The FTC appears to be ramping up its enforcement against companies who share data with third party vendors. All companies that engage third party data analytics vendors should review the agreements and practices of those vendors to ensure compliance with a company’s privacy policies and practices.