US smartphone player Blu Products settled with the Federal Trade Commission (FTC), following allegations it allowed a Chinese partner to collect user data without consent.
The company must now implement “a comprehensive data security programme to help prevent unauthorised access of consumers’ personal information” and address security risks related to Blu devices. It will be subject to third-party assessments of its security programme every two years for 20 years, along with “record keeping and compliance monitoring requirements”.
Florida-based Blu had a deal with Chinese company Adups Technology, related to the provision of over-the-air updates to Blu devices. However, the FTC said Adups collected and transferred “far more information than needed to do its job”, including the full content of text messages, real-time location data, call and text logs, contact lists and lists of applications installed and used on smartphones.
The watchdog said Blu and co-owner and president Samuel Ohev-Zion misled consumers by falsely claiming data was only collected as needed to perform the requested services. It also “falsely represented they had implemented ‘appropriate’ physical, electronic and managerial procedures to protect consumers’ personal information”.
The security issues, identified by security company Kryptowire as far back as 2016, led to Amazon pulling Blu devices from its store: Blu had been an Amazon Prime Phones partner.
Blu said Adups had updated its software and stopped its unexpected data collection practices, but the FTC said the smartphone company continued to allow Adups to operate on older devices “without adequate oversight”.