The Federal Trade Commission (FTC) announced that it settled with a mobile phone manufacturer for alleged privacy and data security violations which occurred when the manufacturer allegedly allowed a foreign third-party service provider to collect consumer data without consumers’ knowledge or consent. No monetary penalty was imposed. However, the consent order requires the manufacturer to institute a more stringent data security program and submit to compliance monitoring and periodic assessments of its privacy and security initiatives.
The FTC alleged that the manufacturer and its co-owner misled customers when it promised to keep consumer information secure and private, claimed to have limited third-party collection of data to the information needed to perform requested services, and represented that it had implemented appropriate procedures to protect consumers’ personal information. The FTC maintains that, in actuality, the manufacturer and its co-owner gave a third-party software company access to more customer data than was necessary to perform security and operating system updates when it provided the company with access to sensitive consumer information, including the content of consumers’ text messages, real-time location data, call and text message logs with full telephone numbers, contact lists, and lists of applications used and installed on consumers’ devices. Further, the FTC took issue with the manufacturer’s failure to implement adequate security procedures with regard to its third-party servicers’ actions: it allegedly failed to perform due diligence as to its servicers’ activities, institute written data security procedures, and adequately assess privacy and security risks posed by third-party software.
Under the settlement, the manufacturer and its co-owner are prohibited from misrepresenting the extent of their privacy and security protocols, and they must institute a comprehensive security program that protects consumer data and addresses security risks associated with various mobile devices. The manufacturer must also submit to periodic third-party assessments of its security program, every two years for the next 20 years. If the manufacturer violates any of these mandates, it will be required to pay a per-violation civil penalty of up to $41,484.
The consent order is accessible here.