Mobile phone manufacturer BLU Products, Inc. entered into a settlement agreement with the FTC last week to resolve allegations that one of BLU’s China-based vendors collected personal information about its consumers without proper consent.

The settlement agreement, which took the form of a consent order, applies not only to BLU but also to its CEO and any other companies he owns and controls.  It requires that the company clarify its disclosures regarding customer data use and protection. It also requires BLU to implement a new data security program. In the new security program, BLU must address security risks related to the development and management of new and existing covered devices and must better protect the security, confidentiality, and integrity of personal information. These improved protections include developing and using reasonable steps to select and retain service providers capable of appropriately safeguarding consumer personal information. “Personal information” is defined in this context to include persistent identifiers such as cookies.

The action follows reports that ADUPS Technology Co, LTD, a China-based software company that BLU contracted with for its firmware-over-the-air service updates, used its preinstalled software to gain full administrative access and control over BLU’s mobile and Internet of Things connected devices.  ADUPS was alleged to have transmitted sensitive consumer personal data, including full text message content and real-time location information, from their mobile devices to its servers without consumer knowledge or consent.

Interested parties have until May 30th to comments on the proposed consent order before it is finalized by the agency.