FTC Comments on Vendor Due Diligence and Compliance after BLU Settlement - Clarip Privacy Blog

FTC Comments on Vendor Due Diligence and Compliance after BLU Settlement

The FTC offered a “key compliance tip” to companies in a recent blog post following the BLU privacy settlement: “Keep a watchful eye on your service providers.”

At the end of April, the FTC announced a settlement with mobile phone manufacturer BLU Products over allegations that the company allowed a third-party service provider in China to collect personal information about consumers without their knowledge or consent. It seems likely that the FTC seized on a case already before it to issue a statement about vendor due diligence and third-party privacy practices, so that it could publish guidance quickly in the wake of the Facebook – Cambridge Analytica news. The facts of the BLU case made it a good vehicle for doing so.

BLU's privacy policy said that the company limited the information it provided to third parties to the data necessary for them to perform their services. However, the FTC found that the Chinese company acting as a service provider received information well beyond what was necessary to do its job, including the full content of users' text messages and real-time location data.

According to the FTC, BLU also failed to perform due diligence on service providers, failed to have written procedures with them, failed to implement appropriate oversight of security, and failed to perform assessments of the privacy risks.

As part of the settlement, BLU must not misrepresent its practices, must implement a comprehensive security program, must submit to third-party assessments every two years for 20 years, and must meet other record-keeping and compliance obligations. The FTC commissioners voted 2-0, before the new commissioners were approved by the U.S. Senate.


What advice did the FTC spell out for companies on vendor due diligence and compliance in its related blog post?

Conduct Due Diligence and Communicate Expectations to Service Providers.
The United States has no GDPR-style requirement that companies put data-sharing agreements in place with their vendors, but the FTC's latest statements make clear that it thinks they are a good idea. The FTC recommends that companies conduct due diligence on providers before hiring them to process sensitive data, and that the contracts spell out what data the provider will receive and how it must be protected, consistent with the controller's privacy policies.

Monitor Third-party Compliance.
The FTC expects companies to ensure that their service providers are living up to their privacy and security commitments. In the words of the FTC, “The ink may be dry, but the job has just begun.”

Revisit Your Privacy Policy Regularly.
The FTC's guidance is now to review the privacy policy whenever a third-party provider that will have access to sensitive data is brought on board.

Correct Data Mistakes for All Customers.
Organizations need to put processes in place that protect all customers when a privacy issue is discovered, not just future customers or those who take action to correct the particular issue. BLU allowed data sharing to continue for customers with older devices even after the data collection and sharing became public and customers had been told that the practice had stopped.

The problem of third-party data sharing for privacy isn’t going away anytime soon. Call Clarip at 1-888-252-5653 for help starting the process of evaluating your business risks. Specifically, ask for a demo of our data risk intelligence website scanner!

Discover the Benefits of Privacy Management Software with Clarip

The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.

If California Consumer Privacy Act compliance in 2020 is on your radar, ask us about our CCPA software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.
