A recent class action lawsuit is alleging that cell phone manufacturer Blu Products, Inc. (“Blu”) and firmware providers Shanghai Adups Technology Co., Ltd. and Adups USA LLC (“Adups”) violated several federal privacy laws by selling cell phones containing firmware that collected user’s sensitive personal information and transmitted that information to servers in China. This complaint followed from a November 15, 2016 New York Times story, which reported that mobile security firm Kryptowire discovered several models of mobile devices that  were using Adups firmware to collect sensitive personal data about users and transmit that data to third-parties without user consent.

Kryptowire’s announcement of the discovery noted that the Adups firmware transmitted information such as “the full-body of text messages, contact lists, call history with full telephone numbers, [and] unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).” In the New York Times report, Blu acknowledged that 120,000 phones were affected by this firmware and said that the impacted phones’ software was updated to eliminate the data collection feature. Blu Chief Executive Officer Samuel Ohev-Zion told the Times that the firmware issue “was obviously something that we were not aware of. We moved very quickly to correct it.”

The lawsuit is being brought by an Alabama man who purchased a Blu R1 cell phone on September 30, 2016, and is on behalf of purchasers or owners of certain Blu cell phones containing Adups firmware versions 5.0x to 5.3x. The suit claims that Blu and Adups purposely concealed the existence of the firmware from users and illegally collected and transmitted personal user data without consent. The plaintiff is seeking damages and injunctive relief for alleged violations of the Wiretap Act, the Electronic Communications Privacy Act, the Magnuson-Moss Warranty Act, as well as common law invasion of privacy and trespass to chattels.

Takeaway: Mobile device manufacturers and software providers should remain vigilant of the firmware in their devices and provide proper notice to consumers before collecting customer data.