Blu has reached a settlement with the Federal Trade Commission over allegations that it afforded Adups, a Chinese device management firm, inordinate access to personally identifiable user information. The FTC's complaint said that Blu misled its customers when the company claimed it had taken appropriate measures to protect user privacy.

Adups was contracted to provide software updates on Blu devices. In November 2016, though, it was found that Adups was collecting private information, like text messages, location data, and full contacts lists. Following initial reports, Blu promised to fix the problem, and issued a statement saying Adups had stopped the unwarranted data collection. The FTC alleges that, even after its statement, Blu let Adups continue to operate on older phones "without adequate oversight."

Per the settlement, Blu will have to implement a new security program to address security risks in its products, with an emphasis on protecting user information, and will be subject to outside assessments of its security practices every other year for the next 20 years. The company is also explicitly prohibited from misrepresenting how it protects user privacy—which seems like it should have always been the case.

You can peruse the FTC's full decision here.