Laptop-maker Lenovo (United States), Inc. agreed to a no-fault settlement with the Federal Trade Commission and 32 states over allegations that it installed ad software that compromised customers’ web security and invaded users’ privacy.
As part of the Consent Order, Lenovo agreed that it would:
- Not misrepresent any feature of installed software related to consumer internet browsing-based advertising
- Obtain affirmative user consent before installing such software on computers
- Provide instructions for how the consumer may revoke consent to the covered software’s operation, which can include uninstalling the covered software; and
- Provide a reasonable and effective means for consumers to opt out, disable or remove all of the covered software’s operations, which can include uninstalling the covered software.
The company also must implement and maintain a comprehensive data security software program that is reasonably designed to (1) address software security risks related to the development and management of new and existing application software, and (2) protect the security, confidentiality, and integrity of covered information. Lenovo is required to report to the FTC regarding biennial assessments for the next 20 years.
Lenovo agreed to pay 32 state attorneys general $3.5 million under a separate state agreement. The FTC may seek civil fines if the company fails to abide by the Consent Order.
According to Acting FTC Chairman Maureen K. Ohlhausen, the settlement “sends a very important message” to companies that “everyone in the chain really needs to pay attention” to data security and collection, use, and promises made regarding the data.
A copy of the Lenovo Consent Order can be viewed here.
These recent FTC settlements are an important reminder to all businesses that privacy and security obligations should not be taken lightly.