DLC (Device Lock Controller) Policy

MBA Device Lock Policy

  • Prominent disclosure and consent requirement
    MBAs distributed with the device whose primary purpose is to manage the device locking function for a device may be excluded from the ransomware category provided they successfully meet requirements for secure lock and management, and adequate user disclosure and consent requirements as detailed below. In addition, adequate user disclosure and consent are required each time the account owner changes until the device is paid in full.
  • The disclosure:
    • MUST be presented without the need for the user to navigate into a menu or settings.
    • MUST NOT be placed in a lengthy, off-device privacy policy or Terms of Service (ToS).
    • MUST include a request for user consent.
    • MUST include a request for user consent regarding location tracking, explaining that location data is used to provide anti-theft features and similar security benefits. Users may choose to not permit location tracking, but this may limit the effectiveness of certain anti-theft functions.
  • Explicit user consent
    • MUST accompany and immediately follow the disclosure.
    • MUST present the consent dialog clearly and unambiguously.
    • MUST require an affirmative user action (for example, tap to accept, select a checkbox) to accept.
    • MUST NOT interpret navigation away from the disclosure (including tapping away or pressing the Back or Home button) as consent.
    • MUST be presented until there is an affirmative action and MUST NOT use auto-dismissing or expiring messages.
  • User notifications before device lock applicable to financed devices and subsidy devices
    The device users must be given a warning period in which to take action before the device is locked. See the table below for the minimum warning periods.
    Payment plan    Minimum warning period before device is locked
    Monthly         7 days