Free Enterprise - The FindLaw Small Business Law Blog

After Data Mishaps and FTC Charges, Uber Agrees to 20 Years of Privacy Audits

Following revelations that Uber failed to monitor its employees' access to customer data -- including the so-called "God view" tool that let employees watch the ride-hailing app's users in real time -- the company has agreed to implement a comprehensive privacy program in order to settle Federal Trade Commission charges. The program must remain in place for the next 20 years and includes regular, independent privacy audits.

The FTC had been investigating two matters: Uber's response to the "God view" revelations (FTC attorneys say the automated access monitoring Uber put in place afterward was used for only about eight months) and a data breach in May 2014 in which the names and driver's license numbers of more than 100,000 Uber drivers were stolen.

Insecurity

"Uber failed consumers in two key ways," said FTC Acting Chairman Maureen K. Ohlhausen when announcing the settlement. "First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data." According to the FTC:

In the wake of news reports alleging Uber employees were improperly accessing consumer data, the company issued a statement in November 2014 that it had a "strict policy prohibiting" employees from accessing rider and driver data - except for a limited set of legitimate business purposes - and that employee access would be closely monitored on an ongoing basis. In December 2014, Uber developed an automated system for monitoring employee access to consumer personal information, but the company stopped using it less than a year after it was put in place. The FTC's complaint alleges that Uber, for more than nine months afterwards, rarely monitored internal access to personal information about users and drivers.

Uber also allegedly failed to provide reasonable security required to prevent unauthorized access to consumers' personal information, which was stored with a third-party cloud provider, despite its claims that data was "securely stored within our databases."

Uber Harsh

Under the settlement agreement, Uber is prohibited from misrepresenting how it monitors internal access to consumers' personal information and how it protects and secures that data. It is also required to implement a comprehensive privacy program that addresses privacy risks in new and existing products and services and protects the privacy and confidentiality of the personal information the company collects. The company must also submit the new privacy program to independent, third-party audits every two years for the next 20 years.

"This case shows that, even if you're a fast growing company," Ohlhausen added, "you can't leave consumers behind: you must honor your privacy and security promises."
