In House - The FindLaw Corporate Counsel Blog

After Data Mishaps, Uber Agrees to 20 Years of FTC Privacy Audits

The FTC and Uber agreed to a settlement as a result of an investigation into the ride-hailing company's mishandling of customer data, as well as privacy and security issues in 2014 and 2015. Part of that settlement includes 20 years' worth of monitoring and privacy audits to ensure the company does not repeat the complained-of behavior.

For Uber, entering into a settlement that requires extensive and long-term monitoring could actually be beneficial at this point. Given the number of scandals that have plagued it recently, embracing the monitoring requirement could help it regain some of the lost public goodwill and trust the company once held.

Details of Investigation

The recently settled investigation dated back to 2014 and involved the fabled Uber "God mode," which would allow any Uber employee (but not drivers) to see customers' live and historical GPS data. After this was discovered, Uber instituted new policies to prevent the misuse of this technology, but failed to actually provide any staff for monitoring and enforcing the policies. The investigation also looked into a serious data breach that went unreported for several months and exposed many drivers' and customers' personal data to theft.

Additionally, the investigation discovered that many employees would share a single data access key, which meant that the company could not track who was accessing certain data. To make matters worse, the company failed to restrict permissions, which meant that many employees with no need to access sensitive data could do so without oversight or restriction.

Details of the Settlement

Although Uber had policies prohibiting employees from misusing data, when it comes to large companies handling sensitive user information, it is incumbent on the company to do more than just create policies. The settlement requires Uber to actually enforce the policies it has created, as well as create better policies to make monitoring privacy and consumer security easier.

In addition to creating and enforcing these policies, Uber has agreed to submit to external audits every other year, as well as create internal compliance reports pursuant to the FTC settlement.
