Uber has agreed to implement a “comprehensive privacy program” as part of a settlement with the US Federal Trade Commission over a complaint regarding data-handling problems at the embattled ride-hailing company. The program must “address privacy risks related to new and existing products and services for consumers,” as well as “protect the privacy and confidentiality of personal information,” the FTC’s order reads.
The FTC alleged that the San Francisco-based firm failed to closely monitor employees who had access to consumer and driver data, and that it deployed “reasonable measures” to secure personal information it stored on a third-party cloud provider’s servers.
“if you’re a fast growing company, you can’t leave consumers behind.”
“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC acting chairman Maureen K. Ohlhausen in a statement. “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Under the settlement, Uber is also prohibited from “misrepresenting how it monitors internal access to consumer’s personal information.” This would appear to be a reference to the misuse of the so-called “god view” tool that allowed some employees to spy on the whereabouts of people using the Uber app.
Uber will also be subject to third-party audits of its privacy and data security measures within 180 days “and every two years after that for the next 20 years.”
News of an investigation by the FTC into Uber’s privacy practices first came to light in mid-June, days before Travis Kalanick resigned as CEO of the company. Recode reported that the agency’s investigative staff “appears to have focused its attention on some of the data-handling mishaps that have plagued the company in recent years.” This followed an earlier agreement by Uber to pay $20 million to settle a complaint by the FTC that it misled drivers about earnings and vehicle financing.
As part of this recent settlement, Uber “neither admits nor denies” any wrongdoing, but has agreed to implement the changes ordered by the FTC. “We are pleased to bring the FTC’s investigation to a close,” a spokesperson for Uber said. “The complaint involved practices that date as far back as 2014. We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs. In 2015, we hired our first Chief Security Officer and now employ hundreds of trained professionals dedicated to protecting user information. This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information.”
Of course, this is only the latest headache for Uber amid a series of scandals and reports of board chaos and investor in-fighting. And “god view” wasn’t the only time Uber courted controversy with its approach to private information. Last June, a top Uber executive obtained the medical records of a woman who, in 2014, had been raped by an Uber driver in India. The records were shared with Uber CEO Travis Kalanick and senior vice president Emil Michael, and others, both of whom have since been ousted from the company.
Uber is also being sued by a former employee who claims he was fired after blowing the whistle about insecure data practices at the company.