Over the last couple of years, Uber has become virtually synonymous with legal troubles. They've faced case after case on everything from employment law to trade secret issues to sexual harassment lawsuits to simple failure to comply with DMV registration requirements. However, their most recent legal hot water has dealt with privacy law, the Federal Trade Commission (FTC), and false representations. Just a few weeks ago, these issues culminated in an FTC settlement in which Uber agreed to, among other things, 20 years of FTC oversight.
As part of the settlement, Uber has agreed to overhaul their privacy policies and the implementation of those policies. One of the first of these changes has involved the removal of a much criticized rider tracking feature. For a while, the app included a much criticized default feature that tracked user location for five to ten minutes after they got out of the car. You can already see how this might be abused. However, the feature was made even more of an issue by the fact that users had to jump through in-app hoops each time they looked for a ride if they did not want to be tracked. The feature was apparently meant as a security measure for riders. However, the combination of Uber never really explaining the purpose of the feature to users and (as you'll see as we discuss the settlement) Uber's less than stellar track record when it comes to securing user data made pulling the rider tracking a near necessity.
This is likely the first step of many Uber will take in response to the FTC oversight it will face for the next couple of decades. Let's take a look at the problems that got them into this situation in the first place: the charges brought against them by the FTC, exactly what the settlement does, and how you can avoid Uber's mistakes.
The FTC Charges
The FTC is an agency, created by the Federal Trade Commission Act, with the goal of eliminating unfair competition and promoting consumer protection. They do this in a number of ways, but primarily by bringing charges against companies that either deceive consumers or treat them unfairly. This includes things like false advertising, false business claims, breach of contract, scams, product defects, and more.
In Uber's case, the charges brought by the FTC dealt with privacy issues. However, privacy at a federal level is a tricky concept. There is no real guaranteed right to privacy beyond the expectation of privacy, which limits how the government may search and seize you and your property. When it comes to private companies, privacy protections exist, but mainly as a web of federal statutes which apply piecemeal to specific situations such as credit reporting, finances, health information, etc. This being said, an enormous number of companies in this day and age have privacy policies which dictate their own stance on how they will behave regarding customers' private information. This usually deals with the handling of personally identifiable information (things which can tell people who you are or where you are) rather than more general metadata. However, when a company represents that it will treat private information in a certain way and then doesn't follow its own privacy policies, this creates a false representation situation. This was the gist of the FTC's charges.
First, the FTC charged Uber with misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers. Second, they said that Uber misrepresented the steps it took to protect that information, no surprise given that Uber had an enormous 100,000 user data breach back in 2014.
Uber has said, both through its privacy policy and statements to the press, that it has a strict policy prohibiting its employees from accessing rider or driver data. This general rule is subject to an exception for legitimate business purposes. However, despite having the policy in place, Uber didn't take all the steps you would expect to follow through on this promise. They didn't even have a system in place at all to see whether employees viewed personal data until after the privacy policy was published. Even after the system was in place, it was nowhere near large enough or well-staffed enough to keep track of all the employees in such an enormous company. Then, in 2015, it stopped using the system altogether for months on end. This obviously wasn't in line with what their policy represented; even when they did have a system in place, the FTC treated their policy promises as false because their infrastructure was nowhere near enough to reasonably follow through on their policy position.
Uber's privacy policy also included statements about the security measures they provided to their users: encryption, firewalls, and the like. They promised that information would be stored safely and used only for authorized purposes. They promised the most up to date, industry standard data security measures. They further promised that all personal information was kept secure to the "highest security standards available." However, in the wake of the Uber data breach, their security measures came across as a little lacking compared to their promises. They didn't use all the security tools available, allowed engineers easy access to data with a single access code, and didn't store any information in an encrypted format until March 2015. Then there was the way the breach itself actually occurred: an Uber engineer posted the single code required for total access to all the information on GitHub. The FTC felt that, while Uber did take some steps to protect information, they didn't take reasonably priced security steps that could have prevented the breach, or that would simply have allowed them to live up to their promises. Thus, the FTC brought this as another charge of false representation.
Avoiding Uber’s Mistakes
To make these charges go away, Uber agreed to a settlement with the FTC under which they are forbidden from misrepresenting their privacy positions and security measures, must implement a comprehensive privacy program addressing the security risks they created, and must submit to 20 years of FTC audits. If this sounds like a serious blow for a business to take, you're quite correct. This is just one of the many shakeups Uber is facing, having just recently replaced its original CEO Travis Kalanick with Dara Khosrowshahi. However, they have publicly stated a new commitment to improving their privacy policies. What's more, their mistakes can be instructive for protecting your own business.
First and foremost, if you have a privacy policy, follow it. This doesn't mean just following the letter of your promises. You will be expected to take reasonable steps to implement programs that ensure the protection of private information. This will usually be enough to comply with the basic level of privacy requirements placed on a private business. However, in this age of technology and the internet, it's often worth consulting with a privacy professional. What's more, if you are in a privacy sensitive field such as banking, credit reporting, health care, or several other fields, there may be more laws that apply to your business. Uber has been committing an enormous number of resources to ensuring that it doesn't run afoul of privacy law or the FTC again. Ultimately, this sort of situation is one where an ounce of prevention can be worth more than a pound of cure: protect your company by ensuring you have well-drafted policies that you carefully follow.