July 19, 2019

FTC Finalizes Settlement with Uber

Uber and the Federal Trade Commission (FTC) have at long last finalized a settlement related to two major data breaches the company suffered in 2014 and 2016. The initial breach in 2014 revealed problems with the way the ride-sharing service used and stored rider and driver data, and resulted in an FTC complaint over Uber's alleged failure to protect the personal information of both riders and drivers. To make matters worse, the company was under investigation by the FTC in relation to this hack when a second, larger data breach occurred in October-November 2016 that Uber neglected to disclose for over a year. As a result of Uber's failures, the FTC revised and expanded an initial settlement agreement whose terms have been folded into the finalized agreement. We previously reported on the settlement agreement.

The final agreement requires that Uber implement a comprehensive privacy program, conduct third-party privacy audits for 20 years, provide the FTC with the auditors' reports, and retain records of bug bounty reports related to unauthorized access to consumer data. It also prohibits Uber from misrepresenting its privacy measures.

The FTC voted 4-0-1 to approve the settlement (Commissioner Christine Wilson did not participate). Although third-party audit requirements are now a common remedy for privacy and security violations, Commissioners Rohit Chopra and Rebecca Slaughter, the two Democrats on the Commission, issued individual statements in which they advocated for requiring the release of Uber's mandated third-party audit results. Their reasoning is that Uber is a repeat violator and public interest in the case is significant.

Slaughter's comments suggest that the FTC needs greater rulemaking and enforcement authority. Echoing recent testimony given by FTC Chair Joseph Simons, a Republican, before the Senate Subcommittee on Digital Commerce and Consumer Protection last July, Slaughter called for legislation that would give the Commission the ability to seek civil penalties, jurisdiction over non-profits and common carriers, and authority to issue implementing rules under the Administrative Procedure Act. The continued expression of bipartisan support for broader privacy and security authority will likely mean action on the legislative and regulatory front in 2019.

© 2019 Keller and Heckman LLP


About this Author

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association