Uber Settles with FTC Over Allegations of False Privacy and Security Claims

Uber has had a rough ride when it comes to data privacy and security. In 2014, a security breach resulted in over 100,000 driver names and license numbers being exposed. Then, in 2015, Uber was fined $20,000 after an investigation by the New York Attorney General into charges that company executives used an internal aerial tracking tool, referred to as the "God View," that displayed the personal information of Uber passengers. This contradicted Uber's assertion that "all employees at every level" were prohibited from viewing the personal information of drivers and passengers (except where necessary for legitimate business purposes). Now, the car service has settled with the Federal Trade Commission (FTC) over allegations relating to Uber's privacy and data security practices, agreeing to implement a detailed written program and to test it through third-party audits for 20 years.

In its complaint, the FTC alleged that:

  • Since November 2014, Uber did not continuously monitor and audit its employees' access to the personal information in both Rider and Driver accounts. The FTC's order broadly defines personal information as "individually identifiable information collected or received, directly or indirectly" by the company about consumers, including name, address, email, telephone number, Social Security number, driver's license, bank account number, personal identifiers used on devices, and "precise geo-location data of an individual or mobile device, including GPS-based, WiFi-based, or cell-based location information."

  • Uber failed to follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately six months monitored access only to account information belonging to select internal high-profile users, such as Uber executives.

  • Customer service personnel hyped the strength of Uber's security practices when talking to consumers, including claiming that personal information "will be stored safely and used only for purposes you've authorized." However, the company failed to take reasonable steps to prevent access to driver and passenger personal information by Uber employees, and allowed multiple employees to use a single key that provided broad administrative access to files of sensitive personal information.

Pursuant to the terms of the settlement, Uber must refrain from making any misrepresentation about the quality and level of its privacy and data security practices. In addition, the company must implement and maintain a comprehensive privacy program that protects the personal information of drivers and passengers and addresses "privacy risks related to the development and management of new and existing products and services for consumers." Uber will be required to undergo third-party audits of its privacy program initially and biennially, conducted by individuals with at least three years of experience who are approved by FTC staff. Uber must also keep detailed accounting, personnel, and consumer complaint records for the next 20 years, all underlying records relied upon to prepare the independent assessments for three years, and all records demonstrating non-compliance with the order for five years.

Acting FTC Chairman Maureen Ohlhausen said, "Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data. Even if you're a fast-growing company, you can't leave consumers behind: you must honor your privacy and security promises."

The Uber order adds to a growing body of consent agreements involving alleged privacy and security lapses. The proposed consent order will be subject to public comment for 30 days (until September 15, 2017), and comments may be submitted electronically here. 

© 2020 Keller and Heckman LLP


About this Author


Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and...


Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues. She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters. She helps clients develop website and app privacy policies, data security and access procedures, manage trans-border data flows, respond to data breaches and create training programs. She assists clients on digital media issues, helping them develop social media, blogging and user-generated content policies, and to understand advertising technology and online behavioral advertising issues. Ms. Millar also works with clients to navigate the array of federal and state requirements governing contests and sweepstakes, and advises on gift cards, coupons and rebates. She represents clients on advertising and privacy matters before the Federal Trade Commission (FTC), the Children's Advertising Review Unit (CARU), the National Advertising Division (NAD), as well as in connection with investigations by state regulatory bodies and Attorneys General.