
Uber Settles FTC Case Over Privacy Violations

"Our order requires a culture of privacy sensitivity for Uber," Acting FTC Chair Maureen Ohlhausen says of the settlement.
Matthew Heller, August 15, 2017

Uber has agreed to submit to regular audits of its privacy safeguards to settle allegations that it failed to monitor employee access to customers’ personal information and to reasonably secure sensitive consumer data stored in the cloud.

The settlement announced Tuesday concludes a U.S. Federal Trade Commission investigation that began after media reports in late 2014 revealed an Uber program called “God View,” which allowed company employees to monitor the real-time locations of customers who had requested a ride through the app.

Uber insisted it had adopted a “strict policy” that prevented employees from inappropriately spying on customers. But according to the FTC, the company enforced that policy for only about eight months.

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” FTC Acting Chairman Maureen K. Ohlhausen said in a news release.

As part of the consent order settling the case, the company is required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying it has a privacy program in place that meets or exceeds the FTC’s requirements.

“Our order requires a culture of privacy sensitivity for Uber,” Ohlhausen said on a call with reporters. “It’s going to make them take privacy into account every day.”

In addition to improper monitoring of customers’ locations, the FTC alleged, Uber’s inadequate data security allowed a hacker to access personal information about Uber drivers in May 2014, including more than 100,000 names and driver’s license numbers.

“Uber did not take reasonable, low-cost measures that could have helped the company prevent the breach,” the commission said, noting that Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud.

The company said the settlement “provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information.”