The FTC’s Uber Consent Order: A Warning to Fast-Growing Companies
By Cynthia Larose and Brian Lam
Recently, Uber agreed to a proposed Federal Trade Commission (FTC) consent order (“Consent Order”) to settle charges in an FTC complaint (“Complaint”) regarding behavior stemming back to at least 2014. Acting Chairman Maureen K. Ohlhausen has stressed the implications this has for other companies:
“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” and further explained that “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Implications of the Complaint: The Complaint provides invaluable insight into the activities that the FTC considers unfair or deceptive acts that violate Section 5(a) of the FTC Act. At a high level, the FTC has alleged that:
Uber Collected a Lot of Personal Data: Uber collects data from both transportation providers (“Drivers”) and consumers of these services (“Riders”). From Drivers, Uber collects personal information including consumer names, email addresses, phone numbers, postal addresses, profile pictures, Social Security numbers, driver’s license information, bank account information (including domestic routing and bank account numbers), vehicle registration information, and insurance information. From Riders, Uber collects personal information including names, email addresses, postal addresses, profile pictures, and detailed trip records including precise geolocation information. Furthermore, Uber also collects geolocation data describing the route of the trip from a Driver’s mobile device and associates it with a specific rider. While the collection itself was not a violation, Uber’s collection and use (or misuse) of this data formed the basis for much of the allegations that followed.
Uber May Have Misused Personal Data: Articles published in November of 2014 alleged that Uber used what Uber termed a “God View” to display the personal information of Riders, including potentially that of journalists who had criticized Uber.
Uber Broke Its Own Privacy Promises: The FTC alleges that Uber failed to follow through on promises it made to consumers, including those made through a November 2014 statement on its website promising that there was a “strict policy prohibiting all employees at every level from accessing a rider or driver’s data” except for a “limited set of legitimate business purposes” and that “access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis.” The FTC has alleged that Uber did not cause data security specialists to closely monitor and audit internal access to consumers’ personal information, thus failing to follow its own promises.
Uber Failed to Provide Reasonable Security for Rider and Driver Personal Information: Uber used an Amazon resource, called an Amazon S3 Datastore, to store personal information for Riders and Drivers. Via statements on its website, its privacy policy, and through customer service representatives, Uber promised that it would provide reasonable security for Rider and Driver personal information. The FTC alleges that Uber failed to provide reasonable security by allowing engineers to use a single access key instead of access keys by individual, failing to restrict access based on job function, not having a written information security program, and storing personal information without encryption, among other issues.
Uber Consent Order Obligations: The Consent Order, which will remain in effect for a 20-year period once approved, defines Personal Information broadly to mean individually identifiable information collected or received, directly or indirectly, by Uber from or about an individual consumer, and includes persistent identifiers associated with a particular consumer or device as well as precise geolocation data of an individual or mobile device, including GPS-based, WiFi-based, or cell-based location information. Uber will be obligated to undertake a detailed compliance program as outlined below:
Prohibition Against Misrepresentation: Uber is prohibited from misrepresenting the extent to which it monitors or audits internal access to consumer Personal Information, as well as its protection of the privacy, confidentiality, security, or integrity of any Personal Information.
Mandated Privacy Program: Uber must establish and maintain a privacy program for new and existing services for consumers, including protecting Personal Information, identifying foreseeable risks, and implementing appropriate controls.
Privacy Assessments by Third Party: Uber must undertake third party assessments with each individual selected to conduct such an assessment to be approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, at his or her sole discretion, with the assessment to cover the first 180 days, as well as each 2 years after for 20 years.
Recordkeeping: Uber is required to maintain records pertinent to the order, including disseminated representations such as privacy policies, materials necessary for privacy assessments, and relevant consumer complaints.
Consent Order - Lessons Learned: Companies that interact with consumers, and collect, use, store, or transfer information, should pay close attention to the Complaint and resulting Consent Order. While every business model may present different challenges, the Complaint and Consent Order demonstrate that there are certain activities the FTC will not tolerate. Below are areas of common interest that most every company will wish to consider:
The FTC Views Personal Information Expansively: Within the Consent Order, the FTC defined Personal Information to mean individually identifiable information collected or received, directly or indirectly, by Uber from or about an individual, including persistent identifiers associated with a particular consumer or device as well as precise geolocation data of an individual or mobile device, including GPS-based, WiFi-based, or cell-based location information. This confirms that companies should consider how they are using and protecting collected mobile device identifiers and location-based information.
The FTC Expects Companies to Understand and Follow Company Policies and Statements: FTC allegations that Uber failed to follow statements on its own website and privacy policy, as well as statements made by its own company representatives, formed a key aspect of the Complaint. Companies understandably want to be able to reassure consumers regarding Company privacy and data security measures. However, companies have to make sure to actually meet any promises made. The FTC will not tolerate companies that fail to meet their own policies and statements: As we continue to advise, say what you mean and mean what you say.
Companies Will Not Be Excused From Responsibility for Appropriate Privacy and Security Protections by Using Third Party Vendors: Uber used an Amazon offering, specifically the Amazon S3 Datastore, to store Personal Information from Riders and Drivers. Through the Complaint, the FTC alleged that Uber failed to provide reasonable security to prevent unauthorized access to Driver and Rider Personal Information stored in the Amazon S3 Datastore. At times, certain companies seem to think that using a third party provider may relieve them of their responsibility to provide appropriate security. Per the Complaint, the FTC considers companies responsible for their own privacy and security protections, regardless of the use of third parties.
If you have any questions regarding these issues, please do not hesitate to contact the Privacy team at Mintz.