Date: Aug 16, 2017
In its complaint, the FTC alleged that:
Pursuant to the terms of the settlement, Uber must refrain from making any misrepresentation about the quality and level of its privacy and data security practices. In addition, the company must implement and maintain a comprehensive privacy program that protects the personal information of drivers and passengers and addresses "privacy risks related to the development and management of new and existing products and services for consumers." Uber will be required to undergo third-party audits of its privacy program initially and biennially, using individuals with at least three years of experience who are approved by FTC staff. Uber must also keep detailed accounting, personnel, and consumer complaint records for the next 20 years, plus all underlying records relied upon to prepare the independent assessments for three years, and all records demonstrating non-compliance with the order for five years.
Acting FTC Chairman Maureen Ohlhausen said, "Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data. Even if you're a fast-growing company, you can't leave consumers behind: you must honor your privacy and security promises."
The Uber order adds to a growing body of consent agreements involving alleged privacy and security lapses. The proposed consent order will be subject to public comment for 30 days (until September 15, 2017), and comments may be submitted electronically.