Uber Settles FTC Allegations Over Deceptive Privacy and Data Security Claims

uber_nowords

Written By ESR News Blog Editor Thomas Ahearn

The Federal Trade Commission (FTC) has announced that Uber Technologies, Inc. agreed to settle FTC charges over deceptive privacy and data security claims that the ride-sharing company “deceived consumers by failing to monitor employee access to consumer personal information and by failing to reasonably secure sensitive consumer data stored in the cloud.”

The FTC complaint against Uber claimed the San Francisco-based firm – despite claims that data was “securely stored within our databases” – failed to closely monitor employee access to consumer and driver data and deploy reasonable measures to secure personal information stored on a third-party cloud provider’s servers. Under the agreement with the FTC, Uber is:

  • Prohibited from misrepresenting how it monitors internal access to consumers’ personal information;
  • Prohibited from misrepresenting how it protects and secures that data;
  • Required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and
  • Required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.

After news reports claimed Uber employees were improperly accessing consumer data, the company issued a privacy statement in November 2014 that it had a “strict policy prohibiting” employees from accessing rider and driver data – except for a limited set of legitimate business purposes – and that employee access would be closely monitored on an ongoing basis.

Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” FTC Acting Chairman Maureen K. Ohlhausen stated in a press release about the settlement.

The FTC’s agreement with Uber will be subject to public comment until September 15, 2017, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section.

Privacy and Security of Consumer Data Important to ESR

Employment Screening Resources® (ESR) – a global background check firm – undergoes annual Service Organization Control (SOC) 2® Reports to ensure ESR meets standards set by the American Institute of Certified Public Accountants (AICPA) to ensure the privacy, security, and confidentiality of consumer information. To learn more, visit www.esrcheck.com/SOC-2/.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2017 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.