Uber agrees to outside audits of its privacy program for the next 20 years to settle FTC charges it 'deceived customers'
The FTC's complaint alleged that the ride hailing service "rarely monitored internal access to personal information about users and drivers," despite claims to the contrary. This genesis of this complaint dates back to 2014, when an Uber manager was revealed to have used the "god view" tool to track a reporter's location.
In addition, the FTC alleged that Uber was at fault for the May 2014 data breach that saw an intruder gain access to to more than 100,000 names and driver's license numbers stored on a third-party cloud provider operated by Amazon. The FTC's complaint said the San Francisco-based company "did not take reasonable, low-cost measures that could have helped the company prevent the breach."
In a statement, FTC acting chairman Maureen K. Olhausen said that Uber had failed its customers in two ways.
"First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," she said. "This case shows that, even if you're a fast growing company, you can't leave consumers behind: you must honor your privacy and security promises."
Under the agreement, Uber will be "prohibited from misrepresenting how it monitors internal access to consumers' personal information" and "prohibited from misrepresenting how it protects and secures that data." In addition, the company will have to implement a new, comprehensive privacy program that directly addresses the risks related to new and existing products.
If Uber violates the agreement it will be hit with steep financial penalties.
Read the FTC's full press release here.