Uber Technologies agreed to be subjected to data privacy audits for the next 20 years, as required by the Federal Trade Commission after the company failed to protect the personal information of its customers and drivers in the past.
Uber Data Privacy Violations
In an FTC press release, the commission announced that Uber has agreed to implement a comprehensive privacy program and subject itself to regular independent audits.
The actions will serve as a settlement of the FTC's charges against the ride-hailing company for deceiving customers by failing to monitor Uber employees' access to the personal information of riders and for failing to secure sensitive customer information that is stored in the cloud.
The FTC vs Uber dispute started in late 2014, when media reports revealed the existence of a program named God View. The software allowed Uber employees to monitor the real-time locations of riders as they traveled in vehicles requested through the app.
Uber claimed in 2015 that it implemented a strict policy that prohibited its employees from accessing sensitive data of its drivers and customers. However, FTC staff attorney Ben Rossen said that the policy was only in effect for eight months.
The FTC also launched an investigation into a massive data breach that Uber suffered in May 2014. The compromised data included more than 100,000 names and license numbers of drivers working for the company. According to the FTC, Uber did not implement accessible measures to prevent such a data breach from happening.
Uber To Settle FTC Charges
In its agreement with the FTC to settle the charges related to the aforementioned disputes, Uber is prohibited from misrepresenting how it monitors internal access to the personal information of customers and how it protects and secures that data.
The comprehensive privacy program that the company will implement, meanwhile, will look to address the privacy issues related to new and current Uber products and services, as well as to protect the privacy and confidentiality of the sensitive data that it collects.
Lastly, Uber will be required to obtain an independent, third-party audit within 180 days from the agreement, and every two years afterward for the next 20 years, certifying that its privacy program meets or exceeds the FTC's orders.
The Uber settlement does not require a cash payment, as is typical for companies being charged with their first FTC complaint. However, if Uber is found to violate the settlement agreement, it could face fines of up to about $40,000 per violation.