Challenge to Uber’s Customer Privacy Policies Including its “God view”

21 November 2014 Internet, IT & e-Discovery Blog
Author(s): Peter Vogel

Senator Al Franken asked Uber for clarification about an apparent “troubling disregard for customers’ privacy, including the need to protect their sensitive geolocation data.” On November 19, 2014, Senator Franken sent a letter to Uber CEO Travis Kalanick about a tool known as “God view,” which is:

… “widely available to most Uber corporate employees” and allows employees to track the location of Uber customers who have requested car service.

In at least one incident, a corporate employee reportedly admitted to using the tool to track a journalist. The journalist’s permission had not been requested, and the circumstances of the tracking do not suggest any legitimate business purpose. Indeed, it appears that on prior occasions your company has condoned use of customers’ data for questionable purposes

Senator Franken also had serious concerns:

…about the scope, transparency, and enforceability of Uber’s policies. Moreover, it is unclear what steps, if any, you have taken to ensure that your policies are adequately communicated to all employees, contractors, and affiliates, and to ensure that such policies are fully enforced.

The letter included these 10 questions about the Uber Privacy Policies:

1.      Mr. Michael, a senior executive, is reported to have made statements—suggesting that Uber might use private information to target journalists or others who have critiqued the company—that your company has since stated are flatly contrary to company policies. To what do you attribute such a failure at your company’s highest level to heed your own policies?

2.      What Mr. Michael is reported to have said sounds like it was intended to have a chilling effect on journalists covering Uber. Was any disciplinary action taken as a result of Mr. Michael’s statements?

3.      Where in your privacy policy do you address the “limited set of legitimate business purposes” that may justify employees’ access to riders’ and drivers’ data, including sensitive geolocation data?

4.      To whom is the so-called “God view” tool made available and why? What steps are you taking to limit access?

5.      Your privacy policy states that you may share customers’ personal information and usage information with your “parent, subsidiaries and affiliates for internal reasons.” On what basis do you determine what constitutes legitimate “internal reasons”? Why aren’t these standards set out for customers?

6.      Your privacy policy states that you may share “non-personally identifiable information” with third parties for “business purposes.” What does that mean exactly? Why aren’t customers asked to affirmatively consent to this use of their information? At a minimum, may they opt out of this information sharing?

7.      Your policies suggest that customers’ personal information and usage information, including geolocation data, is maintained indefinitely—indeed even after an account is terminated. Why? What limits are you considering imposing? In particular, when an account is terminated, why isn’t this information deleted as soon as pending charges or other transactional disputes are resolved?

8.      What training is provided to employees, as well as contractors and affiliates, to ensure that your company’s policies, as well as relevant state and federal laws, are being followed? In light of Mr. Michael’s recent comments, how do you plan to improve this training?

9.      Your spokeswoman has represented that your “policy is … clear that access to data is monitored and audited by data security specialists on an ongoing basis.” Where in your company policies is this discussed? How is this monitoring conducted? How frequently are audits completed? Are customers informed if their information has been inappropriately accessed?

10. Under what circumstances would an employee face discipline for a violation of Uber’s privacy policies? Have any disciplinary actions been taken on this basis?

It will be interesting to see how Uber responds and how federal agencies will follow up on these alleged privacy issues.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.