Uber Settles with the FTC, Tying Itself to the Agency For Up To 20 Years
On August 15, 2017, three years after it faced backlash from the media,
Uber settled with the Federal Trade Commission (FTC) over allegations
that, despite its representations, the company failed to secure customer data
and failed to monitor employee access to that data, thus engaging in unfair or
deceptive acts or practices affecting commerce in violation of the Federal
Trade Commission Act, 15 U.S.C. § 45(a). We cannot explain why it took three
years for the decision to be issued. Regardless, the decision is a reminder
that parties must accurately describe their security programs, must take
reasonable and appropriate steps to protect personal information, and must test
the efficacy of their privacy programs.
In 2014, news outlets reported that Uber employees had been accessing
consumer data. In response, Uber issued a statement that it had policies
restricting employee access to the data and that the company had developed a
system to review employee access to consumer information. However, Uber failed
to actually review employee access to this information, and the company dropped
the system less than a year later. In addition, despite its assurances that its
data was secured, in May 2014 a hacker accessed personal information of Uber
drivers, including their driver's license numbers.
In response to these allegations, Uber
settled with the FTC and agreed to a number of requirements. First, Uber agreed that it and all of its
officers, agents, employees, and attorneys would not misrepresent the extent to
which the company actually monitors or audits access to consumers’ personal
information and the extent to which the company protects the privacy of any
Second, the company agreed to establish a privacy program, effective as
of the date of the Order, to address privacy risks and to protect the privacy
and confidentiality of personal information.
This privacy program must be assessed by an independent third-party
professional approved by the FTC, first six months after the Order and then every two
years thereafter for 20 years. The Order also requires the program to be
regularly tested, evaluated and adjusted, and changed if the company undergoes
any alterations to its operations or business arrangements.
Third, in addition to the privacy program, the Order requires Uber to
submit a compliance report, one year after the Order, describing how the
company and each of its entities are in compliance with the Order. The report
must be supplemented if the company has a change in the designated point of
contact within the company or if the company undergoes any restructuring or
sale that directly or indirectly affects the compliance requirements of the
Order. In addition, the company must respond to the FTC within 10 days of
receipt of a written request with sworn records, additional compliance reports,
or requested information. The FTC can even interview individuals affiliated
with the company.
Fourth, Uber agreed to implement and maintain records for 20 years
following issuance of the Order. The Order requires Uber to create and retain
(for five years) accounting records, personnel information (including those of independent
contractors, which Uber considers its drivers to be), records of consumer
complaints, and records necessary to show compliance with the FTC Order. The company must also keep for three years
all documents it used to prepare each assessment ordered by the FTC and the
company must keep for five years all documents that demonstrate non-compliance
with the Order.
Of note, in the settlement Uber did not admit or deny any of the
allegations in the Complaint. The Complaint was published in the Federal
Register on August 21, 2017, with comments due on September 15, 2017.
Following the public comment period, the FTC will decide if the Consent Order