Set to take effect July 15, the new policy states that Uber “care[s] deeply about the privacy of our riders and drivers,” and represents that “users will be in control” of their privacy settings, with the ability to “choose whether to share the data with Uber.” The revised policy permits the company to collect geolocation information when the Uber app is in use or via an IP address when the app is running in the background. Access to users’ address books and other data would also be allowed under the revised policy.
EPIC objected. “These changes ignore the FTC’s prior decisions, threaten the privacy rights and personal safety of American consumers, ignore past bad practices of the company involving the misuse of location data, pose a direct risk of consumer harm, and constitute an unfair and deceptive trade practice subject to investigation by the Federal Trade Commission,” the group wrote to the agency.
Emphasizing Uber’s burgeoning business, EPIC said the collection of so much consumer data presents serious privacy concerns, particularly as users have less control than the company suggests. “[U]sers are not truly in control of the data they disclose to Uber,” EPIC wrote. “Uber retains the ability to track users even if users choose not to share location data with Uber.”
The collection of data “far exceeds” what customers would expect from the transportation service, the company argued. Users would not expect the company to collect location information when they are not actively using the app, the group said, and even allowing users to opt out of certain collections “places an unreasonable burden on consumers.”
The complaint charged Uber with a “history of abusing the location data of its customers,” and referenced news stories about employees misusing the so-called “God View” to obtain users’ real-time and historic locations without their knowledge.
EPIC also noted that the company suffered a data breach in spring 2014 that potentially exposed over 50,000 former and current drivers’ names and license plates, which suggests, in EPIC’s view, that the company also fails to take adequate security measures to protect its database of user information. The company even violates the Telephone Consumer Protection Act, according to the complaint, by “regularly” sending out unsolicited text messages to customers and their contact lists.
“There is a clear divide between Uber’s representations as to their consumers’ control over their personal information, and Uber’s actual business practices,” EPIC told the FTC. “Consumers are led to believe that they retain control over their personal data, when in fact they do not.” Consumers have no ability to opt-out of data collection and targeted advertising.
EPIC urged the FTC to halt Uber’s collection of geolocation information that is not required to deliver a service, that it require the company to delete location information once a ride has been completed, and that it put an end to the collection of user contact list information.
The group also urged the agency to initiate an investigation of Uber’s business practices and those of other companies engaged in similar practices.
To read the complaint and request for investigation filed by EPIC, click here.
Why it matters: Although the ride-sharing company has experienced tremendous growth over the last few years, Uber has faced a host of litigation, ranging from employment issues (drivers claiming to be employees and not independent contractors) to false advertising claims. Earlier this year, a coalition of 19 taxicab companies filed a lawsuit against the company asserting that consumers have been deceived by Uber’s claims that its rides are “safer than a taxi” and “the safest rides on the road.” Uber has also been on the receiving end of inquiries from legislators about its data practices.