Providing a lesson in how not to handle a privacy policy, car service app Uber is now facing questions from the Senate Subcommittee on Privacy, Technology and the Law.

The mess began when an Uber executive suggested that the company uses information gathered from its service to find dirt on journalists critical of the service. An element of the program dubbed the “God view” allows an employee to track the precise geolocation of passengers in Uber vehicles.

Trying to calm the storm, the company posted its previously undisclosed privacy policy online and a spokesperson stated that use of geolocation data as suggested by the executive would violate the policy.

But as the story went viral, Sen. Al Franken (D-Minn.), who was seemingly concerned with more than journalists, sent a letter to Uber CEO Travis Kalanick asking for answers about the company’s privacy policy and its use of geolocation data.

“To whom is the so-called ‘God view’ tool made available and why?” Sen. Franken asked in the letter. “What steps are you taking to limit access?”

Sen. Franken expressed “serious concerns” about “the scope, transparency, and enforceability of Uber’s policies,” since Uber has not submitted evidence that its practices match or support what the spokesperson stated.

The legislator wondered whether the executive faced disciplinary action, whether and under what circumstances an employee would face discipline for a violation of the privacy policies, and whether any employees had been disciplined on such a basis.

Sen. Franken also noted that the language of the policies suggests that Uber maintains personal information and geolocation data indefinitely, even after an account is terminated. “Why? What limits are you considering imposing?” the letter asked.

Uber must respond to the lawmaker by December 15.

To read Sen. Franken’s letter to Uber, click here.

Why it matters: What is the lesson from Uber’s situation? An undisclosed privacy policy and inopportune comments can result in a major PR nightmare and a legislative inquiry. Companies should recognize that privacy is a hot-button issue and act accordingly. They should establish and follow a policy, share it with customers, and refrain from making comments about using data inappropriately.