Privacy Alert: Privacy Lessons Learned From Uber
Privacy Lessons Learned From Uber
by Holly Miller and Ashley Bennett Ewald
It’s not just heath care companies, credit card companies, or big box retailers that need to be careful when it comes to privacy. Any company collecting user data from mobile apps—including geolocation data, user address books, passwords, or other personal information—needs to be careful and aware of privacy laws and regulations. Companies collecting information must also make sure employees understand company policies on the use of customer data to avoid improper uses of data that can lead to a public relations nightmare.
Ridesharing service Uber, headquartered in San Francisco, recently learned about these issues the hard way. On November 17, 2014 BuzzFeed reported that Uber’s Senior Vice-President of Business Emil Michael made comments indicating that Uber might mine private travel information collected by the company to target a journalist who had criticized Uber. This came only a month after Forbes magazine reported that Uber employees used an internal company tool to “stalk” VIP users of its car service. The latest incident led to a “#deleteuber” effort on social media platform Twitter, extensive national press coverage, and a letter from Minnesota Senator Al Franken publically questioning how Uber treats the location and ride history of its passengers. Uber spokeswoman Nairi Hourdajian wrote in a company blog post last week that Uber has a strict privacy policy prohibiting all employees at entry level from accessing rider or driver data, but it remains to be seen whether its policy is enough to halt the bad press and turn around public opinion.
Companies in a variety of spaces have developed mobile apps to connect with consumers and to provide easy access to goods and services via smartphones. If your company is in this space, here are seven ways to curb your risks when it comes to company use of consumer data:
- Know what personal data your software or mobile app is collecting.
- Know who at the company has access to such data and limit access to those with a “need to know.”
- Set clear guidelines on when sensitive data can be accessed and how it can be used, and provide ongoing training regarding this topic.
- Monitor and enforce compliance with the guidelines, up to and including disciplinary action for violations.
- Set out in your privacy policy the types of information that you collect and how you use the data collected.
- Make sure your privacy policy accurately reflects what is actually happening at the company with data collected.
- Have a public relations plan in place in the event a policy violation receives media attention.
If you have questions about how privacy laws and regulations impact your business, please contact Holly Miller at holly.miller@lathropgpm.com (612.632.3479) or Ashley Bennett Ewald at ashley.ewald@lathropgpm.com (612.632.3449).