BY MATT DAUS
What comes as no surprise to this industry was a shock to the general public: TNCs' control over consumer data has raised concerns about the privacy protections they offer and the applicability of the current U.S. privacy framework to the so-called "sharing economy." It's no secret that in order to operate, the likes of Uber and Lyft collect, retain, and process massive amounts of user data. This information may include a passenger's name, contact information, payment information, device location, device manufacturer and model, mobile operating system, pickup location, destination, trip history, contact information for those with whom customers wish to share information, and details on how they interact with TNCs' interfaces (e.g., browser types and IP addresses). Consequently, TNCs—which dictate the terms of service and privacy policies that every passenger must consent to before using their services—control a significant volume and variety of personal information. These data may be more valuable than the transportation services themselves, as they have the potential to become a significant source of revenue and/or business valuation for these companies.
On August 15, 2017, the Federal Trade Commission (FTC) announced it had reached an agreement with Uber to settle charges that the ride-hailing company deceived consumers by not only misrepresenting the extent to which it monitored employee access to passengers' and drivers' personal information, but also falsifying that it took reasonable steps to secure that data.
This article summarizes the findings of Matt Daus' report Transportation Network Companies: Passenger Data Security and Privacy Issues. Visit westlaw.com or email Daus at mdaus@windelsmarx.com to read the full report.

The FTC's first allegation arose from a series of news articles published in November 2014 describing Uber employees' improper access to and use of consumer personal information, including geolocations. The second allegation stemmed from a data security breach Uber suffered in the spring of 2014 that potentially exposed drivers' names, license numbers, and Social Security numbers, as well as bank account and routing numbers. Uber did not discover the breach until September 2014, and only started notifying the affected drivers in February 2015.
Under its proposed agreement with the FTC, Uber is prohibited from misrepresenting how it monitors internal access to consumers' personal information as well as how it protects and secures that data. It is also required to both implement a comprehensive privacy program and obtain independent, third-party audits, first within 180 days and then every two years after that for the next 20 years. The FTC's announcement follows a settlement Uber reached with the New York State Attorney General's Office in January 2016 that required Uber to pay a $20,000 penalty for failure to provide timely notice of the breach to drivers and the Attorney General's Office, and to adopt data security protection practices.
It is to be noted that on November 2, 2017, Attorney General Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") in a bid to close major gaps in New York's data security laws. Under the act, companies would have to adopt "reasonable" administrative, technical, and physical safeguards for sensitive data. The standards would apply to any business that holds New Yorkers' sensitive data (whether they do business in New York or not) and may also include TNCs.
Uber is not the only TNC whose privacy practices have come under scrutiny in the past few years. In November 2014, a reporter contended that a Lyft executive had purportedly accessed her trip log information. Lyft later announced a change in its internal privacy policies to limit employee access to user data by instituting "tiered access controls" that would limit user data access to a subset of employees and contractors, with access to ride location data restricted to an even smaller subset of people. Lyft has also been facing several lawsuits from individuals claiming that they received unsolicited text messages from this TNC in violation of the Telephone Consumer Protection Act.
While TNCs have sometimes failed to protect their users' privacy, these same companies often refuse to share their data with public authorities, citing privacy concerns. Government regulators and agencies need access to ground transportation data for compliance and planning purposes. Universities and academic researchers also crave TNC data for the purpose of study and analysis. In addition, granting access to open data platforms with anonymized data sets to private individuals and corporations could help spur innovation via the creation of new technological products and services. Consumers' privacy should, however, always be safeguarded.
In light of the many concerns raised, clear privacy legislation governing TNCs and providing for the implementation of fundamental privacy principles, together with effective enforcement mechanisms, needs to be adopted. Whether changes are on the way on a national legislative level, it is completely within the power of state and local legislators or government transportation regulators to require, as a condition of TNC licensure, that privacy protections be put in place and enforced. These could be inserted as amendments to state and local TNC legislation, or as part of implementing regulations by relevant state and local administrative government agencies. In sum, such amended laws and/or regulations should require TNCs to implement policies, subject to government audit and enforcement. A failure to comply by not enacting or implementing privacy policies properly would result in significant fines, and/or TNC license suspension or revocation.
In addition, TNCs could be required to provide data in an anonymized format or lockbox via an approved third-party administrator hired by the government. The law can create an exemption from Freedom of Information Laws, and allow access exclusively to government regulators for specific investigatory or data collection purposes that are clearly defined. A third-party validator would collect, monitor, and audit items such as granular pickup and drop-off locations and times, collision or "black box" data, duration of trip, and test data accuracy, while protecting TNCs' trade secrets and consumers' privacy. This would enable regulators, researchers and the public to access information under conditions acceptable both to TNCs and consumers. [CD0318]
Matt Daus is a partner with the law firm Windels Marx, president of IATR, and a leading authority on ridesharing apps. He can be reached at mdaus@windelsmarx.com.