Late Friday, app-based taxi firm Uber announced the company will be strengthening its privacy program as the result of an outside privacy assessment by law firm Hogan Lovells, laid out in a 40-page review released to the public. According to the review, Uber has in place a strong privacy practice but should augment that practice, especially as the company continues its rapid growth.
Uber retained Hogan Lovells Partner Harriet Pearson, CIPP/US, and her team last November after a number of reports surfaced about the company’s controversial use of consumer data, leading some to apply the name “Ubergate.”
Overall, the review of Uber’s privacy practices was positive but called for additional actions, including more employee privacy training, improved clarity for users to better understand how their data is being used and reinforced access controls.
During a call on Friday, Pearson said her team spent six weeks interviewing staff, including upper management, reviewing relevant documents and assessing Uber’s privacy program while comparing their findings to the “stated expectations” of Federal Trade Commission standards, the Fair Information Privacy Principles, the American Institute of CPA’s Generally Accepted Privacy Principles and “industry-leading practices.”
“Uber has put a very strong privacy program in place,” Pearson said. “Is there room for improvement? Yes. There is always room for improvement for every program or company.”
Pearson highlighted three of the recommendations for Uber.
“Most importantly, keep the privacy program maturing,” she said. “Uber is growing fast; they will need to continue to grow and formalize their privacy program.”
Improved transparency, she noted, will also be key. “When consumers interact with Uber, they should be able to understand what happens to their data. Their current policy provides that, but we recommend they make it shorter and easier.” Also, Uber should continue to improve technical solutions to restrict employee access to user data.
Uber said it would implement all of Hogan Lovells’ recommendations.
Uber CEO Travis Kalanick wrote, “At Uber, protecting the personal information of riders is a core responsibility and company value. Delivering on that value means that privacy is woven into every facet of our business, from the design of new products to how we interact with riders, drivers and the public at large. We will continue to make it a priority to ensure that everyone at the company understands just how critically important it is to build this trust with all of these constituents.”
Reaction to the announcement has varied. On Twitter, Fusion reporter Kashmir Hill wrote:
‘UBER’S GREAT AT PRIVACY, BUT COULD BE A *LIL* BETTER,’ SAYS LAW FIRM PAID TO REVIEW UBER PRIVACY http://t.co/kJcBHBqpU4
— Kashmir Hill (@kashhill) January 30, 2015
While Future of Privacy Forum Cofounder Jules Polonetsky, CIPP/US, tweeted:
— Jules Polonetsky (@JulesPolonetsky) January 30, 2015
Uber's announcement comes just days after Sen. Al Franken (D-MN) sent the company a second letter demanding more clarification to his questions about the company’s use of consumer data. Uber Managing Counsel of Data Privacy Katherine Tassi said, “We are going to respond to Senator Franken and have provided him with Hogan’s review. We believe it contains most, if not all, of the information” he needs.
The Hogan Lovells review is a detailed account of its report and recommendations and likely serves as a helpful document for other rapidly growing digital start-ups.
In assessing Uber’s privacy program, Hogan Lovells focused on 12 core privacy practices, including governance; transparency; internal access controls; privacy by design; consumer access, inquiries and complaints; vendor management and third-party disclosures; personnel management; incident management and response; data retention; data security; training and awareness; and accountability.
In a blog post announcing the review, Uber noted it will “introduce mandatory, job-specific training on privacy and data security issues, including periodic refresher sessions to make certain all employees are up-to-date on policies.” Uber also announced, based on these recommendations, that it will release new privacy policies “soon” and will implement more granular access controls to user data.