Uber has to install a new privacy program—and submit to audits.
U.S. regulators said on Tuesday that Uber Technologies agreed to do more to protect the privacy of customer and driver data in settling allegations that the ride-hailing company had made deceptive privacy and data security claims.
In its complaint, the FTC alleged Uber did not, as it claimed, monitor employee access to customer and driver data. Uber had developed a system to monitor employee access in December 2014, but the company stopped using the system less than a year after it was put in place and rarely monitored employee access thereafter, the FTC alleged.
The settlement with the Federal Trade Commission is the latest setback for Uber, which is facing a divided board of directors and angry shareholders after an investor lawsuit was filed against the company’s ousted chief executive.
Under the agreement between Uber and the FTC, Uber cannot misrepresent its access to consumers’ personal information or how it secures that data, and must implement a privacy program and submit to audits of that program, the agency said.
“This case shows that, even if you’re a fast-growing company, you can’t leave consumers behind: you must honor your privacy and security promises,” said FTC Acting Chairman Maureen Ohlhausen.
An Uber spokesman said in an emailed statement that the San Francisco-based company was pleased the investigation had ended, adding: “We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs.”
Uber noted that in 2015 it hired its first chief security officer and “now employ hundreds of trained professionals dedicated to protecting user information.”