by Matthew W. Daus, Esq.
TNCs’ control over consumer data has raised some concerns as to the privacy protections offered by TNCs, and the applicability of the current U.S. privacy framework to the so-called new "sharing economy."1
In order to operate, TNCs such as Uber and Lyft collect, retain, and process massive amounts of data with respect to their users. This information may include a passenger’s name, contact information, payment information, device location, device manufacturer and model, mobile operating system, pick-up location, destination, trip history and contact information for those with whom customers wish to share information. The information may also include information about how customers interact with the TNCs’ interfaces, e.g., browser types and IP addresses.2
TNCs, which dictate the terms of service and privacy policies that every passenger must consent to in order to use their services, consequently control a significant volume and variety of personal information. This data may be more valuable than the transportation services themselves, as it may become a significant source of revenue and/or business valuation for these companies.3
This article will summarize the findings of my report entitled Transportation Network Companies: Passenger Data Security and Privacy Issues, published on Westlaw. The full article can be accessed on Westlaw, or by contacting
On August 15, 2017, the Federal Trade Commission ("FTC") announced it had reached an agreement with Uber to settle FTC charges that the ride-hailing company deceived consumers by:
misrepresenting the extent to which it monitored employee access to passengers’ and drivers’ personal information, and
misrepresenting that it took reasonable steps to secure that data.4
The FTC’s first allegation arose out of a series of news articles published in November 2014 describing improper access and use of consumer personal information, including geolocation information, by Uber employees.5
The FTC’s second allegation stemmed from a data security breach Uber suffered in the spring of 2014 that potentially exposed drivers’ names, license numbers, and Social Security numbers, as well as bank account and routing numbers.6 Uber did not discover the breach until September 2014, and only started notifying the affected drivers in February 2015.7
Under its proposed agreement with the FTC, Uber is:
prohibited from misrepresenting how it monitors internal access to consumers’ personal information;
prohibited from misrepresenting how it protects and secures that data;
required to implement a comprehensive privacy program; and
required to obtain within 180 days, and every 2 years after that for the next 20 years, independent, third-party audits.8
The FTC’s announcement follows a settlement Uber reached with the New York State Attorney General’s Office in January 2016. The settlement required Uber to pay a $20,000 penalty for failure to provide timely notice of the breach to drivers and the Attorney General’s Office, and adopt data security protection practices.9
Notably, on November 2, 2017, Attorney General Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") in a bid to close major gaps in New York’s data security laws. Under the Act, companies would have to adopt "reasonable" administrative, technical, and physical safeguards for sensitive data. The standards would apply to any business that holds sensitive data of New Yorkers, whether they do business in New York or not, and may also include TNCs.10
Uber is not the only TNC whose privacy practices have come under scrutiny in the past few years. In November 2014, a reporter contended that a Lyft executive had purportedly accessed her trip log information.11 Lyft later announced a change in its internal privacy policies to limit employee access to user data by instituting "tiered access controls". The controls would limit access to user data to a subset of employees and contractors, with access to ride location data restricted to an even smaller subset of people.12
Lyft has also been facing several lawsuits from individuals claiming that they received unsolicited text messages from this TNC in violation of the Telephone Consumer Protection Act ("TCPA").13
While TNCs have sometimes failed to protect their users’ privacy, these same companies often refuse to share their data with public authorities citing privacy concerns:14
Government regulators and agencies need access to ground transportation data for compliance and planning purposes.
Universities and academic researchers also crave TNC data for the purpose of study and analysis.
In addition, granting access to open data platforms with anonymized data sets to private individuals and corporations could help spur innovation via the creation of new technological products and services. Consumers’ privacy should, however, always be safeguarded.
In light of the many concerns raised, clear privacy legislation governing TNCs and providing for the implementation of fundamental privacy principles, together with effective enforcement mechanisms, needs to be adopted. Whether changes are on the way on a national legislative level or not, it is completely within the power of state and local legislators or government transportation regulators to require, as a condition of TNC licensure, that privacy protections be put in place and enforced.
These protections could be inserted as amendments to state and local TNC legislation, or as part of implementing regulations by relevant state and local administrative government agencies. In sum, such amended laws and/or regulations should require TNCs to implement policies subject to government audit and enforcement. A failure to comply by not enacting or implementing privacy policies properly would result in significant fines, and/or TNC license suspension or revocation.
In addition, TNCs could be required to provide data in an anonymized format or lockbox via an approved third-party administrator hired by the government. The law can create an exemption from Freedom of Information Laws ("FOIL"),15 and allow access exclusively to government regulators for specific investigatory or data collection purposes that are clearly defined.
A third-party validator would collect, monitor and audit items such as granular pick-up and drop-off locations and times, collision or "black box" data, and duration of trip, and would test data accuracy, while protecting TNCs’ trade secrets and consumers’ privacy. This would enable regulators, researchers and the public to access information under conditions acceptable both to TNCs and consumers.
1. Privacy concerns that arise due to the large amounts of data sharing economy platforms assemble were briefly addressed during a workshop held by the Federal Trade Commission in June 2015. See The "Sharing" Economy Issues Facing Platforms, Participants & Regulators, FTC Staff Report (Nov. 2016), https://www.ftc.gov/system/files/documents/reports/sharing-economy-issues-facing-platforms-participants-regulators-federal-trade-commission-staff/p151200_ftc_staff_report_on_the_sharing_economy.pdf.
2. Hogan Lovells: Review and Assessment of Uber’s Privacy Program (January 2015), p. 3, https://newsroom.uber.com/wp-content/uploads/2015/01/Full-Report-Review-and-Assessment-of-Ubers-Privacy-Program-01.30.15.pdf.
3. Prableen Bajpai, How Uber is Selling all Your Ride Data, INVESTOPEDIA (Mar. 9, 2016), http://www.investopedia.com/articles/investing/030916/how-uber-uses-its-data-bank.asp?lgl=myfinance-layout-no-ads. See also Anita Balakrishnan, These Uber business proposals show how data could help justify its $68 billion valuation, CNBC.COM (Apr. 4, 2017), http://www.cnbc.com/2017/04/04/these-uber-business-proposals-show-how-data-could-help-justify-its-68-billion-valuation.html.
4. FTC’s Press Release, Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims (Aug. 15, 2017), https://www.ftc.gov/news-events/press-releases/2017/08/uber-settles-ftc-allegations-it-made-deceptive-privacy-data.
5. Federal Register / Vol. 82, No. 160 / Monday, August 21, 2017 / Notices, https://www.ftc.gov/system/files/documents/federal_register_notices/2017/08/uber_published_analysis_8-21-17.pdf.
6. Uber Statement Update, Uber Newsroom (June 17, 2016), https://newsroom.uber.com/statement-update/.
7. Following the breach discovery, Uber filed a John Doe lawsuit in an attempt to identify the perpetrator of the breach (Uber Technologies, Inc. v. John Doe I, No. C 15-00908 LB (N.D. Cal., Mar. 16, 2015)); and a former Uber driver sued Uber over the breach (Sasha Antman v. Uber Technologies Inc., Case No. 3:15-cv-01175-LB (N.D. Cal., Oct. 19, 2015)).
8. The agreement was subject to public comment until September 15, 2017. The Commission will now review the agreement and the comments received, and will decide whether it should withdraw from the agreement or make final the agreement’s proposed order. In an effort to increase transparency about its data handling practices, Uber subsequently announced that it will no longer enable a controversial feature of its app that allows the collection of location data from the moment users request a ride until five minutes after their trip ends, including when the app is running in the background of the customer’s phone. See Selena Larson, Uber to give users better control over location data, CNN TECH (Aug. 29, 2017), http://money.cnn.com/2017/08/29/technology/uber-location-data/index.html.
9. See A.G. Schneiderman Announces Settlement with Uber to Enhance Rider Privacy, New York State Attorney General’s Website, https://ag.ny.gov/press-release/ag-schneiderman-announces-settlement-uber-enhance-rider-privacy.
10. A.G. Schneiderman Announces SHIELD Act To Protect New Yorkers From Data Breaches, New York State Attorney General’s Website, https://ag.ny.gov/press-release/ag-schneiderman-announces-shield-act-protect-new-yorkers-data-breaches.
11. Liz Gannes, It’s Not Just Uber: Tech Companies Snooping on Users Is All Too Common, RECODE (Nov. 20, 2014), http://www.recode.net/2014/11/20/11633100/tech-companies-snooping-on-users-creepy-and-common.
12. Liz Gannes, Lyft Limits Employee Access to Data After Re/code Report, RECODE (Nov. 21, 2014), http://www.recode.net/2014/11/21/11633164/lyft-limits-employee-access-to-data-after-recode-report.
13. E.g., Bodie v. Lyft Inc., Case No. 3:16-cv-02558, U.S. District Court for the Southern District of California; Shari Lindenbaum v. Lyft Inc., Case No. 1:17-cv-01991, U.S. District Court for the Northern District of Ohio.
14. On October 10, 2017, the California Public Utilities Commission ("CPUC") held a workshop at its San Francisco headquarters to discuss the issues surrounding the sharing of TNC data, and local agencies’ interest in gathering data on TNCs’ activities. The purpose of the discussion was to determine what role the CPUC should play in the exchange of information between TNCs and local government, if any; whether the TNCs are the best source of data; which types of data need to be provided; and what level of aggregation is necessary.
15. FOIL laws usually have provisions for information determined to be exempt from disclosure for public policy reasons. For instance, New York State’s FOIL Law contains exemptions for certain information, including information that if disclosed would constitute an unwarranted invasion of personal privacy. (See NYS Public Officers Law §87(2)). The newly adopted New York State TNC law exempts from public disclosure the names and identifying information of TNC drivers obtained for an audit (See New York State Vehicle and Traffic Law §1698 2.).