EPIC Urges FTC to Give Red Light to Uber Over Update in Privacy Policy

FTC UberEarlier this year, the FTC held a workshop on the “sharing economy,” which includes companies like Uber and Airbnb.  Now, in the time following the FTC’s workshop, privacy group Electronic Privacy Information Center (“EPIC”) has filed a complaint at the FTC over Uber’s updates in the ride-hailing service’s privacy statement that purports to give Uber the right to track users even if they’re not currently using the app.  

The new privacy policy, which Uber first announced on May 28, has attracted a number of privacy complaints from EPIC.  Uber’s posted announcement of this update included the sentence “We value your privacy and encourage you to review the new statement” prominently backlighted in blue at the top of the page.  When you scroll down to the fourth full paragraph of the privacy statement however, you find this:

Location Information: When you use the Services for transportation or delivery, we collect precise location data about the trip from the Uber app used by the Driver. If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.

In other words, this means that Uber can potentially gather information about a customer even when the customer is not using the app by using the customer’s IP address.  The privacy statement goes on to say that it can use your address-book contact information “to facilitate social interactions through our Services and for other purposes,” which is a nice way of saying they can spam anybody in your email contact list.

In its complaint, EPIC charges that Uber’s plan to track users and gather contact details is an unlawful and deceptive trade practice.  In support of its complaint, EPIC cites to what it says is a history of Uber’s misuse of customer data.  EPIC has also recommended comprehensive legislation governing companies like Uber.  According to EPIC:

Uber’s Revised Business Practices Will Allow the Company to Routinely Track the Location of Internet Users Even When They are not Customers of Uber

Uber’s revised privacy policy creates several risks for American consumers. Uber will now collect the precise location of the user when the app is running in the foreground through traditional GPS location services. Uber will also collect precise location information if the app is operating in the background. On phones running iOS, this means that Uber may be able collect location data even after an app has been terminated by the user. … Further, given Uber’s statement that it will collect location data from a user’s device only “[i]f you permit it to,” a user would reasonably assume that the company does not track his or her location by other means. In fact, Uber may continue to “derive your approximate location from your IP address.”

EPIC’s complaint further notes that Uber claims “it will allow users to opt-out of these features,” but asserts that Uber’s “change in business practices places an unreasonable burden on consumers and is not easy to exercise: while iOS users can later disable the contact syncing option by changing the contacts setting on their mobile devices, the Android platform does not provide any such setting.  These statements could lead users to believe that that [sic] they can choose to not share location data with the company after downloading the app, which is not true.”

The lengthy, 23-page complaint also states “prior to the emergence of Uber and similar services, American consumers could routinely hire taxis without any disclosure of personal information or tracking of their location.”  Ultimately, EPIC asks the FTC to investigate Uber’s business and data-collection practices; investigate Uber’s “possible violation of the Telephone Consumer Protection Act”; “halt” Uber’s collection of contact list information and user location data unless it is required for actual provision of the service; and also investigate other companies engaged in similar practices.

An Uber spokesperson rejected the FTC complaint and said there is no basis for it.  “We care deeply about the privacy of our riders and driver-partners and have significantly streamlined our privacy statements in order to improve readability and transparency.  These updated statements don’t reflect a shift in our practices, they more clearly lay out the data we collect today and how it is used to provide or improve our services,” the spokesperson said.  Uber also says they have no current plans to use customer’s imported contacts or use location data collected while the user does not have the app open, even though it would be allowed under the new policy.

Interestingly, the EPIC complaint came just weeks after FTC Commissioner Maureen Ohlhausen said the FTC was not planning a significant enforcement push against “sharing economy” companies like Uber.  Even still, the comments came at the FTC’s “sharing economy” workshop mentioned above, which was held to determine what regulatory problems might need to be addressed in the fast-growing sector of the economy.  It is currently a high-stakes moment for Uber.  It is reportedly raising money at a $50 billion valuation and continuing to develop a powerful lobbying operation to make its case to regulators in Washington, at the state and local level and around the world.  If the FTC plans to act on EPIC’s complaint, it appears Uber is gearing up for that fight.