TNCs’ control over consumer data has raised some concerns as to the privacy protections offered by TNCs, and the applicability of the current U.S. privacy framework to the so-called new “sharing economy.” In order to operate, TNCs such as Uber and Lyft collect, retain and process massive amounts of data with respect to their users. This information may include a passenger’s name, contact information, payment information, device location, device manufacturer and model, mobile operating system, pick-up location, destination, trip history, contact information for those with whom customers wish to share information, and information about how customers interact with the TNCs’ interfaces (e.g. browser types and IP addresses). TNCs – which dictate the terms of service and privacy policies that every passenger must consent to in order to use their services – consequently control a significant volume and variety of personal information. This data may be more valuable than the transportation services themselves, as it may become a significant source of revenue and/or business valuation for these companies. This article will summarize the findings of my report entitled Transportation Network Companies: Passenger Data Security and Privacy Issues, published on Westlaw. The full article can be accessed on Westlaw, or by contacting mdaus@windelsmarx.com.
On August 15, 2017, the Federal Trade Commission (FTC) announced it had reached an agreement with Uber to settle FTC charges that the ride-hailing company deceived consumers by (i) misrepresenting the extent to which it monitored employee access to passengers’ and drivers’ personal information, and (ii) misrepresenting that it took reasonable steps to secure that data. The FTC’s first allegation arose out of a series of news articles published in November 2014 describing improper access and use of consumer personal information, including geolocation information, by Uber employees. The FTC’s second allegation stemmed from a data security breach Uber suffered in the spring of 2014 that potentially exposed drivers’ names, license numbers, and Social Security numbers, as well as bank account and routing numbers. Uber did not discover the breach until September 2014, and only started notifying the affected drivers in February 2015.
Under its proposed agreement with the FTC, Uber is prohibited from misrepresenting how it monitors internal access to consumers’ personal information; prohibited from misrepresenting how it protects and secures that data; required to implement a comprehensive privacy program; and required to obtain within 180 days, and every 2 years after that for the next 20 years, independent, third-party audits. The FTC’s announcement follows a settlement Uber reached with the New York State Attorney General’s Office in January 2016, which required Uber to pay a $20,000 penalty for failure to provide timely notice of the breach to drivers and the Attorney General’s Office, and adopt data security protection practices. It is to be noted that on November 2, 2017, Attorney General Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) in a bid to close major gaps in New York’s data security laws. Under the Act, companies would have to adopt “reasonable” administrative, technical, and physical safeguards for sensitive data. The standards would apply to any business that holds sensitive data of New Yorkers, whether they do business in New York or not, and may also include TNCs.
Uber is not the only TNC whose privacy practices have come under scrutiny in the past few years. In November 2014, a reporter contended that a Lyft executive had purportedly accessed her trip log information. Lyft later announced a change in its internal privacy policies to limit employee access to user data by instituting “tiered access controls” that would limit access to user data to a subset of employees and contractors, with access to ride location data restricted to an even smaller subset of people. Lyft has also been facing several lawsuits from individuals claiming that they received unsolicited text messages from this TNC in violation of the Telephone Consumer Protection Act (TCPA).
While TNCs have sometimes failed to protect their users’ privacy, these same companies often refuse to share their data with public authorities, citing privacy concerns. Government regulators and agencies need access to ground transportation data for compliance and planning purposes. Universities and academic researchers also crave TNC data for the purpose of study and analysis. In addition, granting access to open data platforms with anonymized data sets to private individuals and corporations could help spur innovation via the creation of new technological products and services. Consumers’ privacy should, however, always be safeguarded.
In light of the many concerns raised, clear privacy legislation governing TNCs and providing for the implementation of fundamental privacy principles, together with effective enforcement mechanisms, needs to be adopted. Whether or not changes are on the way at the national legislative level, it is completely within the power of state and local legislators or government transportation regulators to require, as a condition of TNC licensure, that privacy protections be put in place and enforced. These could be inserted as amendments to state and local TNC legislation, or as part of implementing regulations by relevant state and local administrative government agencies. In sum, such amended laws and/or regulations should require TNCs to implement policies, subject to government audit and enforcement. A failure to comply by not enacting or implementing privacy policies properly would result in significant fines, and/or TNC license suspension or revocation.
In addition, TNCs could be required to provide data in an anonymized format or lockbox via an approved third-party administrator hired by the government. The law can create an exemption from Freedom of Information Laws (FOIL), and allow access exclusively to government regulators for specific investigatory or data collection purposes that are clearly defined. A third-party validator would collect, monitor and audit items such as granular pick-up and drop-off locations and times, collision or “black box” data, duration of trip, and test data accuracy, while protecting TNCs’ trade secrets and consumers’ privacy. This would enable regulators, researchers and the public to access information under conditions acceptable both to TNCs and consumers.
Professor Matthew W. Daus, Esq. is President, International Association of Transportation Regulators; Distinguished Lecturer, University Transportation Research Center, Region 2; and Partner and Chairman, Windels Marx Transportation Practice Group.