Uber today released the results of a review of its privacy policies, which it had commissioned from the independent law firm Hogan Lovells. The firm found that Uber had appropriate policies and disclosures in place and that it had invested significantly in enforcing those policies. However, it made 10 recommendations on how the company could improve the way it handles user data.
The review of Uber’s policies began after a series of events called its commitment to user privacy into question last year. Those incidents led Senator Al Franken to ask Uber a series of eight questions about its policies in a public letter.
At a dinner last fall, senior Uber executive Emil Michael suggested the company spend $1 million conducting opposition research on journalists. Meanwhile, the company also examined claims one of its general managers had used a journalist’s location data without her permission. Around the same time, a report emerged that Uber executives had shown off its “God View” at a launch party several years ago.
Over a six-week period, Hogan Lovells reviewed Uber’s internal documents and interviewed executives about its policies. The firm found that Uber had appropriate policies and procedures in place, especially for a company of its age and scale, but noted that there is always room for improvement:
Based on our review and findings, we have offered ten core recommendations for the expansion of Uber’s Privacy Program. We recommend that Uber: (1) enhance its existing privacy governance framework by continuing to formalize information policies and practices, developing a concrete plan and time frame for regular reviews of the Privacy Program, and ensuring that senior leadership continues to set an appropriate tone at the top; (2) streamline and enhance the content and availability of existing privacy disclosures to help consumers more readily understand Uber’s practices relating to Consumer Data; (3) implement additional tools, access controls, and written procedures that will help automate and further embed compliance with the Company’s access control policies into day-to-day operations; (4) enhance its privacy by design program by further formalizing the existing privacy review of products prior to launch; (5) further formalize its vendor management program by enhancing template agreements, developing a standard set of diligence questions for vendors, and developing formal procedures to periodically review third parties’ compliance with contractual and legal obligations related to data security; (6) implement additional procedures to review inactive or closed accounts that have been retained for a valid reason for a certain period of time to determine whether that reason still exists; (7) create a central “hub” for incident response resources and revise relevant policies and procedures to reflect a consistent system for classifying incident severity; (8) update the Company’s written data security policies, guidelines, and templates to formally document any unwritten data security expectations for personnel related to Consumer Data; (9) enhance and formalize its training and awareness program to provide tailored trainings about Uber’s privacy practices based on job responsibilities and to mandate regular refresher trainings and updated guidance; and (10) continue to emphasize employee accountability for data privacy through additional formal initiatives.
“While Uber is encouraged by these findings, we fully acknowledge that we haven’t always gotten it right,” the company said in its blog post. It said that it will continue to “review and iterate on its policies, processes, and technology” based on Hogan Lovells’ recommendations.