The long-brewing behind-the-scenes tensions of privacy, big data, and mobile finally came to a head last week in the public relations disaster known as #Ubergate. Uber’s meteoric rise to the pinnacle of the rideshare start-up economy has been fueled in part by its collection and usage of sensitive consumer geolocation information. An Uber executive’s recent freewheeling remarks about the potential abuse of that sensitive consumer data has ignited a firestorm of controversy, bringing to the fore additional allegations of questionable data usage practices. #Ubergate serves as a cautionary tale to any start-up collecting and using sensitive personal location information to invest early in privacy policies, practices, and ethics.
Uber came under fire last week for a number of alleged unorthodox consumer data collection and usage practices, which were contrary to its stated policy:
Uber has vehemently denied that Michael’s comment reflects its practices, and is investigating the alleged tracking of a journalist. In the wake of the scandal, Uber has publicly hired outside data privacy legal counsel to quickly review and address these privacy issues. And as a consequence of these reports, Uber is contending with considerable customer backlash on social media and a rash of customer requests to permanently delete their accounts.
Location-Based Services, the FTC, and Privacy
Over the past few years, the FTC and other regulators have become increasingly concerned with the privacy implications of mobile and geolocation data and mobile app data security. Location-based services – applications that provide information to users based on their location – are growing at an exponential rate with the rapid rise of mobile smartphone devices and tablets. Geolocation or location-based services provide tremendous benefits to consumers in the form of navigation (e.g., GoogleMaps), local search (e.g., Yelp), check-in (e.g., Foursquare), and social media (e.g., Facebook). Location-based services are what enable Uber to get you a ride as quickly as you want one. But the same principle that makes geolocation services so appealing – the ability to provide consumers with real-time information tailored to their location – also raises serious privacy concerns as companies can collect and compile – without consumer knowledge or consent – detailed records and consumer profiles on the places one works, eats, and visits; the events consumers attend; the people one socializes with; and more.
On the policy front, the FTC has taken the position that geolocation data is “sensitive” information deserving a greater level of privacy protection. The agency has issued several reports outlining its privacy concerns with mobile devices and location-based services and signaling where it recommends the industry should head. In the FTC’s seminal 2012 report, Protecting Consumer Privacy in an Era of Rapid Change (“2012 Privacy Report”), the Commission made plain its “particular concerns of location data in the mobile context” and called on “entities involved in the mobile ecosystem to work together to establish standards that address data collection, transfer, use, and disposal, particularly for location data.” On the heels of the 2012 Privacy Report, the FTC issued Marketing Your Mobile App: Get It Right from the Start, to educate small businesses on basic privacy principles, and Mobile App Developers: Start with Security, to provide guidance to app developers on mobile security. In February 2013, the FTC released a staff report titled Mobile Privacy Disclosures: Building Trust Through Transparency (“2013 Mobile Report”), which examines the risks mobile technologies pose to consumer privacy, including (i) the unprecedented growth of consumer data being collected over mobile; (ii) the precise information collected about a user’s location that can be used to build detailed profiles of consumers in unanticipated ways; and (iii) the difficulty in conveying consumer data collection policies and practices to consumers in an understandable way over small smartphone screens.
Recognizing the void in legal and regulatory coverage, the Senate Judiciary Committee’s Subcommittee for Privacy, Technology, and the Law introduced earlier this year Senate Bill 2171, The Location Privacy Protection Act of 2014 (LPPA). This bill – incidentally co-sponsored by Senator Franken – would, among other things, require consumer consent before companies could track geolocation data, and require companies collecting the location data of 1,000 or more devices to post online the kinds of data they collect, how they share and use it, and how people can opt out of data collection. The FTC testified in favor of the LPPA before the Senate Judiciary Committee this past June.
And it is not just the federal government weighing in on consumer geolocation privacy protection. For example, the California Attorney General’s office has been particularly active, and in January 2013 published a report titled Privacy On the Go: Recommendations for the Mobile Ecosystem, which followed a number of data privacy enforcement actions.
“Privacy by Design” and the Keys to Avoiding an Uber-Size Mess
To implement “Privacy by Design,” the FTC recommends that companies incorporate substantive privacy protections and data management procedures into their practices such as:
Applying these privacy-by-design principles, the FTC’s 2013 Mobile Report recommends the following privacy protections for mobile apps:
Any enterprise – start-up or otherwise – that collects and uses consumer geolocation information should pay close attention to the FTC’s guidance on privacy by design and its application to mobile applications. In the wake of #Ubergate, there will undoubtedly be more congressional and regulatory scrutiny for mobile app location-based services, which were already garnering substantial attention because of their privacy implications. But implementing a top-down privacy-by-design approach to consumer privacy is not only good for the regulators, it is also good for business. Consumers are becoming increasingly concerned with the amount of personal information companies are collecting from them and their inability to do anything about it. And Uber’s alleged Big Brother (or should we say, “big bro”?) privacy excesses and abuses may be the case that makes these concerns concrete. Companies that affirmatively place themselves ahead of the privacy curve – instead of at the end of it or worse – will be better positioned to compete for and secure an asset that may in the long run be worth even more than the data collected – consumer trust.