Among other things, the complaint asks the FTC to halt Uber’s collection of user location data when it is unnecessary to provide a service; to halt Uber’s collection of user contact list information; and to require that ride information be deleted once the ride is completed.
EPIC’s complaint is centered on two of these new uses. First, Uber’s new policy would allow the app to track users’ locations when the app is running in the background, which Uber explained would help “get people on their way more quickly.” Second, the policy would allow Uber to access users’ contact lists and send promotional messages to users’ friends and family.
The new policy states:
• Location Information: When you use the Services for transportation or delivery, we collect precise location data about the trip from the Uber app used by the Driver. If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.
• Contacts Information: If you permit the Uber app to access the address book on your device through the permission system used by your mobile platform, we may access and store names and contact information from your address book to facilitate social interactions through our Services and for other purposes described in this Statement or at the time of consent or collection.
For both the tracking and the promotional features, the post promises that “users will be in control: they will be able to choose whether to share the data with Uber.” Citing this language, EPIC has alleged that Uber has deceptively reassured customers that they would be in control of their data when the update policy actually deprives them of that control.
According to EPIC’s complaint, while iOS phones can disable the contact-syncing option by changing the contacts setting on their phones, the Android mobile platform does not offer any comparable setting. Similarly, the Android platform does not allow users to modify data location settings for individual apps—so if a user wants to bar Uber from tracking a user’s location while the app was running in the background, the user would need to turn off location data for all apps. Again, however, Uber will notify customers before it begins tracking their information in the background, so that they have the option of opting out. The complaint also says that by sending unsolicited texts to customers and people on their contact lists, Uber may be violating the Telephone Consumer Protection Act (TCPA).
The policy explains:
IMPORTANT INFORMATION ABOUT PLATFORM PERMISSIONS
Most mobile platforms (iOS, Android, etc.) have defined certain types of device data that apps cannot access without your consent. And these platforms have different permission systems for obtaining your consent. The iOS platform will alert you the first time the Uber app wants permission to access certain types of data and will let you consent (or not consent) to that request. Android devices will notify you of the permissions that the Uber app seeks before you first use the app, and your use of the app constitutes your consent…
Additionally, even when a customer has opted out of tracking, the revised policy would allow Uber to track customers based on their IP addresses. According to the complaint, this is an unfair business practice because users are not given the option of opting out of this kind of tracking.
Once the new policy takes effect, Uber will be able to collect and store various information about its users, including: location data, contact information, transaction information, usage and preference information, device information and information regarding calls and messages between riders and drivers. Notably, Uber is not unique in accessing this kind of data—it is common, for example, for apps to track customers’ locations based on their IP addresses. Because apps in many industries regularly access the kinds of data being used by Uber, and because of the current lack of regulations in this area, any action that the FTC may decide to take will likely have effects extending outside of the rideshare industry.
The FTC has not yet indicated whether it is investigating Uber’s practices. That said, the Commission has shown an increased interest in privacy issues surrounding peer-to-peer businesses. Earlier this month, for example, the Commission hosted a workshop entitled “The Sharing Economy,” which examined competition, consumer protection and economic issues arising in the sharing economy and considered whether and how existing regulatory frameworks can be responsive to sharing economy business models while maintaining appropriate consumer protections.