FTC announces expanded settlement with Uber, WPF comments included

The FTC finalized an expanded settlement with Uber, Inc. regarding the company’s data security practices. According to the FTC complaint, in the midst of the Commission’s original investigation, Uber experienced a second serious breach and waited more than a year after learning of the breach before informing the public or the Commission. The World Privacy Forum submitted two sets of comments to the FTC regarding the Uber breach, urging the Commission to adopt a privacy program with rigorous audits set to clear benchmarks, and to make the results of the audits available publicly in a proactive manner.

The expanded settlement has now outlined specifics of certain elements to be included in a privacy program, which greatly assist with creating audits and benchmarking future data security and data protection activities. WPF had also requested that audits be made public. The settlement allows for the audits to be made public by Freedom of Information Act requests.

FTC Commissioner Rohit Chopra responded directly to World Privacy Forum’s comments saying in a statement:

“In particular, I agree with World Privacy Forum and EPIC that the Commission should make required audits and assessments public, subject to appropriate redactions. The FTC has responded to this comment by stating that these documents are available by filing a Freedom of Information Act request, but proactive disclosure would be superior, given the public interest in keeping this company in compliance.”

WPF is pleased with the improvements in the requirements for the privacy program, and is pleased to see that Commissioner Chopra supports moving toward more proactive disclosure of data practices.