Data Collection Policy Prompts Privacy Concerns

    Jul 22, 2015

    On July 15, Uber’s new policy overhauling its customer data collection practice took effect, prompting a complaint from the Electronic Privacy Information Center (EPIC). 

    Uber’s new policy allows it to collect detailed information about its users and their contacts and to approximate customer locations based on nearby networks, even if users opt out of location sharing. The changes also allow Uber to store user data long-term and to send ads to customers’ contacts without notification. (A previous policy update reduced the use of Uber’s controversial “God mode” tool, which allowed its employees to view the locations of users at any time.)

    According to Legaltech News, one of the risks associated with the updated policies includes Uber’s ability to collect information about when a customer’s home will be unoccupied. This information also could be used to triangulate the details of users’ private lives, making them possible targets of social engineering attempts.

    The San Francisco-based company is no stranger to criticism over its collection of customer data, and EPIC has asked the Federal Trade Commission to bar certain provisions of Uber’s updated policy. But, Legaltech News said, “the proverbial genie of private information collection has long been out of the bottle and new efforts from Uber are more a sign of things to come than an onerous harbinger of privacy abuse.”

    Consumers are paying attention. In a survey released in May by Pew Research, 93% of adults said they consider it important to be in control of who can get information about them. But 91% said they have not made changes to the services on their phones or computers to prevent companies from collecting their personal information. And companies are not shying away from collecting as much personal information as they can, experts warn.

    Robert Neivert, chief operating officer of, told Legaltech News that he expects “companies to continue to push the boundaries of what they can get in terms of personal data, and only when there is backlash will this stop.”

    As for Uber, in a blog related to the policy changes, Managing Counsel Katherine Tassi said, “We care deeply about the privacy of our riders and drivers. It’s why we’re always looking at ways to improve our practices. In the last few months we have doubled the size of our privacy team, overhauled our data protection training for employees, published an external review of our privacy program and hired Joe Sullivan, a former cybercrime prosecutor, as our chief security officer.”

    “Consumers and privacy advocates aren’t the only ones who should be paying attention,” says Diane K. Carlisle, IGP, CRM, ARMA International’s executive director of content. “Information governance (IG) professionals have a responsibility to address their organizations’ data-handling issues related to such stores of information. The Legaltech News article highlights the privacy concerns quite well,” she said. “But the issues go further than that.”

    With the significant quantity of information Uber has on both riders and drivers, both of these groups need to know what its data retention and disposition policies and practices are. How secure is the information it is retaining? Does Uber have the technology in place to prevent unauthorized access to and hacking of the information? Depending on how Uber is managing and protecting this information, all of these individuals could be at risk.

    IG professionals should explore why their own organizations are retaining customer and employee information. If there is a legitimate business purpose, they need to ensure that appropriate policies and protections are in place and maintained. But, if the information is being kept “just in case,” IG professionals should point out the potential risks this creates for the organization and recommend that the information be retained for as little time as possible once the applicable legal, regulatory, and business needs have been met.

    The web seminar “Reduce Risk Through Privacy Compliance: The RIM Leadership Role” from ARMA International’s 2014 conference is a good introduction to several of these issues. Check this out at the link above, and while on the ARMA bookstore site, explore the many other resources available on the topics of privacy, records retention, and establishing policies for an IG program.

    Read more:
    © 2017, ARMA International