Uber tapped security-focused law firm Hogan Lovells to independently review its privacy practices. This audit is a review of the policies at Uber and not a technical review. Instead of looking at how Uber actually stores or accesses user data, Hogan Lovells interviewed employees and reviewed Uber’s written privacy standards.
The audit offers Uber ten suggestions for how to tweak its policies. Largely, Hogan Lovells recommends that Uber actually “formalize” many of its privacy controls and policies, including:
- Developing a plan for regularly reviewing privacy policies and practices.
- Creating privacy policies related to new products.
- Tracking interactions with third parties and regularly reviewing their compliance with consumer data policies.
- Creating a vendor management plan.
- Adding procedures to make sure that personally identifiable information related to closed accounts has been deleted.
The firm also said Uber should ensure senior leadership sets the “appropriate tone” for employees and consumers, so they can better understand what the privacy policies are. Hogan Lovells also emphasized that as Uber grows as a company, it should further refine which employees have access to consumer data.
“Uber should continue developing more advanced solutions to appropriately limit access to consumer data as the company moves forward,” says Harriet Pearson, the lead investigator on the audit, during a question-and-answer session with the press.
In response to the audit, Uber says it will comply with all ten of the report’s recommendations. Specifically, the company says it will roll out specialized mandatory training for employees on how to handle consumer data; update its privacy policies to be more transparent about data collection practices; and finally, implement both technical and policy measures to ensure employees handling user data are authorized to do so.