
Sen. Franken to Lyft: Explain Your Data Privacy Policies

After Pressing Uber Last Month, Senator Wants Car Service Lyft to Clarify Consumer Privacy Safeguards

Tuesday, December 2, 2014

Today, U.S. Sen. Al Franken (D-Minn.) asked Lyft—a company that connects riders with drivers-for-hire using a GPS-based mobile app—to explain its data privacy policies and to ensure that consumers' sensitive geolocation information is protected.

In a letter sent today, which you can read here or below, Sen. Franken asked the CEO of Lyft to explain the company's privacy policies, how those policies are being communicated to employees and affiliates as well as customers, and whether they are being appropriately enforced. At least one journalist has reported that her Lyft trip log was accessed on multiple occasions by Lyft executives without requesting her permission and without any apparent legitimate business purpose.

"In recent weeks, there has been increased public awareness and concern about the ways in which self-described 'ridesharing' or transportation network companies treat the information entrusted to them by their customers, including sensitive geolocation data," wrote Sen. Franken in his letter. "Consumers must be able to make informed decisions about whether and with whom they share personal information, and must be assured that when such information is shared that it will receive the utmost protection. In few places is the importance of this as apparent as with companies, such as Lyft, that employ new technologies and rely on the transmission of sensitive data."

Late last month, Sen. Franken pressed the car service Uber to clarify its data collection practices. He also asked Uber to explain how widely it uses its so-called "God View," which reportedly allows Uber's corporate employees to track riders' locations. In the wake of this, Lyft quietly changed its own privacy policy.

Sen. Franken has long been an advocate of protecting consumers' privacy, especially in light of new technologies. Earlier this year he reintroduced his Location Privacy Protection Act, which would ban so-called stalking apps once and for all and give consumers more control over their private location information.

You can read Sen. Franken's letter to Lyft here or below.

December 2, 2014

Mr. Logan Green
Chief Executive Officer
Lyft

Dear Mr. Green:

I am writing to inquire about Lyft's privacy policies. In recent weeks, there has been increased public awareness and concern about the ways in which self-described "ridesharing" or transportation network companies treat the information entrusted to them by their customers, including sensitive geolocation data. Consumers must be able to make informed decisions about whether and with whom they share personal information, and must be assured that when such information is shared it will receive the utmost protection. In few places is the importance of this as apparent as with companies, such as Lyft, that employ new technologies and rely on the transmission of sensitive data.

I understand that Lyft has recently revised its internal policy regarding employees' and contractors' access to user data. Your spokesperson Erin Simpson has stated that "new technical restrictions" have been imposed to limit access to customer data to only those employees "who need [the information] to do their jobs."[1] Because the privacy policy available on your website (https://www.lyft.com/privacy) does not discuss these restrictions, I am contacting you for more information. In particular, I am concerned that it remains unclear which categories of employees continue to have access to ride location data and the circumstances in which their use of that data is considered proper.

It is critically important that sound privacy policies are not only established but are also adequately communicated to employees and affiliates, as well as customers, and are appropriately enforced. I am particularly concerned about this in light of reports of past conduct suggesting inadequate regard among Lyft executives for customers' privacy. At least one journalist has reported that her trip log was accessed on multiple occasions by Lyft executives without requesting her permission and without any apparent legitimate business purpose.

In light of these concerns, I respectfully request that you address the following questions:

 

  1. Your spokesperson has stated that steps have been taken to restrict access to customers' data, including location data, to a subset of employees. To whom is access still available and what circumstances qualify as proper use of such data? Where do you provide this information to consumers? 
  2. By accessing a journalist's trip data did executives violate past policies? If they did, to what do you attribute the failure? Under your current policies, is such conduct prohibited? 
  3. What training is provided to employees, as well as contractors and affiliates, to ensure that Lyft's current policies, as well as relevant state and federal laws, are being followed? How has this training been improved in light of recent developments?
  4. What mechanisms do you have in place to monitor for improper use of customer data by employees? Are customers informed if their information has been improperly accessed?
  5. Your spokesperson has suggested that abiding by restrictions on user data is a condition of employment. Under what circumstances would an employee face disciplinary action or termination for a violation of Lyft's privacy policies? Have any disciplinary actions been taken on this basis? 
  6. Your privacy policy states that "to preserve the integrity of [Lyft's] databases," you retain customers' data indefinitely. Why is it necessary to retain trip information indefinitely? In particular, when an account is terminated, why isn't all related information deleted as soon as pending charges or other transactional disputes are resolved?
  7. Your privacy policy states that you may disclose customers' personal information and demographic information (such as "browsing history," "searching history," and other "ride transaction information") on a "non-anonymous basis" to "protect the interests" of Lyft. What does this mean? 
  8. In the same paragraph, the policy states that you may disclose all of this information to your "subsidiary and parent companies and business, and other affiliated legal entities and businesses with whom [Lyft is] under common corporate control." Why aren't any limitations imposed on this sharing? 
  9. Your privacy policy also states that customer data may be shared with advertisers on an "anonymous and aggregated basis." Why aren't customers asked to affirmatively consent to this use of their information? Are customers able to opt out of this information sharing?
  10. Your policy states that third parties offering or sponsoring products or services on the Lyft Platform need not comply with Lyft's privacy policy. What are some examples of such third parties? Do you impose any minimum standards in evaluating the privacy policies of those parties? 


I would appreciate responses to these questions by December 31, 2014.

 

 

Official Web Site of Sen. Al Franken