Elements of an effective privacy policy courtesy of Senator Al Franken


According to a press release from Senator Franken’s office, he is talking with Lyft about their privacy policy. Lyft is a rideshare program – and apparently there have been problems with Lyft’s privacy policy – in terms of how much access they provide to information about their customers and how they communicate their privacy policy to customers…

Today, U.S. Sen. Al Franken (D-Minn.) asked Lyft—a company that connects riders with drivers-for-hire using a GPS-based mobile app—to explain its data privacy policies and to ensure that consumers’ sensitive geolocation information is protected.

In a letter sent today, which you can read here or below, Sen. Franken asked the CEO of Lyft to explain the company’s privacy policies, how those policies are being communicated to employees and affiliates as well as customers, and whether they are being appropriately enforced. At least one journalist has reported that her Lyft trip log was accessed on multiple occasions by Lyft executives without requesting her permission and without any apparent legitimate business purpose.

There are three things I like about this interaction. First – I like policy that protects consumers. Most of us don’t have time to check into these sorts of things. I am glad there are policymakers who make time. Second – I’m not a Lyft user, but I do use its competitor Uber, so I feel like I have a dog in this fight. Rideshare programs have your credit card info. And depending on how often you use the service, it wouldn’t take long to learn an awful lot about a user – such as a home address (or at least where you go at the assumed end of your day), places and times frequented and whether you travel alone or with others. That’s a lot of information to have!

Finally, and perhaps most usefully here, in the letter Franken asks Lyft to consider a series of questions related to customer privacy, communication and the measures in place for ensuring privacy. It’s a great outline for what you ought to include in a privacy policy.

  1. Your spokesperson has stated that steps have been taken to restrict access to customers’ data, including location data, to a subset of employees. To whom is access still available and what circumstances qualify as proper use of such data? Where do you provide this information to consumers?
  2. By accessing a journalist’s trip data did executives violate past policies? If they did, to what do you attribute the failure? Under your current policies, is such conduct prohibited?
  3. What training is provided to employees, as well as contractors and affiliates, to ensure that Lyft’s current policies, as well as relevant state and federal laws, are being followed? How has this training been improved in light of recent developments?
  4. What mechanisms do you have in place to monitor for improper use of customer data by employees? Are customers informed if their information has been improperly accessed?
  5. Your spokesperson has suggested that abiding by restrictions on user data is a condition of employment. Under what circumstances would an employee face disciplinary action or termination for a violation of Lyft’s privacy policies? Have any disciplinary actions been taken on this basis?
  6. Your privacy policy states that “to preserve the integrity of [Lyft’s] databases,” you retain customer’s data indefinitely. Why is it necessary to retain trip information indefinitely? In particular, when an account is terminated, why isn’t all related information deleted as soon as pending charges or other transactional disputes are resolved?
  7. Your privacy policy states that you may disclose customers’ personal information and demographic information (such as “browsing history,” “searching history,” and other “ride transaction information”) on a “non-anonymous basis” to “protect the interests” of Lyft. What does this mean?
  8. In the same paragraph, the policy states that you may disclose all of this information to your “subsidiary and parent companies and business, and other affiliated legal entities and businesses with whom [Lyft is] under common corporate control.” Why aren’t any limitations imposed on this sharing?
  9. Your privacy policy also states that customer data may be shared with advertisers on an “anonymous and aggregated basis.” Why aren’t customers asked to affirmatively consent to this use of their information? Are customers able to opt out of this information sharing?
  10. Your policy states that third parties offering or sponsoring products or services on the Lyft Platform need not comply with Lyft’s privacy policy. What are some examples of such third parties? Do you impose any minimum standards in evaluating the privacy policies of those parties?

Random side note – studies have shown that consumers look for privacy policies on websites before they buy but rarely read them. If you have an ecommerce site it makes sense to have a privacy policy in place. If you are buying online – it makes sense to start reading policies and think of Franken’s shortlist of questions as you do!