Today, U.S. Sen. Al Franken (D-Minn.) asked Lyft—a company that connects riders with drivers-for-hire using a GPS-based mobile app—to explain its data privacy policies and to ensure that consumers’ sensitive geolocation information is protected.
In a letter sent today, which you can read here or below, Sen. Franken asked the CEO of Lyft to explain the company’s privacy policies, how those policies are being communicated to employees and affiliates as well as customers, and whether they are being appropriately enforced. At least one journalist has reported that her Lyft trip log was accessed on multiple occasions by Lyft executives without requesting her permission and without any apparent legitimate business purpose.
There are three things I like about this interaction. First – I like policy that protects consumers. Most of us don’t have time to check into these sorts of things. I am glad there are policymakers who make time. Second – I’m not a Lyft user, but I do use its competitor Uber, so I feel like I have a dog in this fight. Rideshare programs have your credit card info. And depending on how often you use the service, it wouldn’t take long to learn an awful lot about a user – such as a home address (or at least where you go at the assumed end of your day), places and times frequented and whether you travel alone or with others. That’s a lot of information to have!
- Your spokesperson has stated that steps have been taken to restrict access to customers’ data, including location data, to a subset of employees. To whom is access still available and what circumstances qualify as proper use of such data? Where do you provide this information to consumers?
- By accessing a journalist’s trip data did executives violate past policies? If they did, to what do you attribute the failure? Under your current policies, is such conduct prohibited?
- What training is provided to employees, as well as contractors and affiliates, to ensure that Lyft’s current policies, as well as relevant state and federal laws, are being followed? How has this training been improved in light of recent developments?
- What mechanisms do you have in place to monitor for improper use of customer data by employees? Are customers informed if their information has been improperly accessed?
- Your spokesperson has suggested that abiding by restrictions on user data is a condition of employment. Under what circumstances would an employee face disciplinary action or termination for a violation of Lyft’s privacy policies? Have any disciplinary actions been taken on this basis?
- In the same paragraph, the policy states that you may disclose all of this information to your “subsidiary and parent companies and business, and other affiliated legal entities and businesses with whom [Lyft is] under common corporate control.” Why aren’t any limitations imposed on this sharing?
Random side note – studies have shown that consumers look for privacy policies on websites before they buy but rarely read them. If you have an ecommerce site it makes sense to have a privacy policy in place. If you are buying online – it makes sense to start reading policies and think of Franken’s shortlist of questions as you do!