Privacy Rules for Uber

The Uber Technologies Inc. logo is displayed on the window of a vehicle after dropping off a passenger at Ronald Reagan Natio
The Uber Technologies Inc. logo is displayed on the window of a vehicle after dropping off a passenger at Ronald Reagan National Airport (DCA) in Washington, D.C., U.S., on Wednesday, Nov. 26, 2014. Uber Technologies Inc. investors are betting the five-year-old car-booking app is more valuable than Twitter Inc. and Hertz Global Holdings Inc. Photographer: Andrew Harrer/Bloomberg via Getty Images

Uber provides a convenient service that is gaining popularity across the country. Investors have also signaled support for the company's business model, setting its worth at more than $40 billion. But the recent outcry over privacy, news of the "God View," and the threats to journalists reveal a problem that will not solve itself: There should be privacy law to regulate Uber and other companies in the ride-sharing industry.

Why a privacy law? Uber collects far more detailed information than was ever gathered before. In the early days, most people paid for cabs with cash. Transportation was essentially anonymous. Manifests were kept for auditing purposes. That changed with the introduction of credit card readers in cabs, but even with credit payments, cab companies rarely kept detailed date and location data on passengers. Records were handwritten. The world was not yet digital.

All of that changed with Uber, essentially an app-based service that matches drivers and passengers. The business model is clever and the experience of most passengers is favorable. The app model is also a data vacuum, gathering detailed information about users and drivers that that the company controls. Much of the data collection is excessive. For example, Uber understandably collects name, phone number, and credit card information to provide the service. But the Uber privacy policy also reveals that the company collects the IP addresses, manufacturers, and operating systems of users' phones. Uber collects information about the mobile web browsers used by its customers, exchanges data with advertisers, and tracks users across the internet.

Users are also unlikely to know about Uber's collection of location data. For instance, every passenger in a shared ride can access the location of the car, even after being dropped off. And Uber's privacy policy describes the use of user location data for targeted advertising.

And then there is "the God View." Apparently the managers at Uber can, at any time they choose, track who is in an Uber vehicle, where the passenger lives and where the passenger is going. That's just creepy.

Nothing in the privacy policy provides much in the way of privacy protection for users. That is not really surprising. Privacy policies are the fine print that companies post so that they can use the information they collect in the ways that they would like. That works well for the company, but for the Uber passenger it provides little assurance.

What is to be done? Congress or the states -- or both -- should pass privacy legislation to regulate the use of personal data collected by Uber. Of course, there is no need to single out Uber; other companies that provide similar services should be covered.

What would the law do? First, Uber would be limited in the type of personal information it can collect. Payment information is obvious, as is travel information. But beyond those categories, the burden would be on Uber to justify the collection of personal data. Second, Uber would be required to delete passenger information after it was no longer needed. It seems obvious that once the ride is completed, Uber should delete the travel records. Third, users should be able to access at any time a complete record of all of the information Uber has about them: all of the records and logs and advertising promotions. If Uber has information about passengers, they should know what Uber knows.

Also, there should be clear legal limits on the use of "God view." Telephone companies have the right to monitor telephone communications to assess line quality and improve service. But those companies face serious legal penalties for simply listening in on the conversations of their customers. So, too, Uber may have in some circumstances the need to use God view to protect the safety of the passenger or the driver. But any use of that feature to track or stalk passengers should be prohibited by law. And all of these legal rights should be backed with meaningful fines if the company crosses the line.

Passengers of course would be free to keep whatever information about their Uber service they wish. Passengers could also choose to disclose travel records and experiences with other users. But those decisions should be made by the passengers, not by the companies. That data belongs to the passengers, not the companies.

Passing privacy legislation for the ride-sharing industry will not solve all the problems. There are also legitimate concerns about the impact of Uber on the regulated taxi industry, the safety of Uber passengers, and the liability of drivers. But the collection of detailed information on Uber passengers is a real problem that can no longer be ignored. Uber may be big, but it is not God.

Time to enact the Rideshare Privacy Act of 2015.

Marc Rotenberg is President of the Electronic Privacy Information Center in Washington, D.C., and teaches privacy law at Georgetown University. Julia Horwitz is EPIC Consumer Protection Counsel.