Uber has agreed to settle accusations by America's top consumer protection agency that the ride-hailing company failed to protect consumers' sensitive data, a misstep that allowed employees to access rider and driver information and led to a data breach in 2014 that exposed thousands of drivers' names and license numbers.
The settlement with the Federal Trade Commission does not require Uber to pay to settle the allegations, the agency said. The San Francisco company is required to hire an outside firm to audit its privacy practices every two years for the next two decades, and violations of the settlement could lead to financial penalties.
The agreement reflects Uber's latest attempt to move past its troubled history and recent crises, which have been marked by Travis Kalanick's resignation as chief executive, the departures of other top executives and an investigation into what some called a toxic workplace culture.
One source of the FTC's concern was an Uber program known as God View, which enabled company employees to monitor the real-time locations of customers who had requested a ride on the service. The existence of God View caused an uproar in 2014, and Uber soon released a privacy statement to say it maintained a "strict policy" that prevented employees from inappropriately spying on customers.
But the FTC said in its complaint that Uber misled the public about its efforts to stop any snooping. Despite building an automated system to police employees' access to God View, Uber abandoned the tool after less than a year and "rarely monitored" how employees were subsequently using God View, according to the FTC. The agency's investigation began shortly after news reports emerged about God View, but it does not cover later privacy-related revelations about tools such as Greyball, which Uber has used in some cases to track and circumvent regulators.
The FTC also said Uber failed to implement basic security practices, such as two-factor authentication, that could have kept Uber's driver data from leaking. Customer information, including location data, also was stored online in an unencrypted format, according to the agency — a state that can make the information easier for hackers to misuse.
Uber said that the allegations date to 2014 and that before the government complaint, it had already put safeguards in place to protect data. Since then, it said, it has strengthened privacy and data security and will keep investing in security programs.
"This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information," Uber said in a statement.
Maureen Ohlhausen, the FTC's acting chairwoman, said the settlement will force Uber to "take privacy into account every day."
"Companies will be held accountable for their promises," Ohlhausen said. "This is the only way we can foster true competition on privacy practices in the marketplace."
The FTC voted 2 to 0 to accept the agreement. The public will be able to comment for 30 days, after which a final decision will be made.
Fung writes for the Washington Post. The Associated Press was used in compiling this report.
3:43 p.m.: This article was updated with comment from Uber and additional details.