‘I have read and agree to the terms’ is commonly regarded as one of the biggest lies on the Internet. In 2014, a company called F-Secure put this to test and set up a free Wi-Fi hotspot in London. One of the terms for accessing the Wi-Fi was for users to assign their firstborn child to the company for eternity. People still signed up. Fortunately, the company decided not to enforce this condition.

Terms of use agreements, which also include privacy policies, usually run into multiple pages and are extremely dense, making it hard for users to understand how their personal information is collected, used and disclosed. This post looks at Uber’s privacy policy to understand its information practices, making it our second attempt to simplify privacy policies of popular companies. Uber is a transportation aggregator that allows users to connect with drivers through its technology platform. Understanding the company’s use of personal information is critical in light of its recent practice to charge users differently, based on what they’re ‘willing to pay’.

The policy has been analysed against the privacy principles recommended by the 2012 Report of the Group of Experts on Privacy (‘2012 Report’). These principles stem from internationally recognised data protection norms that form the basis of several regional and national data protection frameworks.

The underlying principle, that is ‘notice’, requires companies to make their information practices known in an easily accessible manner, allowing users to make an informed choice. This includes informing users of policy changes and notifying them in the event of a data breach. Uber’s policy is to notify users only in the instance that there have been significant changes to its practices. It requires users to opt-out if they disagree with the changes, rather than giving them the option to opt-in. It is also completely silent on data breach notifications, signifying that users don’t have a right to know if their information has been compromised. This has serious ramifications for a user’s privacy in light of the extent of personal information collected.

Uber collects the following information from users who sign up to use its service –

• Information Collected Directly From Users – At the time of creating or modifying an account, Uber collects a user’s name, email and phone number. It may also collect their postal address and payment information, among other information voluntarily provided.

• Information Collected Through Use of Uber’s Services –
• Location – Uber collects location information from a user’s device, the Uber application being used by the driver as well as through a user’s IP address and Wi-Fi signal. Pertinently, Uber collects this information even when the app is running in the background, and not merely during the course of a trip. Even if a user chooses to deny permission to access location information from their device, Uber will continue to receive this information through the other sources mentioned.
• Contacts – Subject to granting permission on her device, Uber may collect and store a user’s contact list. iOS users can choose to disable this permission at any stage, even after initially permitting the collection of this information. However, the policy states that the Android platform does not allow users to revoke access in the same manner.
• Transaction Information – Uber collects information related to the type of service requested, the date, time and amount paid for each ride and other related information.
• Usage and Preference Information – Uber collects information to understand a user’s preferences and remember her settings. This may be through cookies (a small text file placed on one’s device by the app/website) or pixel tags (a block of code on a website allowing it to retrieve certain information about one’s device/browser). Uber’s Cookie Policy explains that it allows certain third parties (such as Google and Facebook) to place cookies on a user’s device to help deliver its services and for advertising purposes.
• Device Information – Information about a user’s mobile device, such as their operating system, hardware model, unique device identifier and mobile network information is collected. Even such innocuous information could lead to unfavourable outcomes for users. For example, reports indicate that Uber has discovered that the battery level of a user’s phone indicates their willingness to pay a higher amount for the same ride.
• Call and SMS Data – To facilitate communication between riders and drivers, Uber collects date and time information related to a call or SMS and the content of the SMS message.
• Log Information – Information such as IP address, the date and time for using the application, and the features or pages viewed is collected.

• Information from ‘Other Sources’ – Uber may also receive information from other sources and combine it with information it collects directly. These other sources include using a social media service (such as Facebook) to create an account, a user’s employer if the latter avails of services such as ‘Uber for Business’ or ratings from drivers.

As per the principle of collection limitation, entities must only collect personal information that is necessary for their stated purposes. As seen above, Uber collects extensive personal information, not all of which is directly related to its purpose of providing users with a transportation facility. Besides these, it also collects specific information from one’s device by seeking access to a user’s media files or calendar, among other things. However, these permissions can be denied. More information can be found here (for Android users) and here (for iOS users).

The 2012 Report also recommends that companies allow individuals to access their personal information and amend or modify it, if it is inaccurate. This right extends to obtaining a copy of all personal information held by the company. Uber allows modification or deletion of a user’s account through its mobile application and website. The right to obtain a copy of one’s information or delete some of it is circumscribed to the rights of individuals under ‘applicable law’. Under Indian law, the access and correction principle is restricted to sensitive personal information only. In the context of information collected by Uber, this is only likely to include passwords and financial information.

The principle of purpose limitation requires information to be collected for specific and explicitly stated purposes and prohibits its recycling for newer purposes. The policy states six distinct purposes. Some are clearly defined – such as facilitating communication between users and drivers or users and their contacts (to split fares etc.), but some are more vaguely drafted. An example of the latter is sending communications the company thinks ‘will be of interest to you’ regarding ‘products, services, promotions, news and events of Uber and other companies’. A user may opt-out of such promotional communication by following the instructions on the message itself.

Besides this, Uber uses the information collected by it to provide and improve its services such as facilitating payments and developing new features. It also uses this information to conduct data analysis, research and monitor how users are using its services.

Besides sharing certain basic and essential personal information with drivers, Uber also shares information with other riders if a user is availing a ride-sharing option like UberPool. Third parties also receive information if users avail of Uber services through a promotion or partnership between a third party and Uber. For workplaces using services like Uber for Business, personal information may be shared with relevant third parties, such as a user’s employer.

If users use social sharing features integrated onto the Uber platform, personal information is shared with that service as well. Uber also allows its advertising partners to track the performance of their ads by placing cookies on a user’s device.

Uber also reserves the right to share personal information with –

• Its subsidiaries and affiliated entities that process data on its behalf. It does not however, identify these entities.
• With any vendor, consultant, marketing partner or service provider that it contracts with to carry out work on its behalf. This clause suffers from vagueness and fails to give individuals an idea about who may have access to their information.
• Any competent authority under law or law enforcement officials and government authorities.
• Any entity as required in the course of a sale, merger, consolidation or acquisition of the company’s business by or into another company.
• Anyone, subject to a user’s consent
• Anyone, in an aggregated or anonymised form where identification is not reasonably possible. Research indicates big data analytics is making re-identification of anonymised data easier. This renders personal information vulnerable under this clause.

Additionally, the policy makes no mention of security standards or procedures undertaken by Uber or its affiliates to safeguard personal information. Under the 2012 Report, the principle of security requires companies to adopt reasonable security safeguards to protect against loss, unauthorised access, destruction, use or disclosure of personal information.

Overall, Uber’s privacy policy is relatively accessible. It breaks down complex terms and processes and gives illustrations at various points. However, as pointed out, it also suffers from overbreadth and vagueness at many places.

Lastly, the principle of accountability requires that companies be held accountable for compliance with privacy principles. An important aspect of accountability is appointing a grievance redressal officer for addressing privacy concerns. The policy provides users with an email () as well as a postal address for raising their privacy concerns. However, enforcing these commitments is difficult in the absence of a data protection legislation. The existing rules under the Information Technology Act 2000 only protect sensitive personal information, excluding a large category of valuable information collected by private corporations. This leaves users with very few remedies if companies fail to live up to their promises. As data collection by corporations becomes more ubiquitous, the need for a robust privacy legislation becomes harder to ignore.

This post is based on the privacy policy that came into effect on 15 July 2015, as available at https://www.uber.com/en-IN/legal/privacy/users/en/ on 23 May 2017.