Lessons from Airbnb and Uber privacy incidents: Gaining trust through privacy compliance

19 February 2015

The privacy of our personal information has, in many respects, become a commodity to be traded for goods and services: If you receive goods or services for free, it is you (or your personal information) that is the product.  

But, as social sharing companies like Airbnb and Uber have discovered, as individuals become more privacy-aware, they are increasingly reluctant to hand over personal information unless they trust that it will be protected and properly handled.

A strong privacy compliance program and corporate culture of valuing privacy go a long way to gaining and maintaining user trust. 

Lessons from Airbnb and Uber privacy “incidents”

The privacy concerns of an Australian Airbnb user (triggered by a request from the platform to upload a personal video) have been widely reported in the press and on social media. 

Airbnb’s Australian manager has reportedly justified the “video policy” on security grounds and assures users that the videos are used for “verification purposes”.  

Uber ran a similar argument last year, when privacy concerns over the service were raised (in particular, that Uber staff had access to the locations of prominent Uber customers). Uber sought to reassure users as to the limited access rights for its employees. 

Whether or not the privacy concerns are well-founded, the extensive media coverage has potentially caused reputational damage to the companies and undermined user trust in their platforms. 

And trust, as sites like Airbnb and Uber know, is critical to the success of platforms which rely on the open sharing of users’ personal information. Uber openly declares that “[its] business depends on the trust of the riders and drivers that use our technology and platform”. 

The challenge for Airbnb, Uber and other social sharing sites is how to unlock the commercial value in the data collected through the platform, whilst maintaining user privacy (and, as a result, user trust). The answer lies, at least in part, in privacy compliance.

Trust is hard to gain, easy to lose

Platforms and services that rely on user trust need to clearly demonstrate a robust privacy compliance program and a corporate culture that values the privacy of its users’ personal information. 

This does not mean that social sharing sites should not use or disclose personal information. On the contrary, users of social sharing sites need to accept that the underlying commercial model means that there is a trade-off: free goods or services in exchange for a sharing of personal information. 

It is the terms of that trade-off that need to be explicit and brought to the attention of the user prior to account opening and whenever there is a change in privacy practices. 

To gain (and maintain) trust, the operator must be open and honest about what happens to users’ personal information collected through the platform. 

Do Australian privacy laws apply to social sharing sites?

The operator of a social sharing site with an “Australian link” will need to comply with the Australian Privacy Act. 

An “Australian link” includes, according to the OAIC guidelines, operating a website that offers goods or services to Australia and collecting personal information from an individual located in Australia. 

This means that a social sharing site marketed to Australian users will need to ensure that it is open and transparent about its privacy practices, as well as complying with the remaining Australian Privacy Principles more generally.

Stating in a privacy policy that personal information is used for “security reasons”, “internal business purposes” or “product development purposes” is unlikely to be considered “open and transparent”. 

Perhaps more importantly, opaque descriptions of privacy practices are also unlikely to foster trust among users in how their personal information is protected. 

Gaining trust through privacy compliance

Given the volume of people using social sharing sites, and the sensitive nature of personal information that is shared (including drivers’ licence and passport details), users want to know how their personal information will be used and that proper privacy controls are in place (as well as having an avenue for legal redress when these controls fail). 

A robust privacy compliance program is key to demonstrating commitment to users’ privacy. It should include:

  1. A corporate culture that values privacy compliance. This culture is most effective if led from the top and with high levels of employee engagement and training.
  2. Robust data security controls, practices and procedures. This includes physical and electronic security measures, together with proper due diligence and management of third party suppliers or partners. 
  3. A privacy policy and privacy “tool kit” on the site that is easy and quick to find and understand. The privacy tools should clearly articulate all purposes for which the collected personal information will be used and disclosed. If there is an unexpected usage (for example, that all communications by users over the platform will be accessed by the site operator, or tracking technology is used) then this should be brought to users’ attention. 
  4. A clear and known data breach response plan that can be quickly implemented, together with open and prompt communications.

As well as engendering trust among users, this approach will also assist operators in complying with Australian privacy laws.

The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.

Helen Clarke

Partner, Brisbane
+61 7 3228 9818