The Federal Trade Commission (FTC) is seeking tough new restrictions against Drizly, the alcoholic beverage delivery platform owned by Uber, according to reporting from CNN Business.
US regulators at the FTC allege repeated security failures at Drizly that compromised the data of 2.5 million people.Â
The case sheds light on the extensive data collection practices and the insufficient protection measures Drizly and Uber have taken so far to protect the data of their customers seeking to buy alcohol online.
The Federal Trade Commission announced the action against Drizly, a Boston-based subsidiary of Uber that delivers beer, wine and liquor in states where on-demand alcohol delivery is legal. Drizly and Uber partner with retailers in hundreds of cities around the US.
The proposed order against Drizly would force the company to improve up its cybersecurity and limit its data collection practices, a common requirement in FTC privacy orders, according to CNN Business.
The proposed consent agreement with the FTC names Drizly CEO James Cory Rellas specifically, according to reporting by Fortune. This is a significant step that imposes binding obligations on Mr Rellas and all of his future business activities, at Drizly or otherwise. The regulators allege that the company and Mr. Rellas were alerted to security problems two years before the 2020 breach yet failed to act to protect consumers’ data.
Drizly would also be required to delete any data it holds on consumers that isn’t strictly necessary for it to run its service, the FTC said in a release.
Better consumer protection from predatory data collection practices
The Drizly order reflects recent promises by top FTC officials to use novel remedies — such as forcing businesses to destroy “ill-gotten data” — in the agency’s increasingly tech-focused work, as well as vows to hold individual executives personally accountable if they’re found to be responsible for illegal conduct that harms consumers.
According to the FTC, Drizly — which Uber acquired last year — had been aware of its cybersecurity problems since 2018, after hackers gained access to Drizly employee credentials that then allowed them to use Drizly’s cloud computing accounts to mine cryptocurrency. In another incident in 2020, a hacker compromised Drizly’s corporate network and stole customer data. At least some of that personal data was then offered for sale on underground hacker forums, according to the FTC.Â
Drizly agreed to put in a comprehensive data security program and said it would establish security safeguards. The alcohol delivery platform promised to limit future data collection or storage to that which is necessary for specific purposes. It will also destroy unnecessary data.
Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s bureau of consumer protection.
CEOs who take shortcuts on security should take note.”
Samuel Levine, Director, FTC’s Bureau of Consumer Protection
The proposed consent agreement will be opened to public comment for 30 days, after which the FTC will decide whether to make it final, according to Fortune reporting.
FTC orders have come under mounting scrutiny in recent years, particularly after Twitter’s former head of security came forward with a whistleblower report alleging that the company had never been on track to comply with its FTC obligations.
Since then, FTC Chair Lina Khan has told lawmakers the agency is increasingly interested in naming executives in consent orders as a way to ensure businesses are held accountable, according to CNN Business reporting.
As part of the Drizly order, Mr. Rellas will have to implement cybersecurity programs at any future business he works for where he is CEO or majority owner and where the business collects personal data from more than 25,000 people.
The FTC will determine whether to finalize the order after a 30-day public comment period that’s expected to begin when a summary of its provisions is published in the Federal Register.
