Lyft Sued For Violating California Privacy Law

Update: Editor's note: Lyft is an independent company; Enteprise acquired its carpool service Zimride.

Ride-sharing company Lyft has been hit with a potential class-action privacy lawsuit for allegedly transmitting data about users to the analytics company Mixpanel.

Lyft's “decision to disclose its users’ sensitive personal information not only demonstrates a brazen disregard for their privacy rights, it also violates the California Privacy Act,” user Miguel Garcia says in his complaint, filed on Friday in federal court in San Francisco.

California's privacy law includes a 1990 provision that prohibits ride-sharing companies from disclosing personal information about people without their written consent. The law provides for damages of $5,000 per violation.

Garcia's lawsuit names Lyft and parent company, car rental business Enterprise Holdings, as defendants; together, they operate the ride-sharing service Zimride. Garcia, a resident of California, alleges in his complaint that Lyft sends Mixpanel information about users' ages, genders, Zip codes, metropolitan regions, trip details, and a link to their Facebook profiles. (Lyft requires users to sign up for Zimride via Facebook.)

Lyft also allegedly transmits an alphanumeric identifier called a Distinct ID, which can be used to create behavioral profiles of users in order to send them targeted ads. Garcia argues that Lyft's transmissions to Mixpanel enables the company to combine information from users' Facebook profiles with the Distinct ID. “In this way, a huge swath of data (like name, address, e-mail address, information about the individual’s likes and dislikes) can easily be funneled into the user’s Mixpanel profile,” he alleges.

“By transmitting users’ highly sensitive personal information -- including specific data about their upcoming carpooling/transit routes -- to Mixpanel, Zimride has engaged in a flagrant violation of its users’ privacy,” Garcia says. He adds that the company doesn't inform users during the sign-up process that it will send details of their trips and other “sensitive personal information” to Mixpanel.

Garcia is seeking class-action status on behalf of all California residents who have used Lyft. He is asking for monetary damages, as well as an injunction requiring Lyft to stop transmitting data to Mixpanel.

Recommend (1)
1 comment about "Lyft Sued For Violating California Privacy Law".
  1. Myles Younger from Canned Banners , February 12, 2014 at 4:51 p.m.
    Yes, seems like overkill to send a customer's FB profile link to an outside vendor. Easily fixable, though; it's not that hard to perform 100% of desired analytics without the transmission of PII. If it was OK to pass raw PII back and forth, a large swath of digital marketing platforms would have no reason to stay in business. Regardless, how is this not already addressed in Lyft's T'c and C's (which could legally constitute 'written consent')? A lot of companies expressly permit themselves to share customer information with certain vendors in the course of doing business. For example, Amazon shares your personal information (name, address, shippers, etc) with UPS.