Taxi-on-demand service Uber ran into hot water last week over reports that company executives have played fast and loose with some of the location data that the service records about its customers. A couple of thoughts about the scandal:

First, it’s a reminder that whenever we allow an institution to collect information about us, we expose ourselves to certain dangers, including the danger that our information will be misused. It’s also a reminder that abuse is a potential problem not just with government but also with companies, which like government agencies have their own incentives and interests and enemies, and if they can gain power via information, they will do so unless something is stopping them.

What struck me most about the reported behavior is just how amateurish Uber comes across (a point that Joe Nocera elaborated on here). The alleged behavior—as well as the flippant way in which it was revealed—smacks of a newbie startup that hasn’t yet begun to understand the power and importance of the data they collect, and the trust they need to earn in their handling of that data—and so doesn’t take privacy seriously. (A good way for any such company to accelerate their maturity in this area is the ACLU of Northern California’s excellent business primer.)

While the Uber executives look ruthless in their reported behavior, from another perspective they look more naïve in the openness with which they bragged about their abusive plans. It’s hard to picture one of the giant, established technology companies behaving in this way. However, what’s less clear is whether that’s because the established companies would never use their data in such a way, or because they are too smart to let anyone know about it.

I think, standing back from any particular companies, it’s indisputably true that at times, companies of whatever size (just like government agencies) will be led by people who are ethically challenged. And at all times, at lower levels within organizations, there will be a Bell curve of individuals in terms of ethics. Some will inevitably be ethically challenged and will give in to temptation to exploit data in unethical ways.

Larger, more bureaucratic organizations do tend to become more regularized—hemmed in by legal and public-relations considerations that a scrappy startup has not yet developed. The Uber scandal shows how lawyering up can be a good thing. But even big companies should be expected to use data in every way that will bring them an advantage when the benefits of doing so appear to outweigh any legal or public-relations risk. Given the paucity of privacy laws, and the secrecy with which data can easily be used and abused, that may be a disturbing amount of the time.

And of course, the risk of data-abuse in the sense of wrongdoing by particular individuals is never the only one. What is also a risk is that illegitimate uses of data will become baked into the very regularized and legal systems that a company builds its profits around. That’s what we’re seeing in many other areas of the information economy, unfortunately.

Ultimately, as with government, checks and balances are the solution. But when it comes to data in the corporate sector, it can be very hard to enforce those checks. That would be true even if the U.S. had a far more rigorous, EU-style system of rules for the handling of data.

The lesson, once again, is that ultimately the best privacy protection comes from not having your data collected in the first place.

Uber should, at a minimum, take a couple of steps in response to this scandal:

Put in place limits on the retention of customer data. Data should not be kept indefinitely, and retention should, to the maximum extent possible, be under the control of the customer. As much fun as Uber’s data scientists might have with analytics, their customers must come first. Uber should follow in Google’s footsteps and give their customers visibility into, and ability to delete, the data that is retained about them.

Along the same lines, Uber might also include the option for a “private trip” for which no data is retained at all by the company. This would be akin to the “private browsing mode” available in most Web browsers. Some people may find it convenient for Uber to retain data about their rides—but want certain rides to be exempted.

As my colleagues at the ACLU of Northern California point out, Uber (like its competitor Lyft) has never issued a transparency report detailing the quantity and type of government demands for the data it holds. We don’t know how much of the company’s data is demanded by regulators, police, or federal intelligence agencies, and the public should know that. It should begin issuing such reports as soon as possible.

Lyft and any other companies competing in this area should of course do the same.