Uber is facing twenty years of audits following a ruling by the Federal Trade Commission (FTC). According to the latter, Uber didn’t do enough to protect the privacy of its riders or drivers.

The FTC ruled that the rideshare company had not adequately protected the information of its users. Uber is now required to implement a privacy program, and it will be audited every two years for the next two decades. According to Acting Chairman Maureen Ohlhausen, “Our order requires a culture of privacy sensitivity for Uber. It’s going to make them take privacy into account every day.”

The FTC began investigating Uber in 2014 after the discovery of the “God View” mode, which allowed employees to see customer locations in real time. It also investigated a data breach that same year which saw 100,000 driver names and license numbers stolen. According to the FTC, Uber didn’t use any “reasonable, low-cost measures that could have helped the company prevent the breach.”

The year isn’t even over, but I’m willing to call this the cherry on top of Uber’s rather tumultuous season. From the numerous allegations of internal sexism, the Waymo lawsuit, and the public departure of CEO Travis Kalanick — being told off by the US government and put on what looks very much like probation must be a bitter pill to swallow.

For its part, Uber claims the mistakes which led to the FTC investigation were made years ago and it has since improved. According to Reuters, a spokesperson said, “We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs.”

Uber settles U.S. allegations over data privacy on Reuters

Read next: Neo-Nazi site The Daily Stormer shifts base to the dark web