UPDATE: This post has been updated to reflect comments made by FTC on a telephone press conference. August 15, 2017 11:59 a.m.

For the next 20 years, Uber needs to secure an independent auditor to check its privacy practices, according to a new settlement with the U.S. Federal Trade Commission (FTC).

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC Acting Chairman Maureen K. Ohlhausen said in a press release. “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

Media reports circulated accusing Uber employees of spying on drivers and riders in 2014 using its so-called “god view” system, according to the FTC. Subsequently, the company put in place a system to track employee access to private data about these Uber users, but the FTC alleges that the company quit using it after less than a year. On a subsequent conference call, FTC staff said their investigation began shortly after the “god view” accounts began to circulate.

One of the first accounts came via Medium, in a blog post by an entrepreneur named Peter Sims, who learned that his whereabouts during a ride had been displayed at an Uber party in Chicago.

‘Companies will be held accountable for their promises’

Uber subsequently told the public that it was monitoring employee access to user data to make sure they weren’t spying inappropriately on any of the rideshare app’s users. “They fairly quickly stopped doing that in the way they had described,” Ben Rosen from the FTC said on a conference call with media this morning. “They were looking at a handful of executive accounts and other VIPs,” rather than a broad sample of all Uber riders and drivers.

Uber also had a breach in May 2014 where account details of 100,000 users were exposed. The FTC also contends that Uber did not take even basic, inexpensive privacy precautions to protect this data in case of a breach, such as using two-factor authentication (logging in with something in addition to a password, such as a one time code or USB key). Data about where users had been based on geolocation data was among the data left accessible to an attacker.

From the FTC’s press release:

Under its agreement with the Commission, Uber is:

prohibited from misrepresenting how it monitors internal access to consumers’ personal information;

prohibited from misrepresenting how it protects and secures that data;

required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and

required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.

The agreement also requires an extensive record keeping process around its accounting, consumer complaints and “each widely disseminated representation by Respondent [Uber] that describes the extent to which Respondent [Uber] maintains or protects the privacy, security and confidentiality of Personal Information.”

There’s no financial penalty under the order. “Our authority is to get consumer redress,” Ohlhausen said during the conference call. “We are typically only getting money when we can point to financial losses.” Now that the company is under an order for 20 years, the FTC may seek civil penalties if Uber violates it.

“The settlement does not require an admission [of wrongdoing], which is standard in our order,” Nicole Jones, a spokesperson for the FTC wrote the Observer in an email. “We are pleased that Uber agreed to settle this case, and we were able to obtain valuable relief for consumers without expending resources on a contentious litigation.”

“The complaint involved practices that date as far back as 2014,” a spokesman for Uber told Recode. “We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs.”

“Companies must honor their promises,” Ohlhausen said, explaining that she’s especially concerned about the kind of data companies like Uber have access to, such as people’s locations. “Companies will be held accountable for their promises.”

The FTC invites comments on the consent agreement through September 15.