8 Total
2 High severity
5 Medium severity
1 Low severity
Summary

This document establishes Lyft's practices for collecting, using, and sharing personal data generated through use of its ride-hailing, bike, and scooter services. Lyft collects precise, real-time location data during trips and permits background location collection, and authorizes sharing of personal data including location, financial information, and biometric identifiers with advertising partners and business affiliates. California residents and residents of other jurisdictions with applicable privacy laws have the right to opt out of data sharing for advertising purposes and to request data deletion through Lyft's privacy portal.

Technical / Legal Breakdown

This document is Lyft's Privacy Policy governing the collection, use, storage, and sharing of personal data across Lyft's rideshare, bikes, scooters, and related services, with its legal basis grounded in user consent, contractual necessity, and legitimate business interests. The policy states that Lyft collects an extensive range of data including precise location (including background location), device identifiers, biometric data (in applicable jurisdictions), financial information, communications, and inferred demographic data, and the terms authorize sharing this data with third-party partners, advertisers, and government authorities under specified conditions. Notably, the policy asserts broad location data collection including when the app runs in the background, and reserves the right to use personal data for targeted advertising, product development, and to share with business partners for their own marketing purposes, which may require evaluation under CCPA, GDPR, and applicable state biometric privacy laws such as Illinois BIPA. The policy engages the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), GDPR for users in applicable jurisdictions, and Illinois BIPA for biometric data collection; enforcement authorities include the FTC, California Privacy Protection Agency, and relevant state attorneys general. Material compliance considerations include Lyft's assertion of a right to share precise location and trip data with third parties for advertising purposes, the scope of biometric data use, and the adequacy of consent mechanisms for sensitive data categories across multiple regulatory jurisdictions.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

1 important change detected

3 versions captured · Last updated: July 2026

What changed Lyft updated its privacy policy on July 2, 2026, adding a reference to the 'Freenow by Lyft' autonomous vehicle program and directing users to a separate resource for information about personal data processing related to that program's operation in the United Kingdom. The update also corrected the policy's last-updated date from February 9, 2026 to July 1, 2026. This creates a new disclosure pathway for autonomous vehicle program participants but does not substantively change data handling practices.
Why this matters The updated policy adds a disclosure mechanism directing users in the United Kingdom to a separate resource for information about personal data processing in connection with the Freenow by Lyft autonomous vehicle program. This creates an additional channel for accessing data governance information specific to that program but does not modify existing data collection, use, or sharing practices under the primary privacy policy.
View full change record →

Recent Provision Changes Jul 2, 2026

Added (2)
Biometric Data Collection High

Addition of biometric data collection represents a significant expansion of personal data types Lyft collects, particularly facial geometry scans, which raises heightened privacy and security concerns.

Children's Privacy Low

New provision clarifies Lyft's compliance with COPPA and similar child privacy regulations, establishing explicit protections for minors under 13.

Removed (2)
Cross-Border Data Transfers

Removal of cross-border data transfer provisions eliminates transparency regarding international data flows, potentially affecting users in jurisdictions with strong data localization requirements.

Payment and Financial Data Collection

Removal of explicit payment and financial data collection provision reduces transparency about how payment information and financial data are handled and retained.

Modified (6)
Precise and Background Location Data Collection

Previous version had no excerpt; current version adds explicit detail about background location collection and user permission requirements.

Third-Party Advertising Data Sharing

Renamed from 'Data Sharing With Advertisers and Marketing Partners' and severity downgraded from high to medium; now includes explicit excerpt describing cross-website ad targeting.

Government and Law Enforcement Disclosure

Renamed from 'Law Enforcement and Legal Disclosure' and severity downgraded from high to medium; now includes detailed excerpt with specific language about national security requests.

California Consumer Privacy Rights (CCPA/CPRA)

Previous version had no excerpt; current version adds comprehensive excerpt detailing all California resident rights under CCPA/CPRA.

Data Retention Policy

Renamed from 'Data Retention' and previous version had no excerpt; current version adds explicit excerpt describing retention standards.

View full change record →
High — 2 provisions
Medium — 5 provisions
Low — 1 provision

Monitoring

Lyft has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Biometric Data Collection and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

BIPA
Illinois, USA
View official text ↗
CCPA/CPRA
California, USA
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GDPR
European Union
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
UK GDPR
United Kingdom
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗
Archival ProvenanceSource & Archival Record
Last Captured July 2, 2026 00:13 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000138
Version ID CA-V-004393
SHA-256 d2a7273d437e46ab3791b90f4101168f5a952463d1100272430f6456dbd4e89a
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans