by ageitgey 3072 days ago
> None of the data that was available sounds like sensitive PII so I'm not sure why anyone would be surprised by this.

The first sentence says employees would "view the personal contact info and ride history of the startup’s passengers."

I would consider contact info and exact physical movements to absolutely be PII and information that is sensitive. If not that, then what?

1 comments

Not all PII is inherently "sensitive" though. Meaning not everything that can be used to actually identify you needs to be encrypted and protected. I don't know for sure but I don't think names or addresses qualify as that.
I absolutely would say it would, especially where there's a very good chance that the home and work addresses are part of that list, and the idea that someone would use a database like that to spy on an ex and harass and/or assault them is an actual thing that happens.
Varies state by state. The above does qualify as PII in California.