Earlier this week, the U.S. Department of Transportation’s Advisory Committee on Aviation Consumer Protection (“ACACP”) held a meeting in Washington, D.C. to discuss data privacy and security issues relevant to the aviation industry. The meeting featured presentations by representatives of the airlines, travel agents, online travel agents, global distribution systems (“GDS”), and consumers. According to ACACP committee member Charles Leocha, this week’s meeting marked the first time that the Federal Trade Commission (“FTC”), the Department of Transportation (“DOT”), and the air travel industry had come together to discuss consumer privacy — a discussion he said was “long long overdue.” In his opening remarks, Leocha characterized travel data as “some of the most sensitive and intimately revealing” consumer data, and expressed optimism that the meeting would be “step one” towards establishing a DOT privacy rule or guidance on best practices.
At the meeting, Robert Gorman, a Senior Attorney from the DOT presented on the Department’s authority to enforce privacy rules and regulate unfair and deceptive trade practices by air carriers. He suggested that the Department would likely determine that a privacy violation rose to the level of an unfair or deceptive trade practice where a company:
- Disclosed personal information in a manner that violates public policy, is immoral, or causes substantial consumer injury not offset by any countervailing benefit;
- Violated a rule where such violations are considered unfair or deceptive trade practices; or
- Violated the Children’s Online Privacy Protection Act (COPPA), which the DOT has the authority to enforce against air carriers.
Gorman reported that he and his colleagues were not aware of receiving any complaints against air carriers for violating consumer privacy, but stated that the DOT is considering whether to issue guidance on complying with COPPA.
Jonathan Zimmerman, a Senior Attorney at the FTC, provided a general overview of the FTC’s role in enforcing consumer privacy and discussed specific enforcement actions. While the FTC does not have jurisdiction over air carriers, it does have jurisdiction over other industry participants, such as GDSs, travel agents, and online travel agencies. The ACACP members also suggested that the DOT’s approach to enforcing consumer privacy among air carriers would be informed by the FTC’s experience as the federal government’s chief privacy regulator.
Nigel Howard, a partner at Covington & Burling and frequent contributor to this blog, presented on state privacy laws and their effect on the air travel industry. After reviewing the many state laws governing areas such as breach notification, spam, and data security, he explained how these state laws guide the development of airline best practices, even when the laws are technically pre-empted by the Airline Deregulation Act of 1978.
In a joint presentation, representatives of American Airlines, Delta, and Alaska Airlines provided a broad overview of airline privacy practices, focusing on the types of data that airlines typically collect, the reasoning behind collecting those types of data, and Generally Accepted Privacy Principles that serve as the basis for their privacy policies. Michael Vatis, an attorney representing the GDSs, presented on how those organizations collect and use consumer data and the limited circumstances in which they would disclose data. GDSs are computerized reservation systems that traditional travel agents, online travel agents, and large corporations use to reserve airline seats. Despite their key role in the air travel industry, they are often unknown to consumers because they are not consumer-facing entities. The meeting also included presentations from traditional travel agents and online travel agents describing their commitment to consumer privacy.
Edward Hasbrouck, an independent consumer advocate, concluded the meeting with a presentation on problems with existing privacy practices in the air travel industry. He described issues with providing consumers meaningful notice and data security vulnerabilities, in particular in relation to access to data held by GDSs. He also noted that, in order for all industry participants to provide better privacy protections, the GDSs would need to “do much of the heavy lifting” by creating more detailed and secure systems. Hasbrouck also attributed the lack of privacy complaints submitted to the DOT to the fact that the Department’s webpage soliciting complaints does not mention privacy and suggested that consumers would not otherwise have reason to know that they should submit privacy complaints to the DOT. He also advocated for the creation of a working group within the DOT with ongoing responsibility for privacy issues.
The ACACP does not have further meetings scheduled to discuss consumer privacy, but we will continue to track these and other privacy developments relevant to the aviation industry.