There is virtually no legal protection for the privacy of personal information about travelers on U.S.-based airlines:
• There is no general consumer privacy law in the U.S. like those in Canada or the European Union. Businesses can do pretty much anything they want with personal information, as long as they don’t violate specific contractual promises or lie about what they are doing.
• None of the sector-specific consumer privacy laws in the U.S. apply to travel information.
• The Department of Transportation (DOT) has lagged far behind other Federal departments, especially the Federal Trade Commission of the Department of Commerce, in its enforcement of existing laws against fraud as they apply to fraudulent claims about privacy practices.
• The DOT has exclusive jurisdiction over airlines and other common carriers, and many practices of airlines and computerized reservation systems have fallen through the cracks between DOT and FTC jurisdiction.
Four years ago, a coalition of consumer groups joined me in urging the FTC to act on this issue. But while the FTC was willing to work with the DOT, the DOT has yet to act.
In May of this year, I was invited to present testimony from a consumer perspective on privacy and air travel before the DOT Advisory Committee for Aviation Consumer Protection (ACACP).
Next Monday, 16 December 2013, the ACACP will meet again to consider what actions to recommend to the Secretary of Transportation. Pursuant to the law which mandated the establishment of the ACACP, the Secretary must report to Congress on what the ACACP has recommended, and what, if any, action the Secretary has taken on those recommendations. So unlike many advisory bodies, the ACACP can set its own agenda and can not be completely ignored.
In an unprecedented call for DOT action on consumer privacy, a list of organizations and individuals including the ACLU, National Network to End Domestic Violence, Consumer Travel Alliance, Consumer Federation of America, Electronic Privacy Information Center, Privacy Rights Clearinghouse, Consumer Action, and others have submitted a joint letter to the ACACP calling for action in line with the recommendations in my testimony to the ACACP in May:
As organizations and individuals with expertise and experience relevant to consumer privacy, we welcome the interest of the ACACP in the privacy of air travelers as a consumer protection issue.
The exclusive jurisdiction of the Department of Transportation (DOT) over many of the activities of travel companies preempts action by the agencies with primary responsibility for protecting consumer privacy in other industry sectors, such as the FTC and state attorneys general. That makes ongoing attention to this issue and action by the DOT essential to protect air travelers’ privacy.
In light of this, we are particularly concerned by the lack of clear information provided to members of the public by the DOT, making clear the DOT’s jurisdiction and procedures with respect to privacy violations by airlines, travel agencies, and computerized reservation systems.
Consumer privacy is not mentioned anywhere on the DOT website, complaint forms, or reports. The DOT website provides no information on what sorts of privacy violations fall within its jurisdiction, how or to whom such violations can be reported, or how such complaints are handled.
We urge the ACACP to recommend that the Department add a “privacy” tab to the DOT aviation consumer protection website and add privacy as a category in DOT complaint forms, logs, and reports. And we urge the Secretary of Transportation to act promptly to adopt and implement that recommendation. The DOT website should provide clear information on DOT jurisdiction, policies, and points of contact and procedures for complaints with respect to the privacy obligations and practices of airlines, travel agencies, and computerized reservation systems.
We also urge the ACACP to establish a permanent subcommittee or working group on consumer privacy, to ensure that the work of the DOT on this issue is reviewed on an ongoing basis and that further actions are recommended as necessary to protect air travelers’ privacy. Among the issues for such a subcommittee or working group would be periodic review of DOT reports (once they begin to include privacy complaints and enforcement activities as a distinct reporting category), whether privacy policies should be required to be included in airline conditions of carriage, and what structures for liaison and coordination with other agencies and departments (such as the FTC and DHS) can best facilitate investigation and enforcement action and avoid jurisdictional gaps in cases that implicate the jurisdiction of multiple agencies – as is likely where personal information related to air travel is commingled with data related to other travel services outside the jurisdiction of the DOT.
We would welcome the opportunity to work with the ACACP, the DOT, and the air travel industry, and to share our experience and expertise in consumer privacy norms and best practices.
These would be only first steps, but they would be important ones.