Monday, 30 May 2016

How can we make airlines respect our privacy?

A decision last week by a California state Court of Appeal in a case involving an airline smartphone app highlights the legal impunity enjoyed by airlines that invade their customers' and passengers' privacy.

Delta Air Lines' mobile app collects all the information travellers provide when they buy tickets, reserve seats, or check in for flights: credit card numbers, travelling companions, special meal requests that can provide a clue to their religion, special service requests that can indicate invisible medical conditions, and so forth. It also collects other information, such as real-time location and movement tracking through access by the Delta app to the GPS and other location information in your phone.

How much of this data is sent to Delta? There's no way for travellers to know, since the data transmission channel from the app on your phone to the airline is encrypted. What did Delta do with this data about its customers and passengers? We don't know that either. Airlines use as much data about travellers as they can get for marketing and operations, and have been trying to get permission from the US government to use any or all of this data, and/or information about customers obtained from third parties, to "personalize" ticket prices and fees for checked baggage and other services. But the Delta app was launched and operated for years with no privacy policy at all, leaving travellers to speculate why the airline wants a log of each app user's movements, or how it uses or shares this data.

How much of this data is made available to government agencies or other third parties? Delta doesn't say. Unlike many other online service providers, no airline has ever published any sort of transparency report about how often the government asks for information about its customers, or how the company has responded to those requests.

California's Attorney General, in her capacity as chief enforcer of the state's consumer protection laws, sued Delta in 2012 for violating the California Online Privacy Protection Act, which "requires commercial operators of websites and online services, including mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy."

It's worth noting that this law doesn't restrict companies' ability and legal "right" to spy on their customers, invade their privacy, or rat them out to their private enemies or competitors or to the police or other government agencies. All California law requires is that each company subject to the law post some sort of privacy policy saying what data they claim to collect and what they claim to do with it, and not get caught lying to customers about their practices. In the absence of audits by investigators with subpoena power, of course, companies are unlikely to get caught no matter what they do.

The lawsuit against Delta Air Lines was the first action brought by the state of California to enforce this law, which was enacted in 2003 and took effect in 2004. It was an entirely appropriate choice of an especially large, sophisticated, and egregious corporate violator of the law. It was also, I suspect, a popular choice by a politically savvy official with her sights on higher elected office. Most people want, and would expect, consumer privacy laws to be applied to airlines.

Delta initially told the California A.G.'s office that it "intended" to provide the information that was supposed to be in its privacy policy, but then decided to stonewall. Delta argued successfully both in the trial court and before the Court of Appeal that it doesn't have to have any privacy policy or reveal its personal data collection, usage, or disclosure policies to its customers. The Federal "Airline Deregulation Act of 1978" has preempted any state regulation of these practices, Delta said -- and state judges agreed. Only the U.S. Department of Transportation (DOT) has jurisdiction over these practices, or the authority to impose sanctions against airlines that spy on their customers or lie about what they are doing with the data they collect about us.

A company that doesn't say anything about its practices can't get caught in a lie. So unless some sort of disclosure is legally required, or demanded by popular pressure, silence -- which is to say, secrecy -- is the legally safest course of corporate action.

If that's the direction in which the law has driven airlines -- and it is -- then something is wrong with both the law and the airlines.

Tracking your missing bags in real time is one thing, but tracking you in real time is another. Regardless of whether what Delta is doing is legal -- and it might be, at least in the USA -- it should go without saying that an airline or any other company that deploys an app that's constantly phoning home to report your location, and goes to court to defend its right not to tell you what it's doing with that information, is in contempt of customers and doesn't deserve your business. I'd recommend you choose a different airline, except that most airlines are just as bad, or worse. Delta didn't claim to protect app users' privacy. Most other airlines do have privacy policies for their apps, but they are typically full of blatant lies of commission and omission that are apparent to anyone familiar with airlines' privacy (invasion) practices. I'd be hard pressed to say which is the lesser evil. Delta has "voluntarily" published a privacy policy, despite winning its lawsuit against being forced to do so, but it's not clear that its policy is any more candid or truthful than the industry norm.

What Delta and other airlines are doing does violate privacy and data protection laws in Canada and the European Union. Even domestic US airlines that only operate flights within the USA all accept reservations from customers in Canada and in the EU. Most of them also have offices and/or agents who sell tickets on their behalf in Canada and the EU. But none of them bother to comply with Canadian or EU privacy law. As businesses trying to maximize profits, why would they spend money on compliance with laws that aren't being enforced? I know of no airline, for example, that has established a procedure for providing you, on request, with copies of all of your reservations and all of the data about you collected through their and their agents' Web sites and apps, which would be required to comply with the "subject access" requirements of Canadian and EU law. I've made complaints about this to local privacy and data protection authorities, against local airlines, under local laws, in Canada, Germany, France, and the Netherlands. None of them have taken any enforcement action, and some of them haven't even bothered to respond to my complaints. So the problem can't be blamed solely on US exceptionalism.

Airlines in the USA say that Federal preemption of consumer privacy protection avoids "a patchwork of different regulations around the country". That's true. But if Congress enacted a Federal travel privacy law (as I've been urging publicly for more than a decade), or a general consumer data privacy law applicable to airlines, or if the Department of Transportation did its job of enforcing existing Federal laws against unfair and deceptive airline practices, airlines could be held to a uniform minimal standard without having to worry about divergent or potentially incompatible state requirements.

Desire for national standardization is a reason for Federal action, not an excuse for Federal inaction, much less for Federal intervention to prevent states from trying to fill the airline consumer protection gaps left by do-nothing Federal regulators. That's the real effect of Federal aviation preemption today, and that's why state Attorneys General have called repeatedly and with bipartisan near-unanimity for its repeal or reform.

Consumers can and should push the U.S. Department of Transportation to act by filing formal complaints whenever airlines lie to them. In most cases, the DOT will try to find excuses not to act, or will impose only token penalties, even when presented with meticulously documented formal complaints like these examples from Harvard Business School professor Ben Edelman. But as I pointed out 15 years ago in The Practical Nomad Guide to the Online Travel Marketplace, the DOT will do nothing at all, and will claim that it is unaware of any problem, if consumers don't complain at all or submit only "informal" letters of complaint rather than formal filings in the public DOT regulatory docket that can't be hidden or ignored. As I said in The Practical Nomad: How to Travel Around the World, "Enough sacks of mail, dear readers, and maybe DOT will get the message and start doing its job to protect consumers."

When I testified before the DOT Advisory Committee for Aviation Consumer Protection at the first (and to date only) DOT inquiry into the privacy of airline data in 2013, the response of the DOT regulators in the room was to claim there must not be a problem because DOT doesn't get any complaints about airline privacy practices, even though, as I pointed out in my testimony, there's no way anyone could tell from DOT's Web site that DOT has jurisdiction over privacy issues or accepts complaints of privacy policy violations, much less how to submit such a complaint.

Airlines, members of Congress, and the do-nothings at DOT all need to hear from the public that this sort of airline behavior is not acceptable and should be subject to legal sanctions that are costly enough to affect airlines' profits and influence their decisions.

Posted by Edward on Monday, 30 May 2016, 11:51 (11:51 AM)