Monday, 30 May 2016
How can we make airlines respect our privacy?
A decision last week by a California state Court of Appeal in a case involving an airline smartphone app highlights the legal impunity enjoyed by airlines that invade their customers' and passengers' privacy.
Delta Air Lines' mobile app collects all the information travellers provide when they buy tickets, reserve seats, or check in for flights: credit card numbers, travelling companions, special meal requests that can provide a clue to their religion, special service requests that can indicate invisible medical conditions, and so forth. It also collects other information, such as real-time location and movement tracking through access by the Delta app to the GPS and other location information in your phone.
How much of this data is made available to government agencies or other third parties? Delta doesn't say. Unlike many other online service providers, no airline has ever published any sort of transparency report about how often the government asks for information about its customers, or how the company has responded to those requests.
The lawsuit against Delta Air Lines was the first action brought by the state of California to enforce this law, which was enacted in 2003 and took effect in 2004. It was an entirely appropriate choice of an especially large, sophisticated, and egregious corporate violator of the law. It was also, I suspect, a popular choice by a politically savvy official with her sights on higher elected office. Most people want, and would expect, consumer privacy laws to be applied to airlines.
A company that doesn't say anything about its practices can't get caught in a lie. So unless some sort of disclosure is legally required, or demanded by popular pressure, silence -- which is to say, secrecy -- is the legally safest course of corporate action.
If that's the direction in which the law has driven airlines -- and it is -- then something is wrong with both the law and the airlines.
What Delta and other airlines are doing does violate privacy and data protection laws in Canada and the European Union. Even domestic US airlines that only operate flights within the USA all accept reservations from customers in Canada and in the EU. Most of them also have offices and/or agents who sell tickets on their behalf in Canada and the EU. But none of them bother to comply with Canadian or EU privacy law. As businesses trying to maximize profits, why would they spend money on compliance with laws that aren't being enforced? I know of no airline, for example, that has established a procedure for providing you, on request, with copies of all of your reservations and all of the data about you collected through their and their agents' Web sites and apps, which would be required to comply with the "subject access" requirements of Canadian and EU law. I've made complaints about this to local privacy and data protection authorities, against local airlines, under local laws, in Canada, Germany, France, and the Netherlands. None of them have taken any enforcement action, and some of them haven't even bothered to respond to my complaints. So the problem can't be blamed solely on US exceptionalism.
Airlines in the USA say that Federal preemption of consumer privacy protection avoids "a patchwork of different regulations around the country". That's true. But if Congress enacted a Federal travel privacy law (as I've been urging publicly for more than a decade), or a general consumer data privacy law applicable to airlines, or if the Department of Transportation did its job of enforcing existing Federal laws against unfair and deceptive airline practices, airlines could be held to a uniform minimal standard without having to worry about divergent or potentially incompatible state requirements.
Desire for national standardization is a reason for Federal action, not an excuse for Federal inaction, much less for Federal intervention to prevent states from trying to fill the airline consumer protection gaps left by do-nothing Federal regulators. That's the real effect of Federal aviation preemption today, and that's why state Attorneys General have called repeatedly and with bipartisan near-unanimity for its repeal or reform.
Consumers can and should push the U.S. Department of Transportation to act by filing formal complaints whenever airlines lie to them. In most cases, the DOT will try to find excuses not to act, or will impose only token penalties, even when presented with meticulously documented formal complaints like these examples from Harvard Business School professor Ben Edelman. But as I pointed out 15 years ago in The Practical Nomad Guide to the Online Travel Marketplace, the DOT will do nothing at all, and will claim that it is unaware of any problem, if consumers don't complain at all or submit only "informal" letters of complaint rather than formal filings in the public DOT regulatory docket that can't be hidden or ignored. As I said in The Practical Nomad: How to Travel Around the World, "Enough sacks of mail, dear readers, and maybe DOT will get the message and start doing its job to protect consumers."
Airlines, members of Congress, and the do-nothings at DOT all need to hear from the public that this sort of airline behavior is not acceptable and should be subject to legal sanctions that are costly enough to affect airlines' profits and influence their decisions.Link | Posted by Edward on Monday, 30 May 2016, 11:51 (11:51 AM) | TrackBack (0)