This is a topic that doesn’t come up very often. In fact, since the Federal Trade Commission (FTC) doesn’t have jurisdiction over airline reservation systems and travel agencies, it has not been part of the overall Internet privacy discussions. Your privacy with airlines exists at the whim of the airlines with little government oversight.
Next week, for the first time, travel privacy will be under the microscope at a hearing being held by the Advisory Committee for Aviation Consumer Protections.
Before saying to yourself, “I don’t care” or, “I don’t have anything to hide,” think about what information you entrust to your travel agent and the airlines. Then, think about what information is collected about you during your travels.
The amount of information collected about the normal traveler is amazing, especially when airline records are mixed with tour operators, hotels, car rental companies and other tourism providers who end up with access to your personal data through your PNR or record locator number that serves as the key to a “seamless” trip.
In reality, your travel data is some of the most sensitive, most intimately revealing, most systematically computerized, most widely dispersed, most globally accessible, and most potentially subject to abuse categories of consumer data. And, it lies outside the current world of privacy protections. It has fallen into a jurisdictional black hole.
Back in 2009, the Consumer Travel Alliance (CTA), together with other consumer groups, tried to bring the power of the FTC into the travel privacy equation. However, it was determined that only Department of Transportation (DOT) had jurisdiction over privacy as it relates to aviation and ticket sellers (travel agents). So, while hotels, rental car companies and cruise lines need to follow privacy guidelines subjected to FTC scrutiny, the airlines and travel agents fall under the jurisdiction of the DOT.
Just last week, Delta Air Lines won dismissal of claims it violated California’s Internet privacy law because the judge decided that privacy was protected by federal preemption. In other words, according to the court ruling, state laws do not apply to airlines, only federal laws and regulations. This makes DOT actions regarding aviation privacy more important and necessary.
Plus, DOT is in a unique position among federal agencies — it wields enforcement authority. Whatever privacy policies airlines and ticket agents agree to or add to their contracts can be enforced with DOT procedures.
The 2009 CTA Petition for inclusion in the privacy roundtables notes the extent of the problem with privacy protection of travel records.
PNR’s and other travel records contain extraordinarily intimate data. PNRs show where you went, when, with whom, for how long, and at whose expense. Behind the closed doors of your hotel room, with a specific person (identified, perhaps, by name, address, gender, data of birth, citizenship, passport or ID number, and credit card number) they show whether you asked for one bed or two.
The petition also noted that these records are “highly vulnerable to unauthorized access.”
Tens of thousands of travel agencies and airline staff in the USA alone, and many times more around the world, have credentials as authorized users of CRSs/GDSs. In many cases, those credentials permit remote login and access to CRS/GDS records via the Internet. Because no logs are normally kept of access to PNRs or customer profiles stored in a CRS/GDS, compromise of a travel agency’s credentials, and unauthorized access using those credentials, could go undetected indefinitely.
More than only collection of data is the issue of what airlines, travel agencies and GDSs do with the personal data that they collect. Should there be some disclosure about how information collected during the reservation process and your travels is to be used. Is it only used to provide better customer service? Or, is it sold to the highest bidder and merged with other Big Data to shape what airfares and ancillary fees different travelers see and what frequent flier benefits travelers received?
Everyone knows that we are living in a far different world today than the world that spawned the Internet revolution just over a decade ago. Data collected at every step of travel research affects the ads we see on the Web. Information gleaned from the reservation process affects what services travelers receive. And methods of payments add another layer of data collection and price differentiation.
Certainly, no one expects the airlines and GDSs to change their privacy policies after one committee meeting, but in Washington change comes is small steps. This meeting is step one on the way to a DOT rule on privacy or aviation records that can merge well with the FTC rules on hotel, car rentals and other forms of transportation and tourism. Every journey starts with a small step. The discussions at the DOT Advisory Committee for Aviation Consumer Protections will be the first time in recent decades that the FTC and DOT will be in the same meeting with airlines, travel agents, GDSs and consumers discussing privacy.
It will be a watershed meeting with both the FTC and DOT in discussions about privacy. Hopefully, this meeting will eventually lead to an aviation sector blueprint of best practices or a voluntary privacy policy that can span the data worlds of airlines, ticket agents, GDSs and the rest of the travel world.
Charlie Leocha is the President of Travelers United. He has been working in Washington, DC, for the past 14 years with Congress, the Department of Transportation, and industry stakeholders on travel issues. He was the first consumer representative to the Advisory Committee for Aviation Consumer Protections appointed by the Secretary of Transportation from 2012 through 2018.
