
U.S. Department of Transportation to Review Airlines’ Data Security and Privacy Policies

The U.S. Department of Transportation (DOT) will review the data security and privacy policies of the country’s top 10 airlines to assess the extent of unfair sharing and monetization of passengers’ sensitive information.

Airlines under review include Allegiant, Alaska, American, Delta, Frontier, Hawaiian, JetBlue, Southwest, Spirit and United.

The DOT said it would also assess employee training, collection and handling processes, investigate passengers’ complaints, and take enforcement action if anomalies or misconduct are discovered.

Airlines’ data security and privacy policies under scrutiny

The DOT said it would investigate if the airlines properly handle and protect passengers’ personal information and whether they were unfairly or deceptively monetizing or sharing sensitive passenger data with third parties.

“The review will examine airlines’ policies and procedures to determine if airlines are properly safeguarding their customers’ personal information. In addition, DOT will probe whether airlines are unfairly or deceptively monetizing or sharing that data with third parties,” said the DOT.

The DOT warns that mishandling consumers’ private information also amounts to “unfair or deceptive practice,” potentially leading to civil penalties.

According to the March 21, 2024, press statement, the review will scrutinize airlines’ data collection and handling practices, how they monetize customer information through targeted advertising, and how employees and contractors are trained to handle passenger data.

“Airline passengers should have confidence that their personal information is not being shared improperly with third parties or mishandled by employees,” said U.S. Transportation Secretary Pete Buttigieg, adding that the DOT intends to ensure that airlines are “stewards of sensitive passenger data.”

The Senate Finance Committee Chair, Sen. Ron Wyden (D-Oregon), will provide expert assistance during the review.

Vowing to continue “holding the airlines responsible for harmful or negligent privacy practices,” Sen. Wyden warned that passengers’ data security and privacy should not be at the mercy of airlines.

“Because consumers will often never know that their personal data was misused or sold to shady data brokers, effective privacy regulation cannot depend on consumer complaints to identify corporate abuses,” he said.

The review will also investigate complaints about airlines mishandling passengers’ sensitive information. The DOT will take enforcement action if it discovers evidence of improper data security and privacy practices.

“As DOT finds evidence of problematic practices, the Department will take action, which could mean investigations, enforcement actions, guidance, or rulemaking,” the DOT said.

The DOT has asked the top 10 airlines to submit information about their data security and privacy policies, customer complaints, and training materials.

Meanwhile, the 300-member International Air Transport Association, which oversees standards and policies, had not publicly responded to the DOT’s request at the time of publication.

A broader initiative to enforce data security and privacy

The DOT has not disclosed what triggered the review of the airlines’ data security and privacy practices. However, U.S. airlines have frequently fallen victim to data breaches.

The department also disclosed that the initiative is part of a “broader push to protect consumer privacy across the economy.”

To further improve customer data security and privacy, the U.S. Federal Trade Commission (FTC) proposes the COPPA (Children’s Online Privacy Protection Act) rule to limit the disclosure or monetization of children’s data.

Additionally, the FTC has warned data brokers and collectors against sharing sensitive personal information, such as browsing history that identifies individuals.

Other entities on the regulator’s radar include intelligence agencies that buy personal data from third parties to evade complex legal procedures required to obtain search warrants.

“The FTC is also exploring rules to more broadly crack down on the harms stemming from surveillance and lax data security.”