Sky high standards: Airlines prep for DoT privacy scrutiny
Posted: April 3, 2024
Airlines have faced significant challenges over the last few years. COVID happened, of course, followed by low staffing resulting in a reduction in flights and increased customer frustrations with their travel experience. A new pay-for-seat preference policy with many airlines has increased friction between passengers and airlines. More recently, airplane failures decreased customer confidence in safety.
A challenging environment is nothing new for airlines in the privacy space, however. The airline industry has always faced a complicated privacy environment due to the data they collect, their global nature, and the security-oriented context under which they operate.
By nature, airlines operate in a global space and must address complex transborder data flow restrictions as well as the need to balance sometimes conflicting privacy regulations across jurisdictions. Even seemingly benign data about airline customers, such as meal preference and special service requests, can be considered sensitive information because they can lead to knowledge of religion or disability. Additionally, physical and anti-terrorism security measures in airports carry with them the need to process sensitive data and share data among governments. This means that airlines must navigate sensitive data, monitoring, and biometrics privacy issues.
Perhaps most significantly, the very context of airline travel, with its mandatory security screenings and potentially profound consequences, heightens passenger sensitivity for privacy done wrong. In fact, the Department of Transportation’s (DoT’s) own recent research shows that passenger screening is the most frequent type of customer complaint, far above the number of complaints about courtesy, property screening, or wait times (*1). In other words, the very context of air travel in post-9/11 times can increase fear, uncertainty, and doubt about the airline industry and how it uses and shares personal information.
This may be why the Department of Transportation (DoT) recently announced that it intends to conduct a privacy review of ten US-based airlines, and why that privacy review has such potential to have a significant positive impact on the industry. Coming at a time of decreasing consumer satisfaction with airlines (*2), this privacy review may be exactly what the airline industry needs to help build a closer bond of trust with the people sitting in those infamous airplane seats.
The DoT has responsibility for oversight of airlines, including the right to investigate and impose civil penalties related to the Children’s Online Privacy Protection Act (COPPA) and practices that may be considered unfair or deceptive. Though government agencies, including the DoT, have long been required to conduct Privacy Impact Assessments (PIAs) on their own systems through the E-Government Act of 2002 and must set FISMA-directed security controls, this effort represents DoT’s first general external privacy review of the airline industry.
The DoT intends to aim its inaugural privacy review at confirming whether airlines are “properly safeguarding their customer’s personal information,” and “unfairly or deceptively monetizing or sharing that data with third parties.”(*3) The DoT will start its review on privacy policies/procedures, complaints, and personnel training.
It is easy to see why the DoT may be focusing on monetization and data sharing. States continue to pass new privacy laws, and though each State law varies, a common theme across all States is a requirement that gives consumers control over data selling and sharing. These privacy laws reflect the real frustration of people trying to gain control of their own personal data.
With that concern as a backdrop, it is also easy to see how airlines could monetize the data they collect during the normal course of business. Travelers spend money, sometimes a lot of it. Airport vendors could benefit from (and pay for) location and preference information, allowing them to send location-based targeted ads. Off-airport retail, hospitality, ground transportation, and entertainment companies would undoubtedly love to know who is coming into town, how long they are expected to stay, and what they like to eat/do/buy. In other words, travel is a big business, and who better knows the details about someone’s travel plans than the airline that brought her to town?
Connecting travelers with products and services they need in an unfamiliar city can benefit consumers as well. The key, though, is trust. Research has shown that companies earn trust through transparency, consent, and follow through on data promises; exactly the focus of the DoT’s privacy review.
That said, while this review has the potential to confirm sound practices and enhance consumer trust in a challenging industry, any regulator focus also carries potential risk. Negative findings by the DoT could result in fines and penalties for offending airlines. If the DoT sees disturbing trends, it might impose added oversight and compliance requirements and/or launch other, more intensive investigations. Furthermore, if the DoT takes a cue from the Federal Trade Commission, airlines found lacking might find their names and information about their privacy fails made public, leading to reputation damage.
Additionally, the DoT has said that it intends to conduct privacy reviews on an ongoing basis. This means that airlines may face the need of not only being able to provide privacy answers at a single point in time, but they also must have a mature enough privacy program that they can sustain demonstrable compliance far into the future. “Ad hoc privacy” will not be a successful strategy for airlines moving forward.
At the most basic level, defense against criticisms of unfair and deceptive practices revolves around clear notice, consent, and a company’s do-say ratio, meaning that a compliant company must clearly declare its practices, get the right informed consent, and then follow up on its promises. Especially in industries where consumers have less control over their personal data experience, like with air travel, the ability to choose – where choice is possible – becomes especially critical for customer satisfaction and trust.
This means that, to be successful in this type of regulator review, any company should:
- Deeply understand and document the end-to-end life cycle of all personal data it handles, from collection to deletion and all stages in between.
- Review data collection experiences from a customer's perspective, making special note of privacy promises, consent mechanisms, and terms. Review notices and experiences for clarity and ease of understanding in addition to completeness and accuracy. Understand how to track consent and demonstrate compliance with consent terms.
- Compare promises to practices throughout the life cycle of the data in question, from policies to training to actual actions.
- Review the maturity of the controls in place that help ensure ongoing compliance with policies/agreements/trained processes. Also review the sustainability and effectiveness of compliance reporting.
It is exciting to see privacy receive such focus in a critical industry, and at a crucial time. As David McInerney, Commercial Manager at Cassie, says, “The US Department of Transportation’s initiative to review the privacy practices of the nation’s largest airlines emphasizes the importance of consent, not only in the airline industry, but across all sectors. It reflects a growing recognition that consumers deserve transparency in how their personal information is managed. At its core, this initiative will ensure airlines take more responsibility for how they manage passenger information, while also empowering consumers to exercise control over their data and communication preferences. This in turn will create stronger trust-based relationships between brands and consumers.”
With US regulators and legislators picking up the privacy mantle – especially related to personal data sale and sharing – rigorous and demonstrable transparency and consent practices become “table stakes” for data-driven organizations. The upcoming DoT privacy review has the potential to showcase airline industry best practices and enhance customer trust in the industry – or out airlines with poor practices and encourage better ones for the benefit of customers in the years to come. Regardless of the outcome for airlines, the effort underscores the ongoing trend of privacy enforcement that only a strong privacy program and practices can address.
* Reference Links
1 https://www.transportation.gov/sites/dot.gov/files/2023-12/November%202023%20ATCR.pdf
2 https://www.jdpower.com/business/press-releases/2023-north-america-airline-satisfaction-study