On March 21, 2024, U.S. Transportation Secretary Pete Buttigieg announced a pioneering privacy review focusing on the nation’s top ten airlines. This initiative, led by the Department of Transportation (DOT), aims to scrutinize how airlines manage and utilize passengers’ personal data. While many airlines consider themselves exempt from privacy laws such as the California Consumer Privacy Act (CCPA), concerns have risen about whether they are adequately protecting personal information from misuse, including unauthorized sharing with third parties or for profit. The review sends the signal that the federal government is prepared to creatively and aggressively interpret the law to ensure no entity can evade scrutiny for its data handling practices, even in the absence of comprehensive federal data privacy legislation.

The core objectives of the DOT’s review are:

  • Assess airline policies and training related to data privacy to ensure passengers’ sensitive information isn’t mishandled
  • Investigate if airlines engage in unfair practices, like monetizing personal data without consent. That may mean that even the commonplace use of advertising and marketing pixels cookies from Meta and Google require consumers’ consent, or at least the opportunity to opt-out of such sharing or sales.
  • Implement actions against malpractices, ranging from investigations and enforcement to developing new guidelines or regulations

To conduct this review, the DOT has requested that airlines provide the following information:

  • Their practices regarding data collection, use, and protection, including measures to prevent data breaches and unauthorized monetization
  • Complaints related to data mishandling or privacy violations by airline staff or contractors
  • Details about privacy training programs for airline personnel

This review is part of the Biden-Harris Administration’s wider efforts to enhance consumer privacy protections across various sectors. This includes proposed changes to bolster children’s data privacy, protect consumer health data from being sold and shared without consent, and to crack down on data brokers and the largely surreptitious market for personal data. Moreover, the administration has been actively working to expand airline passenger rights, including efforts to eliminate hidden fees and ensure fair treatment during service disruptions. This year, the review will include the following airlines: Allegiant, Alaska, American, Delta, Frontier, Hawaiian, JetBlue, Southwest, Spirit, and United.

Major Takeaway

  • Companies in all industries should assume their privacy practices will be scrutinized, and should consult with their privacy counsel to update their practices and policies accordingly.
  • Prior reliance on entity-based exemptions in the CCPA and other laws is not a viable strategy for approaching privacy compliance in the airline sector. All companies should review and assess their privacy and security practices to ensure they accurately and comprehensively describe their data practices, implement reasonable security practices, and treat data in line with consumers’ reasonable expectations.