Airlines’ privacy policies do little to protect consumers’ personal data
If someone says “sharing economy,” you probably think Uber or Airbnb. You should think instead about your privacy.
Do something online and your personal information will be shared with other businesses itching to spam you with marketing pitches. It’s a practice common to almost all industries.
The problem lies in how all this data sharing is disclosed to consumers — and how difficult companies often make it to limit who can access your info.
“Nobody thinks current practices represent adequate privacy protection for consumers,” said James Dempsey, executive director of UC Berkeley’s Center for Law & Technology. “Privacy policies are written to provide companies with maximum discretion about how they will use customer information.”
Tech companies, telecom providers, retailers — any of these would illustrate the trend. For the sake of discussion, let’s look at airlines.
Ever hear of Resolution 787? Me neither, until this industrywide standard was recently pointed out to me. Basically, it’s a new system that allows airlines to collect data from passengers and exploit the information for marketing purposes.
In April, Democratic lawmakers asked the Department of Transportation to look into whether Resolution 787 does enough to ensure fairness and passengers’ privacy.
This got me wondering about airline privacy policies in general. How much privacy do they actually guarantee?
Not much, it turns out.
“We do not sell your name or other personally identifiable information to third parties, and do not intend to do so in the future,” it says emphatically and, you’d think, definitively.
But the very next sentence says: “We routinely share your information with our SkyMiles Partners and Promotional Partners.”
So they’d never “sell” your personal info but they routinely “share” it? What’s the difference?
“For consumers, there’s no difference,” Dempsey said.
He said marketing partnerships typically are structured so that both companies — the data sharer and the recipient — receive a portion of any revenue that’s subsequently generated. “Maybe that’s not a ‘sale,’ but it’s still a financial relationship,” Dempsey said.
Points to United Airlines for at least being honest about how little privacy its customers can expect.
That would be reassuring except for the admission two paragraphs later that American’s policy is to share passengers’ data “with carefully selected third-party companies with which we have a business relationship.”
I asked each of the airlines how passengers can find out which companies their information is being shared with. Not one came through with a straightforward answer to that question. United implied that the only way to know is from the emails you receive.
If anything, the carriers seemed to resent being called to account for what they see as an everyone-does-it business practice.
A Southwest Airlines spokeswoman, Thais Hanson, initially responded positively to my email overture, saying she could help me get answers.
Then Hanson emailed what she said would be “the official Southwest response”:
I asked Hanson to point me toward any other sections of the policy that might clarify the company’s use of customer data. No response.
Jeff Sovern, a law professor at St. John’s University in New York, said the Federal Trade Commission merely requires that companies live up to the terms of whatever they put in their privacy policies.
“If a company doesn’t promise to keep your information private, it generally doesn’t have to,” he said.
Privacy experts say it’s up to consumers to do what they can to limit data sharing. It’s a time-consuming hassle — and companies know this — but your best bet is to read through privacy policies and follow instructions to opt out of information being shared with others.
You also can try unsubscribing from the email list of any business that contacts you, but this isn’t foolproof. Some companies just take your request as evidence that they’ve got a valid email address to send pitches to.
A legislative remedy is needed. At the very least, companies should be required to specify what information is being collected and how it’s being used. This should be featured prominently and clearly at the top of all privacy policies, along with opt-out instructions.
Companies also should be required to provide lists of all marketing partners that receive information. If they’re so trustworthy, after all, what’s the concern?
David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @Davidlaz. Send your tips or feedback to email@example.com.
Must-read stories from the L.A. Times
Get the day's top news with our Today's Headlines newsletter, sent every weekday morning.
You may occasionally receive promotional content from the Los Angeles Times.