The Atlanta Journal-Constitution
Airlines do little to protect your privacy
What’s the difference between selling, sharing info? Good question.
If someone says “sharing economy,” you probably think Uber or Airbnb. You should think instead about your privacy.
Do something online and your personal information will be shared with other businesses itching to spam you with marketing pitches. It’s a practice common to almost all industries.
The problem lies in how all this data sharing is disclosed to consumers — and how difficult companies often make it to limit who can access your info.
“Nobody thinks current practices represent adequate privacy protection for consumers,” said James Dempsey, executive director of the University of California, Berkeley’s Center for Law & Technology. “Privacy policies are written to provide companies with maximum discretion about how they will use customer information.”
Tech companies, telecom providers, retailers — any of these would illustrate the trend. For the sake of discussion, let’s look at airlines.
Ever hear of Resolution 787? Me neither, until this industrywide standard was recently pointed out to me. Basically, it’s a new system that allows airlines to collect data from passengers and exploit the information for marketing purposes.
In April, Democratic lawmakers asked the Department of Transportation to look into whether Resolution 787 does enough to ensure fairness and passengers’ privacy.
This got me wondering about airline privacy policies in general. How much privacy do they actually guarantee? Not much, it turns out. For example, Delta Air Lines’ privacy policy shows what consumers are up against when trying to figure out how their personal info will be used.
“We do not sell your name or other personally identifiable information to third parties, and do not intend to do so in the future,” it says emphatically and, you’d think, definitively.
But the very next sentence says: “We routinely share your information with our SkyMiles Partners and Promotional Partners.”
So they’d never “sell” your personal info, but they routinely “share” it? What’s the difference?
“For consumers, there’s no difference,” Dempsey said.
He said marketing partnerships typically are structured so that both companies — the data sharer and the recipient — receive a portion of any revenue that’s subsequently generated. “Maybe that’s not a ‘sale,’ but it’s still a financial relationship,” Dempsey said.
Points to United Airlines for at least being honest about how little privacy its customers can expect.
“United may use your information, either individually, in the aggregate, and/or combined with demographic information that we maintain or collect from third parties for marketing and advertising purposes,” it says in its privacy policy.
American Airlines declares that it “does not sell or share your personally identifiable information with third parties except in compliance with this privacy policy.”
That would be reassuring except for the admission two paragraphs later that American’s policy is to share passengers’ data “with carefully selected third-party companies with which we have a business relationship.”
I asked each of the airlines how passengers can find out which companies their information is being shared with. Not one came through with a straightforward answer to that question.
United implied that the only way to know is from the emails you receive.
If anything, the carriers seemed to resent being called to account for what they see as an everyone-does-it business practice.
A Southwest Airlines spokeswoman, Thais Hanson, initially responded positively to my email overture, saying she could help me get answers.
She was equally encouraging after I explained by phone that it seemed as though Southwest’s privacy policy reserved the right to share the data of its Rapid Rewards members with marketing partners, but was unclear about what the airline did with the information of people who aren’t in the rewards program.
Then Hanson emailed what she said would be “the official Southwest response”:
“What you’ve interpreted is one aspect of our privacy policy,” it said. “The full Southwest privacy policy governs how we share and disclose information and with whom we share that information.”
I asked Hanson to point me toward any other sections of the policy that might clarify the company’s use of customer data. No response.
Jeff Sovern, a law professor at St. John’s University in New York, said the Federal Trade Commission merely requires that companies live up to the terms of whatever they put in their privacy policies.
“If a company doesn’t promise to keep your information private, it generally doesn’t have to,” Sovern said.
Privacy experts say it’s up to consumers to do what they can to limit data sharing. It’s a timeconsuming hassle — and companies know this — but your best bet is to read through privacy policies and follow instructions to opt out of information being shared with others.
You also can try unsubscribing from the email list of any business that contacts you, but this isn’t foolproof. Some companies just take your request as evidence that they’ve got a valid email address to send pitches to.
A legislative remedy is needed. At the very least, companies should be required to specify what information is being collected and how it’s being used. This should be featured prominently and clearly at the top of all privacy policies, along with opt-out instructions.
Companies also should be required to provide lists of all marketing partners that receive information. If they’re so trustworthy, after all, what’s the concern?