Analysis

The Department of Transportation’s Underused Privacy Authority

September 9, 2024 | Anna Young, EPIC Law Clerk

Historically, the Department of Transportation has underused its privacy enforcement authority. The Federal Trade Commission’s (FTC) decades of unfair and deceptive practice enforcement can serve as an example for the Department of Transportation’s (DOT) own enforcement authority. In 1966, Congress established the DOT to coordinate the national transportation system and keep the nation’s infrastructure up to date. In 1938, the FTC and the Civil Aeronautics Authority were granted unfair and deceptive practice authority. The DOT was given enforcement authority in 1985. The DOT unfair and deceptive practice authority mirrors the FTC authority. However, unlike the FTC, the DOT has used its authority sparingly. Due to the rise of invasive airline data practices and facial recognition technology at airport gates, EPIC strongly encourages the DOT to use its unfair and deceptive enforcement authority to address harmful privacy practices.

Despite the similarities between the DOT’s and the FTC’s unfair and deceptive authority, the scope of the DOT’s authority remained unclear for many years. The DOT only relatively recently defined the terms “unfair” and “deceptive” in a December 2020 final rule. In August 2022, the DOT issued guidance on these definitions in response to an Executive Order by President Biden. In the guidance, the DOT explicitly explains that the definitions are modeled after the FTC’s authority.

The DOT defines a practice as unfair “if it causes or is likely to cause substantial injury, which is not reasonably avoidable, and the harm is not outweighed by benefits to consumers or competition.” A practice is deceptive “if it is likely to mislead a consumer, acting reasonably under the circumstances, with respect to a material matter.” And “[a] matter is material if it is likely to have affected the consumer’s conduct or decision with respect to a product or service.”

The DOT is the only federal agency that can regulate certain airline practices, like invasive data collection or the use of facial recognition technology. The FTC’s enforcement authority specifically excludes domestic and foreign airline activities. Additionally, Congress eliminated state court, state legislative, and state attorney general authority to regulate air travel in the 1978 Airline Deregulation Act. For example, in the cases In re JetBlue Airways Corp. Priv. Litig. and In re N.W. Airlines Priv. Litig., plaintiffs filed a class action claiming that JetBlue illegally transferred their personal information to a data mining company. However, the state privacy and deceptive trade practice claims were dismissed because the Airline Deregulation Act, which removed federal regulations from airline economic competition, expressly preempted state laws. Therefore, the best way to regulate airline practices currently is through the DOT’s unfair and deceptive authority. There are two areas where it is essential that the DOT use its unfair and deceptive authority: (1) airline data collection and (2) the use of facial recognition technology at gates.

Airline Data Collection

Invasive and expansive consumer data collection is a common practice across most airlines. The collected data is then widely distributed to third-party companies. This distribution exceeds the scope of what is necessary to serve a consumer, and it is likely beyond the consumer’s awareness. Given the DOT’s recent guidance, airlines’ data collection practices may constitute an unfair practice.

Airlines collect a vast amount of consumer information. Airlines collect booking details like name, passport number, and license number, but also credit card information, tax ID, luggage weight, travel patterns, seat selections, meal choices, flight history, internet sites customers visit on the airline’s Wi-Fi, and complaints. Airlines also collect much more sensitive personal information like images, biometric data, and health information. Southwest Airlines collects consumer “social media account information” and more sensitive information like “present and future health status, and genetic information.” Airlines claim that the information personalizes the customer’s in-flight experience with personalized advertisements, or nearby hotels and car rentals.

Airlines share consumer data widely. For example, Delta lists all of the types of third parties to which it discloses customer data, including: “data centers, biometric verification services, and online tools,” others acting on behalf of the consumer, Delta airline partners, promotional partners (like Starbucks and Lyft), travel agencies, banks, financial firms, payment services, and government agencies. American Airlines similarly discloses consumer information to other airlines, credit card partners, third-party vendors, and travel industry partners. United Airlines states that it discloses consumer data to service providers, non-affiliated third parties, marketing partners, and research firms.

These airlines, including Southwest, allow third parties to collect consumers’ personal information to display personalized advertisements on consumer-facing websites. However, the airlines do not acknowledge that they are “selling” consumer information. Rather, airlines explain that they are “disclosing” consumer data to third parties. Thus, third parties are incentivized to partner with airlines for the airlines to “disclose” the consumer data. While airlines are not “selling” consumer data, the data is a driving factor for other companies to form relationships with airlines.

Airline collection of sensitive consumer data can be investigated under the DOT’s unfair practice authority. First, current airline data collection practices likely cause substantial injury to consumers. Increasing consumer data collection, retention, and disclosure with many business sectors increases consumers’ risk of data breaches or unauthorized access and subsequent disclosure of their personal information. For instance, in 2022, American Airlines experienced a data breach and hackers gained access to consumer information. In 2021, hackers obtained American Airlines’ consumer information from a third-party partner. In 2023, American and Southwest Airlines were hacked, which resulted in thousands of employee applicants’ data being released. Across the globe, many companies face heightened data security risks. The Federal Bureau of Investigation (FBI), Verizon, and the Identity Theft Resource Center have all reported an increase in data breaches in the past decade. Additionally, consumer harm from data breaches can include identity theft, money lost from misuse by data hackers, time spent fixing their financial situation, or paying for services to monitor the consumer’s credit. Consumers may also institute a credit freeze, close bank accounts, change their passwords, and exercise greater skepticism on phishing attempts.

Second, this type of consumer injury is not reasonably avoidable, whether airlines specifically ask customers for this information or automatically collect it. At times, airlines require consumers to provide personal information to continue with purchasing a ticket. For example, to create a frequent flyer account with United Airlines, the consumer must provide their name, date of birth, email address, phone number, gender identity, and home address. The consumer must also agree to United’s terms and conditions and privacy policy, which includes United disclosing the consumer’s information to third parties.

Lastly, the benefits of targeted advertisements and hotel suggestions do not outweigh the increased risk of privacy and data security harms. These harms can result in significant financial and identity complications for average consumers. Therefore, the airline data collection practices likely constitute an unfair practice under the DOT’s authority.

Facial Recognition Technology at Airport Gates

Next, under its deceptive practices authority, the DOT should investigate airlines’ use of facial recognition technology at boarding gates. A practice is deceptive when it “is likely to mislead a consumer, acting reasonably under the circumstances, with respect to a material matter.” By using facial recognition technology at gates, airlines mislead consumers by using the information extracted from the images in ways that consumers cannot anticipate or control. Additionally, because undisclosed third-party companies are given the sensitive consumer data, consumers are placed at a heightened data security risk. Thus, airline practices and uses of facial recognition technology are likely a deceptive practice.

First, this practice is “likely to mislead a consumer” because airlines do not adequately or conspicuously disclose biometric data collection and retention practices. Thus, airlines do not notify people who may not want their face data extracted and used. Additionally, airlines do not always disclose if they retain consumers’ photos. Customs and Border Protection (CBP) states in a privacy impact assessment and in a statement to Congress that airlines are not allowed to retain photos taken for identification. However, airlines potentially could take a second photo and retain it for business purposes. Airlines would then disclose those photos to third-party partners. For example, Delta takes consumer biometric information, like fingerprints, faces, voices, or eye scans, and discloses it to business partners. Additionally, CBP’s restriction only applies when airlines use CBP’s facial recognition system known as the Traveler Verification Service. It does not apply if the airline uses a different facial recognition system.

United Airlines has no biometric data privacy policies on its website, but still uses biometric technology. A class action filed by consumers alleged that United boarding kiosks in the Chicago O’Hare Airport “unlawfully scan, capture and store the facial geometry of Illinois consumers.” The plaintiffs sued under the Illinois Biometric Information Privacy Act (BIPA), which requires that companies inform their consumers about the length of time and purpose when storing or collecting their personal information and obtain the consumer’s written consent. Plaintiffs claimed that United did not warn or ask for consumers’ consent before the gate agents used facial recognition technology to photograph their faces and extract the data. While consumers can opt out of the process, United did not inform them of this option and did not disclose to consumers the length of time their data is stored or the purpose of storing their data.

Second, consumers are “acting reasonably under the circumstances.” While boarding an airplane, consumers are in long lines, anxious to board, following behind other passengers, and potentially nervous about their physical safety. Additionally, airline agents often do not explain what the technology is or does to passengers. The agents do not explain if there is an opt-out option or show a notice explaining an opt-out procedure. Therefore, to maintain a quick and safe boarding process, it is reasonable for passengers to do whatever the boarding agents ask.

Lastly, the use of facial recognition is a material matter. To reiterate, “[a] matter is material if it is likely to have affected the consumer’s conduct or decision with respect to a product or service.” To be considered “material,” the use of facial recognition technology must affect a consumer’s decision to use the service. Recent survey reports can establish materiality. A Pew Research Center study shows that when products have privacy concerns, over half of Americans will not use the product. A survey regarding facial recognition technology in health and research contexts showed that 22% of those surveyed would want to opt out of the technology and 55% said that they were worried about the privacy aspects of the technology.

In response to the public’s concern about privacy, members of Congress have called for better privacy protections, and Illinois passed the Biometric Information Privacy Act, which established standards for companies handling consumer biometric information. Many other states, including Maryland, Maine, and Vermont, considered privacy protections this past legislative session. As the airlines fail to notify consumers of the facial recognition technology or provide an opt-out notice, consumers do not have the chance to change their decision or conduct.

Recommendations

The DOT should use its privacy authority to combat airlines’ unfair and deceptive practices. EPIC recommends that to strengthen consumer protection, the DOT should mandate strict data minimization practices, require written informed consent to share biometric data, and ensure clear communication regarding airline use of consumer data. Data minimization practices increase consumer privacy and data security, and ensure companies only collect the data they need based on the consumer interaction. Relatedly, airlines’ use of facial recognition technology during boarding should not also increase the airline’s profits or be used as a business partnership benefit. Consumers should be informed when and how their image is being used and have the option for an airline agent to check their identification manually.
