Who owns the records of your travel?

Should airlines be allowed to pawn travel records to cover cash-flow problems?

travel recordsDo you want all the details of your airline travel records sold to a data mining company? Did you ask for Kosher or a Halal meal? Which countries or airports did you travel to? Who did you sit next to? What emergency contact information did you provide? What movies did you order from pay-per-view when staying in a hotel? Should that information be for sale to the highest bidder — without your consent?

United Airlines thinks it can and should. Other airlines are expected to imitate them in mortgaging their customer data archives. American Airlines has done something similar. AA has used its frequent flier program with all of its data as collateral for the government bailout loans granted during the pandemic. The AA deal was with the government. The United deal is with private banks.

Your travel records have just been sold by United Airlines to banks.

In a filing with the Securities and Exchange Commission, United Airlines has disclosed that its use of data as collateral. The carrier has agreed to a US$5 billion loan from a consortium of banks. As a condition of that loan the airline has committed to:

  1. Transfer “ownership” of United Airlines and MileagePlus customer data to a subsidiary company, “MileagePlus Intellectual Property Assets, Ltd.” (MIPA), and
  2. Pledge this data and reservation records as collateral to secure the US$5 billion loan in case of bankruptcy.

If the airline defaults on the loan, that travel data can be sold to the highest-bidding data broker to satisfy the airline’s debt. United Airlines thinks that the traveler data is its the most valuable remaining unencumbered asset.

The banks value United’s customer data at US$5 billion. This is 10 percent more than the $4.5 billion valuations placed on the airline’s physical business assets. Those assets and landing and takeoff slots, gates, and routes are collateral for other loans. Airplanes might seem more obvious tangible assets for an airline to pledge as collateral for loans. But planes are often owned by leasing companies, not airlines, or have already been pledged as collateral to secure earlier loans.

United Airlines executives reportedly expect other airlines to follow United’s example and mortgage their customer data archives.

Did you give United Airlines permission to sell your travel data? It assumes so. Travelers United and I do not think so.

Spinning off a frequent flyer program as a separate business from the airline that created it is not unprecedented. The Air Canada holding company, for example, divested itself of all of its holdings in the “Aeroplan” program. It created a wholly-owned subsidiary in 2008 when it needed cash. Later it bought the data back in 2018 when it felt more flush. But pledging personal data owned (at least under U.S. law) by a travel corporation as collateral for a loan is a first, so far as I can tell.

Consumer groups have long advocated for a federal consumer privacy law applicable to PNR data and other travel records. More than a decade ago, in a formal submission to the Federal Trade Commission (FTC), Travelers United (then called the Consumer Travel Alliance), the Consumer Federation of America, and I pointed out the need to include protection for travel data in airline bankruptcies:

The issue of whether data about me is “my data”, or is actually owned by commercial entities that have collected or obtained it, is most important when such a company goes bankrupt.

No consumer actually intends to agree, when they provide personal information to a business, that if the company goes bankrupt, that personal information not only can but should and must be sold to the highest bidder.

No travelers have agreed to have their travel data sold to the highest bidder.

Airlines make contractual commitments to travelers. Personal data should be removed from the class of “assets” subject to sale or transfer. In pandemic legislation, personal data should be protected just as medical records. Any government subsidies to airlines should include privacy protections.

How to file in small claims court for airline disputes
Join Travelers United and get VPN for secure WiFi

Here is the non-contract provision that United Airlines is using to justify its sale of your data

Would a sale of passenger data, or a seizure to satisfy a loan for which it had been pledged as collateral, be permitted by United’s privacy policy and tariff? Possibly. Here’s what United Airlines says in its conditions of carriage about the sale or transfer of personal data. Note that it clearly states that its privacy policy is not part of its contract of carriage. United Airlines thus has stated that this is not a contractional right. No member of the frequent flier program has contracted with United Airlines to give up their personal data.

Rule 30 Consent to use of Personal Data

Upon booking a ticket for transportation, purchasing other services, or participating in any UA program or service such as MileagePlus or the United Club, you hereby authorize UA and its affiliates and authorized agents to (i) collect, process, retain and use, and (ii) transfer to third parties, including, but not limited to, subcontractors, agents, affiliates, marketing partners, other carriers, and government agencies, for their use, processing and retention, any and all personal data you provide when UA believes in good faith that … disclosure is otherwise … advisable or as UA deems necessary to carry out any and all business purposes related to the program …

If a passenger wants to learn more about UA’s Privacy Policy, it may be viewed at www.united.com. This policy is merely a statement of administrative protocol; it is not a contract, nor is it made, or intended to be made, a part of this Contract of Carriage, nor does it create any contractual or legal rights.

DOT should stop the sale of personal data or Congress needs to step in. Plus, international privacy laws will already provide some additional privacy protections.

The DOT could and should issue guidance clarifying what an airline describes as a privacy “policy.” When that “policy” creates no legal rights and isn’t incorporated into the airline’s contractual conditions of carriage is an unfair and deceptive practice. If the DOT won’t do this, Congress could and should write this into the statute. Some legal scholars have also argued that, even outside the airline context, mortgaging personal data without explicit prior disclosure of this possibility is an unfair and deceptive practice.

United Airlines collects data from and about individuals in many countries. These countries do not treat personal data ownership in the same way the US does. Foreign data protection authorities, such as those in the European Union, may deny United’s latest actions to use customer data as collateral. The consumers’ quest for “digital sovereignty” is an ongoing struggle.