Thanks for the birthday card, Southwest Airlines.
The computer-generated missive, complete with signatures of the airline’s executives, landed in my mailbox just before the big day. At first I was flattered by the thoughtful gesture. But then I was troubled.
How did they know my birthday?
And then it occurred to me: Airlines are now requiring passengers to provide their full name as it appears on a government-issued I.D., their date of birth and their gender as part of the Transportation Security Administration’s new Secure Flight initiative.
You probably know Secure Flight as the pesky requirement that the name on your passport or driver’s license be an exact match with the name on your airline ticket. But the program is much more than that. With the extra passenger data, the agency promises to improve the travel experience for all airline passengers, particularly those who have been misidentified as terrorists in the past.
With Secure Flight now operational domestically and expected to be in place for international flights by the end of the year, I think it’s worth asking how those data are being employed. Specifically, can an airline use my personal information, such as my date of birth, to send me a card – or a promotional offer?
Southwest says it doesn’t use Secure Flight data for promotional purposes and complies with all rules regarding the information. And in fact, a review of my records showed that I’d given Southwest my date of birth when I updated my frequent-flier account information several months earlier.
I asked the TSA about the personal information used for the program, and a representative pointed me to a statement on the agency’s Web site assuring air travelers that the data are collected, used, distributed, stored and disposed of according to stringent guidelines and all applicable privacy laws and regulations.
The actual requirement can be found in a document called the System of Records Notice. It specifies what information can be gathered (your name, birth date and gender), whom it can be shared with (the TSA and various law enforcement agencies, as appropriate) and when it must be disposed of (a week after your flight, for most records).
Seems pretty reasonable. And my attitude toward privacy appears to be common among the jet set.
“I honestly don’t mind providing an airline with data,” said Lawrence Sherman, an executive with an educational company in Fort Washington, Pa. “I don’t want the info to be used for other purposes.”
But airlines see an opportunity to “maximize the marketing and other commercial value of this government-coerced informational windfall,”asserted Edward Hasbrouck, a consultant to the Identity Project, a privacy advocacy organization for travelers. And drawing a fine line between data collected for Secure Flight and information gathered for other purposes, such as frequent-flier program account information, may allow them to do that.
“It renders meaningless any restrictions on which of this data is retained, or for how long, by the government itself,” Hasbrouck added.
I checked with several federal agencies, including the Department of Transportation and the Federal Trade Commission, that might have jurisdiction over data included in airline reservations.