As aviation safety has improved over the last decade, leading to a decline in the U.S. in aviation personal injury casualty cases, there has been a concomitant rise in class actions filed against carriers. From claims based on purported violations of contracts of carriage to allegations of toxic cabin fumes, and, most recently, refunds due to cancellations as a result of COVID-19, the industry has and will continue to defend its fair share of class-based claims. For more than a decade, the trend has centered on alleged violations of privacy rights, data breaches and other contract based claims with overtones of personal injury such as privacy right violations.
Consumer Privacy Rights Based On Governmental Regulations
Following September 11, the U.S. Government required airlines to gather and provide certain passenger name record (PNR) data to government contractors and agencies that were preparing national security studies related to aviation. This request generated a string of passenger lawsuits claiming that the sharing of PNR data with third parties violated the airlines' express privacy policies and harmed the passengers.1 Plaintiffs brought statutory and common law claims against the airlines, alleging, inter alia, violations of privacy regulations and state consumer protection and unfair business practices statutes; breach of contract; trespass to property; invasion of privacy; unjust enrichment; and various other state law claims. The complaints sought undefined damages, punitive damages, and injunctive relief to the extent that damages were unavailable. While most courts dismissed the various state common law and breach of contract claims, they did so on different legal grounds–including federal preemption: to permit lawsuits under these statutes would allow states to improperly regulate how airlines manage personal information and communicate with their customers in connection with their ticketing and reservation services.2
State-Based Notification Statutes
Passenger-information based claims against airlines continued for alleged violations of the Telephone Consumer Protection Act and the California Penal Code § 630 for failing to notify potential customers that the calls were being recorded. These complaints assert claims for invasion of privacy and negligence and arise from a carrier's recording of a call without prior disclosure. Pursuant to the California statute (which falls under the penal code), the failure to provide prior notice of a recorded call is a per se violation mandating statutory damages of $5,000 per call. Carriers have been successful in arguing such claims are preempted by federal law, including the ADA, and positioning the class for early identification and resolution.
Online Data Breaches
Conclusion and Best Practices
As set forth above, courts across the U.S. frequently dismiss these privacy and data breach claims, holding that the Airline Deregulation Act expressly preempts these statutory claims since they "relate to" an airline "price, route or service." To permit lawsuits under these statutes would allow states to improperly regulate how airlines manage personal information and communicate with their customers in connection with their ticketing and reservation services. This is an industry-protective, posture for courts to take, and reflects a broader preemption protection for airlines faced with privacy claims than that enjoyed by national banks, health care providers, and others in regulated industries.
To minimize the probability that such claims are brought at all, the following reflect good business practices for airlines and all other companies that regularly collect, handle and store computerized customer data:
- Review the notices that are given to, and consents obtained from, customers and other individuals whose personal information is being collected.
- Develop comprehensive data storage handling and destruction procedures consistent the requirements of the jurisdictions to which the airline flies or does business that will safeguard against the inadvertent or unauthorized disclosure of personal data to third parties.
- Confirm that the company's security breach notification procedures comply with state and federal laws. Determine the most efficient way to notify customers of a breach of security.
- Investigate the availability of insurance for cyber risks.
- Retain independent professionals to conduct security audits of the company's policies, programs and actual practices.
1. See Privacy Rights Clearing House v. JetBlue Airways Corp., 2005 WL 3118798 (Cal. App. 4th Dist. Nov. 22, 2005); In re JetBlue Airways Privacy Litig., 379 F. Supp. 2d 299 (E.D.N.Y. 2005); In re Am. Airlines Privacy Litig., 370 F. Supp. 2d 552 (N.D. Tex. 2005); Copeland v. Northwest Airlines Corp., No. 04-2156 M1/V (W.D. Tenn. Feb. 28, 2005); Dyer v. Northwest Airlines Corporation, 334 F. Supp. 2d 1196 (D.N.D. 2004); In re Northwest Airlines Privacy Litig., No. Civ. 04-126, 2004 WL 1278459 (D. Minn. June 6, 2004).
2. See Airline Deregulation Act of 1978, 49 U.S.C. § 41713(b)(1) (the "ADA").
3. People ex rel. Harris v. Delta Air Lines, Inc., No. A139238, 2016 WL 3001805 (Cal. Ct. App., 1st Dist. May 25, 2016).
4. McGarry v. Delta Air Lines, Inc., et al., Case No. 18-cv-9827, 2019 WL 2558199 (C.D. Cal. Jun. 18, 2019) on appeal at 19-cv-55790 (9th Cir.).