Thought leadership from our experts

Privacy-Based Class Actions: An Industry Trend

As aviation safety has improved over the last decade, leading to a decline in the U.S. in aviation personal injury casualty cases, there has been a concomitant rise in class actions filed against carriers. From claims based on purported violations of contracts of carriage to allegations of toxic cabin fumes, and, most recently, refunds due to cancellations as a result of COVID-19, the industry has and will continue to defend its fair share of class-based claims. For more than a decade, the trend has centered on alleged violations of privacy rights, data breaches and other contract based claims with overtones of personal injury such as privacy right violations.

Consumer Privacy Rights Based On Governmental Regulations

Following September 11, the U.S. Government required airlines to gather and provide certain passenger name record (PNR) data to government contractors and agencies that were preparing national security studies related to aviation. This request generated a string of passenger lawsuits claiming that the sharing of PNR data with third parties violated the airlines' express privacy policies and harmed the passengers.1 Plaintiffs brought statutory and common law claims against the airlines, alleging, inter alia, violations of privacy regulations and state consumer protection and unfair business practices statutes; breach of contract; trespass to property; invasion of privacy; unjust enrichment; and various other state law claims. The complaints sought undefined damages, punitive damages, and injunctive relief to the extent that damages were unavailable. While most courts dismissed the various state common law and breach of contract claims, they did so on different legal grounds–including federal preemption: to permit lawsuits under these statutes would allow states to improperly regulate how airlines manage personal information and communicate with their customers in connection with their ticketing and reservation services.2

State-Based Notification Statutes

Passenger-information based claims against airlines continued for alleged violations of the Telephone Consumer Protection Act and the California Penal Code § 630 for failing to notify potential customers that the calls were being recorded. These complaints assert claims for invasion of privacy and negligence and arise from a carrier's recording of a call without prior disclosure. Pursuant to the California statute (which falls under the penal code), the failure to provide prior notice of a recorded call is a per se violation mandating statutory damages of $5,000 per call. Carriers have been successful in arguing such claims are preempted by federal law, including the ADA, and positioning the class for early identification and resolution.

Similar claims were lodged asserting that an airline's mobile application violated, among other things, a state-based online privacy protection statute because, inter alia, it failed to post a privacy policy as required by the statute. 3 According to the complaint, the app allowed users to "check-in online for an airplane flight, view reservations for air travel, rebook cancelled or missed flights, pay for checked baggage, track checked baggage, access a user's frequent flyer account, take photographs, and even save a user's geo-location." The app allowed customers to send and receive information over the internet, which resulted in the collection of certain personally-identifying information from its customers. However, the airline purportedly did not post a readily-accessible privacy policy concerning the personally-identifiable information to its users, either on its website, at app stores which offered the app, or on the app itself. The app had been downloaded millions of time without the posted privacy policy and notice to consumers of how the airline collected or used their personal information. On appeal, the court recognized that the federal legislative presence in matters of air transportation is "longstanding and pervasive" and that the complaint (and the applicable privacy provisions) clearly "related to" the airline's services because they sought to regulate the mobile app, a "marketing mechanism[] appropriate to the furnishing of air transportation services." Specifically, the privacy statute "serves as a means to guide and police the marketing practices of the airline[]" by requiring the airline to meet state standards regarding privacy policy requirements. The obligations imposed by the statute "would have a significant impact upon the airline['s] ability to market [its] product … and hence a significant impact upon the fares they charge." As such, the court found that that the ADA preempted the state-law consumer protection claim as applied to the airline's app.

Online Data Breaches

Most recently, putative class actions were brought against a U.S. domestic carrier for alleged data breaches based on its online chat services. Specifically, the lawsuit alleged that the airline had an obligation to protect against data breaches, could have discovered the malware on its computer systems sooner, and, as a result of the data breach, the class will face years of surveillance of their personal and financial records and will continue to suffer damages.4 The court found that "the broad scope of ADA preemption sweeps claims as broad as those related to state consumer protection statutes, frequent flyer programs, common law covenants, and advertising guidelines because they all have a connection to the core part of the 'services' that an airline provides …". The court also dismissed the breach of contract claim against the airline. In the airline's Contract of Carriage with its customers, there is no self-imposed promise on how the airline would handle customer data. Nor do the terms promise specific procedures by third parties that have access to such data. Permitting plaintiff to read additional obligations into the Contract of Carriage is in direct contravention of the ADA's broad preemptive sweep. To the extent plaintiff relies on the privacy policy based on its privacy policy, it expressly states that it is "not a contract and does not create any legal obligations." Plaintiff also could not rely on any implied contract theory as it would plainly require an enlargement or enhancement of the airline's self-imposed obligations.

Conclusion and Best Practices

As set forth above, courts across the U.S. frequently dismiss these privacy and data breach claims, holding that the Airline Deregulation Act expressly preempts these statutory claims since they "relate to" an airline "price, route or service." To permit lawsuits under these statutes would allow states to improperly regulate how airlines manage personal information and communicate with their customers in connection with their ticketing and reservation services. This is an industry-protective, posture for courts to take, and reflects a broader preemption protection for airlines faced with privacy claims than that enjoyed by national banks, health care providers, and others in regulated industries.

To minimize the probability that such claims are brought at all, the following reflect good business practices for airlines and all other companies that regularly collect, handle and store computerized customer data:

  • Establish a privacy policy that identifies the types of customer data being collected through the company's website or otherwise, and provides a basis to understand how the data may be used.
  • Review the notices that are given to, and consents obtained from, customers and other individuals whose personal information is being collected.
  • Develop comprehensive data storage handling and destruction procedures consistent the requirements of the jurisdictions to which the airline flies or does business that will safeguard against the inadvertent or unauthorized disclosure of personal data to third parties.
  • Confirm that the company's security breach notification procedures comply with state and federal laws. Determine the most efficient way to notify customers of a breach of security.
  • Investigate the availability of insurance for cyber risks.
  • Retain independent professionals to conduct security audits of the company's policies, programs and actual practices.

1. See Privacy Rights Clearing House v. JetBlue Airways Corp., 2005 WL 3118798 (Cal. App. 4th Dist. Nov. 22, 2005); In re JetBlue Airways Privacy Litig., 379 F. Supp. 2d 299 (E.D.N.Y. 2005); In re Am. Airlines Privacy Litig., 370 F. Supp. 2d 552 (N.D. Tex. 2005); Copeland v. Northwest Airlines Corp., No. 04-2156 M1/V (W.D. Tenn. Feb. 28, 2005); Dyer v. Northwest Airlines Corporation, 334 F. Supp. 2d 1196 (D.N.D. 2004); In re Northwest Airlines Privacy Litig., No. Civ. 04-126, 2004 WL 1278459 (D. Minn. June 6, 2004).

2. See Airline Deregulation Act of 1978, 49 U.S.C. § 41713(b)(1) (the "ADA").

3. People ex rel. Harris v. Delta Air Lines, Inc., No. A139238, 2016 WL 3001805 (Cal. Ct. App., 1st Dist. May 25, 2016).

4. McGarry v. Delta Air Lines, Inc., et al., Case No. 18-cv-9827, 2019 WL 2558199 (C.D. Cal. Jun. 18, 2019) on appeal at 19-cv-55790 (9th Cir.).