EPIC Submits Privacy Complaint To FTC Regarding JetBlue

September 22, 2003. The Electronic Privacy Information Center (EPIC) submitted a complaint to the Federal Trade Commission (FTC) in which it alleged that JetBlue Airways Corporation and Acxiom Corporation violated Section 5 of the Federal Trade Commission Act (FTCA), codified at 15 U.S.C. 45(a)(1), in connection with the disclosure of consumer personal information to Torch Concepts Inc.

The EPIC alleges that JetBlue collected personal information from its customers through its web site, and promised customers in its privacy policy that it would not share this information, but did in fact provide the information to an information mining company at the request of the Department of Defense (DOD). The EPIC alleges that this constitutes a deceptive trade practice that violates the FTCA.

The EPIC wants the FTC to conduct an investigation, impose an injunction, collect fines, order JetBlue to disclose to its customers that their personal information was disclosed, and provide such other relief that may make life miserable for JetBlue.

The complaint alleges that JetBlue is a low fare passenger airline that sells tickets through its web site, and that it collects personal information through this ticketing process. The complaint further alleges that JetBlue states in its website that it does not share personal information with third parties.

However, the complaint states that, contrary to its privacy policy, "JetBlue disclosed the names, addresses and phone numbers of JetBlue passengers to Torch Concepts at the request of the Department of Defense." The complaint states that Torch is an information mining company.

JetBlue does not dispute many of the factual allegations in the EPIC complaint. It issued a release on September 22 in which it stated that "At the special request of the Department of Defense, the airline shared passenger itineraries but did not provide payment or credit card information to Torch Concepts." JetBlue conceded that this included "name, address and phone number, along with flight information".

JetBlue stated that Torch is a defense contractor that is working on a project concerning military base security.

JetBlue also stated that "it will not be a test airline nor has it ever shared customer information for the TSA's CAPPS II program and will not do so unless required by law. While, in the interests of the safety and security of its customers, JetBlue had entered into discussions with the TSA regarding the CAPPS II program and had agreed initially to participate in its development, the airline decided against further participation unless federally mandated due to concerns for customer privacy and the uncertainty of the final structure of CAPPS II."

CAPPS is an acronym for Computer Assisted Passenger Prescreening System. Before the terrorist attacks of September 11, 2001, the airlines conducted passenger screening, and administered the CAPPS I, subject to federal guidelines. In late 2001, the Congress passed the Aviation and Transportation Security Act, which created the Transportation Security Administration (TSA) as a unit of the Department of Transportation (DOT). This Act gave the TSA responsibility for airport passenger screening. In late 2002, the Congress passed the Homeland Security Act, which, among other things, created the Department of Homeland Security (DHS), and transferred the TSA from the DOT to the new DHS.

The new CAPPS II, the next generation passenger screening system, will be a government (TSA) run system that replaces CAPPS I. The EPIC, and others, have privacy related concerns about the CAPPS II.

The EPIC complaint also names Acxiom. It alleges that "Torch Concepts purchased from Acxiom demographic data on approximately 40% of the passengers whose itineraries JetBlue had already disclosed to Torch Concepts. The information Acxiom provided to Torch Concepts about these passengers included gender, home specifics (owner/renter, etc.), years at residence, economic status (income, etc.), number of children, Social Security number, number of adults, occupation, and vehicle information."

The FTC has consumer protection authority under the FTCA. 15 U.S.C. 45(a)(1) provides that "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful."

The FTC has no specific statutory authority with respect to privacy. However, it has acted under the FTCA against entities that have violated their published web site privacy policies.

Also, while the EPIC's complaint is structured like a legal pleading, the FTCA creates no administrative cause of action for private parties. Parties, such as EPIC, may submit complaints to the FTC. In fact, the FTC encourages the submission of public complaints. However, it is within the sole discretion of the FTC to determine whether to conduct any investigation, or take any action.

Nevertheless, the EPIC has a track record of success in persuading the FTC to take action against companies for their privacy related practices. For example, in July of 2001, the EPIC and others submitted a complaint to the FTC regarding Microsoft's Passport and other software and services. See, original complaint [PDF] of July 26, 2001, and updated complaint [PDF] of August 15, 2001.

See also, stories titled "EPIC Complains about Microsoft Passport" in TLJ Daily E-Mail Alert No. 250, August 16, 2001; "EPIC Seeks Government Investigations of Microsoft's Passport" in TLJ Daily E-Mail Alert No. 357, January 30, 2002; and "EPIC Complains to FTC About Windows XP" in TLJ Daily E-Mail Alert No. 236, July 27, 2002.

The FTC acted upon the EPIC's complaints. On August 8, 2002, the FTC brought and settled an administrative complaint against Microsoft. The complaint alleged that Microsoft "represented, expressly or by implication, that it maintained a high level of online security by employing sufficient measures reasonable and appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers in connection with the Passport and Passport Wallet services", whereas, in fact, Microsoft "did not maintain a high level of online security ..."

The FTC and Microsoft simultaneously entered into an Agreement Containing Consent Order. Microsoft admitted to no violations of federal law. Microsoft paid no fine. However, the agreement, which has a twenty year duration, imposed numerous requirements for Microsoft's information security program. See, stories titled "FTC Files and Settles Complaint Against Microsoft", August 8, 2002, also published in TLJ Daily E-Mail Alert No. 488, August 9, 2002; and "EPIC Comments on FTC's Proposed Consent Order Affecting Microsoft's Privacy Practices" in TLJ Daily E-Mail Alert No. 505, September 10, 2002.