JetBlue Hits Turbulence For Violating Customer Privacy Policy

A group of passengers has filed a class-action lawsuit against JetBlue Airways Corp., charging the airline with violating its own privacy policy by providing a military contractor with passenger data. The suit, filed Monday in Utah's 3rd District Court, comes on the heels of a complaint filed Monday with the Federal Trade Commission by a privacy watchdog group over the same incident.

The lawsuit charges JetBlue with fraudulent misrepresentation, breach of contract, and invasion of privacy and seeks unspecified compensatory damages but no punitive damages.

JetBlue admitted Monday that it provided passenger names, addresses, and phone numbers to Torch Concepts Inc., a defense contractor that develops data-mining and pattern-recognition technology to identify potential terrorists. Torch Concepts used the data as part of a risk-assessment study to improve security at military bases.

On Monday the Electronic Privacy Information Center, a privacy advocacy organization, filed a complaint with the FTC against JetBlue and Acxiom Corp., a marketing database company, charging the two with violating consumer protection laws by providing Torch Concepts with customer data. The complaint says JetBlue provided information on 1.5 million passengers.

The privacy information center says Torch Concepts combined the JetBlue information with additional personal information from Acxiom, including demographic data and Social Security numbers, to determine if passengers could be deemed a security risk, according to the privacy information center complaint.

The privacy information center's complaint charges that JetBlue's and Acxiom's actions violated privacy policies posted on their Web sites. Violating published privacy policies is fraudulent under consumer protection laws.

JetBlue has already issued a public apology for the incident. Monday the airline released a statement saying it has retained the Deloitte & Touche consulting firm to "assist the airline in its analysis and continued development of its privacy policy" in light of the incident. The airline has not yet seen the class-action lawsuit and wouldn't comment.

Acxiom, in a statement, denies that data-processing work it performed for Torch Concepts under contract with the Department of Defense violated its privacy policy. Acxiom's policy, the company says, clearly states that the company provides information such as financial data and Social Security numbers to government agencies "for the purposes of verifying information, employment screening, and assisting law enforcement."

The privacy information center also filed Freedom of Information Act requests with the Federal Aviation Administration, the Transportation Security Administration, and the U.S. Army (which commissioned the Torch Concepts work) seeking additional information about the anti-terrorism screening program.

JetBlue provided passenger itinerary data--but not credit-card or payment information--to Torch Concepts "at the special request of the Department of Defense," according to the airline's statement. JetBlue also said it has been told by Torch Concepts that no "identifiable customer data" was shared with other parties, including the Defense Department or the transportation security administration, and that all the data has been destroyed.

JetBlue also said it has decided, unless mandated by law, that it will not participate in the CAPPS II (computer-assisted passenger prescreening system) program now being developed by the transportation security administration. JetBlue had initially agreed to participate in the development of CAPPS II.

The FTC has "been very active" in enforcing privacy regulations, "so we take allegations like this very seriously," says FTC spokeswoman Claudia Bourne Farrell. She could not say how long it will take to investigate the privacy information center complaint, although she said such complaints are often resolved by the parties through negotiation and consent decrees.