British Airways shows everyone how not to GDPR

Let’s all take a minute to appreciate the view in the British Airways social media cockpit, where staffers at the coalface of the airline’s Twitter account have presided over a wildly unusual ‘interpretation’ of Europe’s new data protection rules.

One that, er, suggests quite the opposite of GDPR compliance… Given the company’s social media staff have been caught unintentionally encouraging customers to post personal data (such as their address and passport number) into a public forum — by failing to make it clear they should only send the information via a DM (i.e. rather than post it publicly to Twitter, as some apparently did) — and here’s the anti-privacy cherry! — claiming it’s necessary for GDPR compliance!

Insert your own [facepalm of choice]…

Some hours later BA’s social media staff did realize their error, though — clarifying in a subsequent tweet to customers to “send this information to us in a Direct Message”…

In a statement BA told us: “We take our responsibility to protect our customers’ details very seriously. We’d never ask customers to send personal information publicly.  When a genuine error is made, we will always go back to the customer to clarify this.”

​”Our social media colleagues look after around 2,000 enquiries a day, and like all customer service teams we are always careful to confirm that we are talking to the right person before making any changes to their booking,” it added.

So clearly the company wasn’t intending what happened to have happened.

However Mustafa Al-Bassam, the UCL information security PhD student who flagged the company’s social media fail in the above Twitter thread has since filed his own data protection complaint against British Airways — after finding its check-in page was leaking his personal data to a bunch of third parties for ad targeting purposes.

Now that could be okay — say if the company asked for and gained consent for sharing his data. Or if it had another valid legal basis for collecting data, i.e. other than consent. Though it’s pretty hard to imagine what might legally justify an airline sharing paying customers’ personal information and travel data with advertisers without their express consent…

Well, Al-Bassam says he was not asked for consent to share his information with advertisers. And if you’re processing data by consent — as British Airways’ privacy policy appears to suggest is what the company thinks it’s doing here — then GDPR does in fact require you to actually ask for and actually obtain consent first.

The Information Commissioner’s Office GDPR guidance on consent in fact states [emphasis ours]:

Consent means giving people genuine choice and control over how you use their data. If the individual has no real choice, consent is not freely given and it will be invalid.

This means people must be able to refuse consent without detriment, and must be able to withdraw consent easily at any time. It also means consent should be unbundled from other terms and conditions (including giving separate granular consent options for different types of processing) wherever possible.

The GDPR is clear that consent should not be bundled up as a condition of service unless it is necessary for that service:

Article 7(4) says:

“When assessing whether consent is freely given, utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

And Recital 43 says:

“Consent is presumed not to be freely given… if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

tl;dr: Consent by default is not consent. Consent must be offered as a frictionless, consequence-free choice, and the choice must also be informed and explicit.

So if BA is trying to bundle consent for ad targeting against its customers’ data into another purpose that could be problematic. Say such as by embedding a catch-all ‘consent’ in the depths of a privacy policy. (Hint: Nope! Bundling consent is not GDPR compliance! Consent must be informed and explicit, and bundling is not that.)

Likewise, we also would not recommend just saying the word ‘GDPR’ out loud three times while looking in the mirror and hoping that’s consent. Because GDPR compliance does not mean what you hope GDPR compliance means.

A BA spokeswoman told us the company asks for consent to share customers’ personal data with third party advertisers via its Cookies Policy

Here, in a section on marketing, the policy states [emphasis ours]:

Cookies are used to enable us to present appropriate messages to you. For example, to:

  • allow ba.com to serve up different versions of a page for marketing purposes
  • control invitations on ba.com for instant credit card offers
  • allow third parties to display appropriate advertising and to track its effectiveness
  • display messages which offer a selection of products based on what you’re viewing on ba.com, which are presented to you by our agency when you visit other selected websites. This is known as online behavioural advertising. For more information please see What is online behavioural advertising?

The policy specifies that BA uses cookies for four purposes: Technical (e.g. balancing website traffic); ease of use (such as remembering a website visitor’s language choice); tracking (to gather site stats); and — uh — for marketing.

On the latter purpose the company specifies that its cookies are used to enable it to present “appropriate messages” to site visitors, such as to serve up different versions of its website for marketing purposes; and — emphasis ours — to allow third parties to display appropriate advertising and to track its effectiveness.

So if you accept BA’s cookies policy your data will be passed to third party advertisers.

How then do BA customers opt out of having their personal information shared with advertisers? The company suggests they alter the settings on their browser to refuse to accept cookies. “For further information about how to refuse cookies, please refer to your browser ‘help’ section or see www.allaboutcookies.org,” it writes in its Cookies policy.

“You can choose to opt out of this type of advertising permanently by going to http://www.networkadvertising.org/choices,” it also says before warning that users who delete their cookies will also delete its ability to know they opted out from ads “so the banners from our third-party will reappear when you visit other selected websites”.

🤔

Asked if it could give the company any GDPR guidance, a spokesperson for the UK’s data protection watchdog told us: “Any personal information that an organisation asks for must be limited to what’s necessary for that purpose. Any processing of that information must be secure and take appropriate technical and organisational precautions.”

The ICO’s website contains a wealth of expert guidance for companies trying to figure out how to comply with GDPR — and even includes this very specific example of how not to obtain consent [emphasis ours]…

An online furniture store requires customers to consent to their details being shared with other homeware stores as part of the checkout process. The store is making consent a condition of sale – but sharing the data with other stores is not necessary for that sale, so consent is not freely given and is not valid. The store could ask customers to consent to passing their data to named third parties but it must allow them a free choice to opt in or out.

Of course the airline is by no means the only company failing entirely to grok GDPR. The regulation is still pretty new (having come into force on May 25) and there are clearly A LOT of privacy dents still to be ironed out all around the online place.

Some of these are accidental and/or idiotic kinks. While others look much more like an intentional deforming of the rules (hi Facebook!). But given the GDPR regime also supports punitive fines for compliance breaches (hello lawsuits!) it’s to be hoped that none of these privacy fails — accidental, spectacularly stupid, intentionally hostile or otherwise — will be around for too long.

This report was updated to specify that BA’s social media staff subsequently informed customers they should send their personal data via DM, and to include statements from the company and details from its Cookies Policy