Before the
Federal Trade Commission
Washington, DC
In the Matter of JetBlue Airways Corporation
and
Acxiom Corporation.Complaint and Request for Injunction, Investigation
and for Other Relief
INTRODUCTION1. This complaint concerns the privacy practices of JetBlue Airways Corporation and Acxiom Corporation. As set forth in detail below, JetBlue Airways Corporation and Acxiom Corporation have engaged in deceptive trade practices affecting commerce by disclosing consumer personal information to Torch Concepts Inc., an information mining company with its principal place of business in Huntsville, Alabama, in violation of 15 U.S.C. § 45(a)(1). JetBlue Airways Corporation and Acxiom Corporation engaged in these activities without the knowledge or consent of the affected consumers, and in contravention of public assurances that the personal information it collects would not be disclosed to third parties. The public interest requires the Commission to investigate these practices and to enjoin JetBlue Airways Corporation and Acxiom Corporation from violating the Federal Trade Commission Act, as alleged herein.
PARTIES
2. The Electronic Privacy Information Center ("EPIC") is a non-profit, public interest research organization incorporated in the District of Columbia. EPIC's activities include the review of government and private sector policies and practices to determine their possible impacts on individuals' rights. Among its other activities, EPIC has prepared reports and presented Congressional testimony on Internet and privacy issues.
3. JetBlue Airways Corporation ("JetBlue") is a commercial airline passenger carrier. JetBlue was incorporated in Delaware in 1998 and maintains its principal place of business at 118-29 Queens Boulevard, Forest Hills, New York 11375. JetBlue has flown over 10 million passengers since commencing operations in February 2000, and is the 11th largest passenger carrier in the United States based on revenue passenger miles for the year ended December 31, 2002. At all times material to this complaint, JetBlue's course of business, including the acts and practices alleged herein, has been and is in or affecting commerce, as "commerce" is defined in Section 4 of the Federal Trade Commission Act, 15 U.S.C. § 44.
4. Acxiom Corporation ("Acxiom") was founded in 1969, is incorporated in Delaware and maintains its principal place of business at 1 Information Way, P.O. Box 8180, Little Rock, Arkansas 72203-8180. Axiom notes that it has become "a global leader in helping large companies and government agencies manage the information they have about individuals . . . by offering innovative marketing and reference services and technologies, along with various information products."[1] At all times material to this complaint, Acxiom's course of business, including the acts and practices alleged herein, has been and is in or affecting commerce, as "commerce" is defined in Section 4 of the Federal Trade Commission Act, 15 U.S.C. § 44.
THE IMPORTANCE OF PRIVACY PROTECTION
5. The right of privacy is a personal and fundamental right in the law of the United States. The privacy of an individual is directly implicated by the collection, use, and dissemination of personal information. The opportunities for an individual to secure employment, insurance, and credit, to obtain medical services, and the rights of due process may be jeopardized by the misuse of certain personal information.
6. United States privacy law has by tradition protected the privacy of consumers in the offering of new commercial services enabled by new technologies, and increasingly recognizes the importance of purpose specification and use limitation when companies use consumers' personal information.
7. United States law provides federal protections for the Social Security number, recognizing that it is used as an identifier for databases including a wide range of financial, medical, educational, and credit information. The Privacy Act of 1974 regulates the government's collection, maintenance, use, and dissemination of personal information, and specifically provides protections for the Social Security number.[2] The Privacy Act also states that contractors working on systems of records on behalf of the government are subject to the same Privacy Act restrictions as the government.[3]
8. Many Americans today are "concerned" or "very concerned" about the loss of privacy, particularly with regard to commercial transactions that take place over the Internet. One recent poll has indicated that the "loss of personal privacy' is the number one concern facing the United States today.
9. The Federal Trade Commission today plays a critical role in protecting consumer privacy, particularly with respect to the offering of commercial services over the Internet, and the resulting collection and use of personal information.
STATEMENT OF FACTS
Background
10. Torch Concepts Inc. ("Torch Concepts") is a Huntsville, Alabama-based company that specializes in information mining.[4] Torch Concepts' projects include pattern recognition technology developed for the Department of Defense.[5]
11. The New York Times reported that prior to September 2002, Torch Concepts was hired by the United States Army "to determine how information from public and private records might be analyzed to help defend military bases from attach by terrorists and other adversaries."[6]
12. The Washington Post reported that in September 2002, Torch Concepts acquired from JetBlue the itinerary information of over 1.5 million passengers, including passenger names, addresses, and phone numbers.[7]
13. According to Wired News, Torch Concepts acquired this information with the assistance of the Transportation Security Administration, which facilitated the transfer of the passenger information from JetBlue to Torch Concepts.[8]
14. In October 2002, Torch Concepts purchased from Acxiom demographic data on approximately 40% of the passengers whose itineraries JetBlue had already disclosed to Torch Concepts. The information Acxiom provided to Torch Concepts about these passengers included gender, home specifics (owner/renter, etc.), years at residence, economic status (income, etc.), number of children, Social Security number, number of adults, occupation, and vehicle information.[9]
15. On or about February 25, 2003, Torch Concepts made a presentation entitled "Homeland Security Airline Passenger Risk Assessment" at a conference sponsored by the Tennessee Valley Chapter of the National Defense Industries Association. The presentation is attached hereto as Exhibit A.[10]
16. Wired News reported that "Homeland Security Airline Passenger Risk Assessment" contained the findings of a Torch Concepts study attempting "to measure the viability of verifying and scoring passengers by checking them against data-aggregation companies' files."[11]
17. The study was based upon the passenger data supplied by JetBlue and Acxiom, references to which are included throughout "Homeland Security Airline Passenger Risk Assessment."[12]
18. The presentation disclosed "Anomalous Demographic Information" on one JetBlue passenger, including addresses, cities, states, zip codes, Social Security numbers, date of birth, and lengths of residence, though the passenger was not identified by name.[13]
19. The Tennessee Valley Chapter of the National Defense Industries Association posted the Torch Concepts presentation on its website, where it remained available until September 16, 2003.
JetBlue's Disclosure of Consumer Personal Information
20. JetBlue is a commercial airline passenger carrier that has been in operation since February 2000. It describes itself as "a low-fare, low-cost passenger airline that provides high-quality customer service primarily on point-to-point routes."[14]
21. JetBlue maintains a website located at http://www.jetblue.com that, among other things, allows consumers to make online air travel reservations.[15] JetBlue collects consumer information in the course of its online ticketing activities.
22. JetBlue's privacy policy, located on its website, provides in pertinent part that "[t]he financial and personal information collected on this site is not shared with any third parties[.]"[16] ConsumerReports.org relied on this privacy policy in August 2003 when it awarded JetBlue a favorable e-rating for Privacy and Security and Customer Service.[17]
23. JetBlue Chief Executive Officer David Neeleman concedes that in September 2002, JetBlue disclosed the names, addresses and phone numbers of JetBlue passengers to Torch Concepts at the request of the Department of Defense.[18]
24. Torch Concepts used this information to conduct its study attempting "to measure the viability of verifying and scoring passengers by checking them against data-aggregation companies' files," the findings of which were presented in "Homeland Security Airline Passenger Risk Assessment."[19]
25. There is no evidence that JetBlue provided notice to or obtained the consent of any passengers whose personal information was disclosed to Torch Concepts Inc. for the purposes of the study.
Acxiom's Disclosure of Consumer Personal Information
26. Axiom states that it is "a global leader in helping large companies and government agencies manage the information they have about individuals . . . by offering innovative marketing and reference services and technologies, along with various information products."[20]
27. Acxiom displays a US Privacy Policy on its website providing in pertinent part:
Acxiom respects the privacy of every individual about whom we have information. Acxiom and our associates (employees) pledge to conduct our business according to these principles:
Notice, Access and Choice -- Acxiom recognizes that individuals should be informed about how information about them is used and have choices about the dissemination of that information.[21]
28. Acxiom displays on its website Access, Notice, and Choice provisions providing in pertinent part:
Notices should be provided that explain the collection, use and distribution of personally identifiable information. Most importantly, individuals should have the choice to opt out of the use of their data in marketing campaigns if they so desire. Similarly, Acxiom believes individuals should have access to information a company has about them that will be used for commercial reference purposes. Acxiom conforms to all legal and self-regulatory guidelines for providing an individual with notice, access and choice . . . . Acxiom does not provide any information, whether public or non-public, to individuals. Acxiom also does not allow our clients to make any non-public information available to an individual. Acxiom does allow our clients to make only public record and publicly available information available to individuals in the form of commonly used and accepted real estate research tools and public listing searches via the Internet.[22]
29. In October 2002, Acxiom sold to Torch Concepts demographic data on approximately 40% of the passengers whose itineraries JetBlue had already disclosed to Torch Concepts.[23]
30. The information Acxiom provided to Torch Concepts about these passengers included gender, home specifics (owner/renter, etc.), years at residence, economic status (income, etc.), number of children, Social Security number, number of adults, occupation, and vehicle information.[24]
31. Torch Concepts used this information to conduct its study attempting "to measure the viability of verifying and scoring passengers by checking them against data-aggregation companies' files," the findings of which were presented in "Homeland Security Airline Passenger Risk Assessment."[25]
32. The presentation disclosed "Anomalous Demographic Information" on one JetBlue passenger, including addresses, cities, states, zip codes, Social Security numbers, date of birth, and lengths of residence, though the passenger was not identified by name.[26]
33. The Tennessee Valley Chapter of the National Defense Industries Association posted the Torch Concepts presentation on its website, where it remained available until September 16, 2003.
34. There is no evidence that Acxiom provided notice to or obtained the consent of any passengers whose personal information was sold to Torch Concepts for the purposes of the study.
VIOLATIONS OF SECTION 5 OF THE FEDERAL TRADE COMMISSION ACT
35. Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), prohibits unfair or deceptive acts or practices in or affecting commerce.
36. The Federal Trade Commission ("FTC") generally identifies three factors that support a finding of unfairness: Whether the practice injures consumers, whether it violates established public policy, and whether it is unethical or unscrupulous. To find unfairness, the consumer injury must be substantial, the injury must not be outweighed by countervailing benefits to competition or consumers produced by the practice, and it must be an injury that could not have been reasonably avoided. Substantial injury may also occur where a business practice causes a small harm to a large number of people.[27]
37. The FTC applies a three-prong test to evaluate whether a deceptive practice is actionable. First, the FTC evaluates representations and omissions based on their likelihood to mislead, rather than whether the consumer is actually misled. The second prong requires that the representation or omission be likely to mislead a reasonable consumer. In evaluating consumer reasonableness, the FTC examines the totality of the allegedly deceptive practice, weighing the clearness of the representation, whether there is conspicuous information that qualifies the representation, whether omitted information is important, and whether consumers are familiar with the product or service. Finally, the FTC considers whether the representation, omission, or practice is material. A material misrepresentation or practice is one that is likely to affect a consumer's choice of or conduct regarding a product.[28]
JetBlue's Activities Constitute Deceptive Trade Practices
38. JetBlue has publicly represented that personal information it collects about its customers will not be disclosed to third parties.
39. The likelihood is great that JetBlue customers were misled by JetBlue's privacy policy, and reasonable JetBlue costumers were likely to actually believe that their personal information would not be disclosed to third parties. JetBlue's misrepresentation may have materially affected JetBlue customers' choice of airline carrier service.
40. JetBlue's disclosure of passenger information to Torch Concepts violated its privacy policy and constitutes a deceptive trade practice in or affecting commerce within the meaning of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).
Acxiom's Activities Constitute Unfair and Deceptive Trade Practices
41. Acxiom has publicly represented its belief that individuals should have notice about how information about them is used and have choices about that dissemination, and has stated that it does not permit clients to make non-public information available to individuals.
42. Acxiom sold consumer information to Torch Concepts without obtaining the consent of the affected consumers, without furnishing notice to the affected consumers, and without providing any means of opting out of the sale.
43. Acxiom's sale of consumer information to Torch Concepts injured consumers throughout the United States by invading their privacy and causing them to believe falsely that they would receive notice of how their information was managed and disseminated, and have choices in that process.
44. The likelihood is great that customers were misled by Acxiom's US privacy policy and Access, Notice, Choice provisions. Reasonable consumers were likely to believe that they would receive notice from Acxiom about how their personal information was used and disseminated. Furthermore, reasonable consumers were likely to believe that Acxiom would prevent its clients from making non-public information about consumers available to others.
45. Acxiom's sale of personal information to Torch Concepts violated its US privacy policy and Notice, Access, Choice provisions, and constitutes an unfair and deceptive trade practice in or affecting commerce within the meaning of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).
46. Absent injunctive relief by the Commission, JetBlue and Acxiom are likely to continue to injure consumers and harm the public interest.
47. Absent injunctive relief by the Commission, other companies will be encouraged to collect and disseminate personally identifiable from consumers in an unfair and deceptive manner.
REQUEST FOR RELIEF
WHEREFORE, EPIC requests that the Commission:
A. Initiate an investigation into the information collection and dissemination practices of JetBlue and Acxiom;
B. Order JetBlue and Axciom to notify all individuals affected by the transaction that their personal information was disclosed to Torch Concepts;
C. Order all records supplied by JetBlue and Acxiom to Torch Concepts in violation of the Federal Trade Commission Act to be destroyed;
D. Order JetBlue and Acxiom to obtain the express consent of any consumer whose information is disseminated in this manner in the future;
E. Permanently enjoin JetBlue and Acxiom from violating the Federal Trade Commission Act, as alleged herein;
F. Order JetBlue and Acxiom to pay such civil penalties as may be appropriate; and
G. Provide such other relief as the Commission deems appropriate.
Respectfully submitted,
Marc Rotenberg
Executive DirectorDavid L. Sobel
General Counsel
Chris Jay Hoofnagle
Associate DirectorMarcia Hofmann
Staff Counsel *
* Pending admission to the District of Columbia BarELECTRONIC PRIVACY INFORMATION CENTER
1718 Connecticut Avenue NW
Suite 200
Washington, DC 20009
(202) 483-1140September 22, 2003
1 Acxiom Corporation, Privacy Principles, available at http://www.acxiom.com/default.aspx?ID=1681&Country_Code=USA (last accessed Sept. 21, 2003).
2 Privacy Act of 1974, Pub. L. No. 93-579, § 7.
3 Privacy Act of 1974, 5 U.S.C. § 552a(m).
4 See http://www.torchconcepts.com/about.htm (last accessed Sept. 21, 2003).
5 See http://www.torchconcepts.com (last accessed Sept. 21, 2003).
6 Philip Shenon, JetBlue Gave Defense Firm Files on Passengers, NY Times, Sept. 20, 2003, at A1, available at http://www.nytimes.com/2003/09/20/business/20PRIV.html (last accessed Sept. 21, 2003).
7 Don Philips, JetBlue Apologizes for Use of Passenger Records, Washington Post, Sept. 20, 2003 at E01, available at http://www.washingtonpost.com/wp-dyn/articles/A37232-2003Sep19.html (last accessed Sept. 21, 2003).
8 Ryan Singel, JetBlue Shared Passenger Data, Wired News, Sept. 18, 2003, available at http://www.wired.com/news/privacy/0,1848,60489,00.html (last accessed Sept. 21, 2003).
9 Torch Concepts, Homeland Security Airline Passenger Risk Assessment 11, Feb. 25, 2003, available at http://cryptome.org/jetblue-spy.pdf (last accessed Sept. 21, 2003).
10 Id. at 8-9.
11 Singel, supra note 6.
12 Torch Concepts, Homeland Security Airline Passenger Risk Assessment 8-9, Feb. 25, 2003, available at http://cryptome.org/jetblue-spy.pdf (last accessed Sept. 21, 2003).
13 Id. at 8, 11, 13, 14, 15, 16, 17, 18, 19, 20, 22, 23.
14 JetBlue Airways, Online Annual Report, Overview, available at http://www.jetblue.com/onlineannualreport/about-main.html (last accessed Sept. 21, 2003).
15 JetBlue Airways online ticketing at http://www.jetblueairways.com/cgi-bin/skylights.cgi (last accessed Sept. 21, 2003).
16 JetBlue Airways, Privacy, available at http://www.jetblue.com/privacy.html (last accessed Sept. 21, 2003).
17 ConsumerReports.org, Airlines: JetBlue Airways, August 2003 at http://www.consumerreports.org/main/detailv2.jsp?CONTENT%3C%3Ecnt_id=139117&FOLDER%3C%3Efolder_id=939&bmUID=1064239226905 (last accessed September 22, 2003).
18 David Neeleman, JetBlue Chief's Message to Customers, NY Times, Sept. 20, 2003, available at http://www.nytimes.com/2003/09/20/business/20PBOX.html (last accessed Sept. 21, 2003).
19 Torch Concepts, Homeland Security Airline Passenger Risk Assessment.
20 Acxiom Corporation, Privacy Principles, available at http://www.acxiom.com/default.aspx?ID=1681&Country_Code=USA (last accessed Sept. 21, 2003).
21 Acxiom Corporation, US Privacy Policy, available at http://www.acxiom.com/default.aspx?ID=1684&Country_Code=USA (last accessed Sept. 21, 2003).
22 Acxiom Corporation, Notice, Access Choice, available at http://www.acxiom.com/default.aspx?ID=1688&Country_Code=USA (last accessed Sept. 21, 2003).
23 Torch Concepts, Homeland Security Airline Passenger Risk Assessment.
24 Id. at 11.
25 Id.
26 Id. at 8, 11, 13, 14, 15, 16, 17, 18, 19, 20, 22, 23.
27 See FTC Policy Statement on Unfairness (1980), at http://www.ftc.gov/bcp/policystmt/ad-unfair.htm (last accessed Sept. 21, 2003); see, e.g., FTC v. ReverseAuction.com, at http://www.ftc.gov/os/2000/01/reversecmp.htm (last visited Sept. 22, 2003).
28 See FTC Policy Statement on Deception (1983), at http://www.ftc.gov/bcp/policystmt/ad-decept.htm (last accessed Sept. 21, 2003); see, e.g., In the Matter of The National Research Center for College and University Admissions, Inc., American Student List, LLC, and Don M. Munce, available at http://www.ftc.gov/os/2002/10/nrccuacmp.pdf (last visited Sept. 22, 2003).