No right to privacy for traveler info

Mark Pestronk

Q: Our agency has signed up with a service that provides detailed destination-safety information to employees of our larger corporate accounts. All we have to do is send in the traveler's name, email address and destination city; the service does the rest. Our corporate clients seem to be quite satisfied with the service. What if a traveler objects to our disclosure of his or her name, email address and destination to the service? Do travelers have a right to prohibit us from disclosing the information even if their employer wants us to? What if the travelers' mission were highly sensitive and a leak caused a loss of some kind? Could his or her estate successfully sue us for the disclosure?

A: One of the myths of the travel industry is that a traveler has a right to privacy of his or her personal travel plans. Unlike health or banking information, there is no federal or state privacy law that specifically covers a traveler's personal information.

While some states' laws allow an individual to demand that a business delete his or her personal information, your agency probably does nothing wrong by sending it to a third party without the traveler's consent, if the traveler has not made that demand or opted out of data sharing. If the information was first transmitted to you via your website, you probably must have also disclosed, in a privacy policy, how the traveler's information will be used.

Except as set forth above, nothing prohibits a travel agency or other travel business from doing anything with an adult's personal information, including selling it to a data aggregation company or providing it to a consortium that sends out marketing material.

In corporate travel, the contract between the agency and the corporation may prohibit the agency from disclosing or using traveler information for any purpose other than making travel arrangements and providing reports to the corporate travel manager. In my experience, such a contract provision is becoming increasingly common.

Many corporate travel agreements also include data-protection provisions that limit the agency's use and disclosure of traveler information to specified purposes. So you should carefully review your contractual obligations before sharing traveler information with third parties.

What if the corporation is happy with your sharing its traveler's information, but a traveler objects anyway? Even if the traveler has no legal right to force you to delete his personal travel-plan information, you may well want to do so as a gesture of goodwill. If the traveler is worried that an information leak could jeopardize his mission, you certainly could also ask the destination-safety provider to delete the traveler's information, as well

For the future, you can probably avoid these kinds of problems if you add something like the following at the end of your form of corporate traveler profile: "I hereby consent to transmission of the personal information in this profile to suppliers of travel services, reservation system providers and destination-safety service companies. I understand that I can withdraw this consent at any time."