Much heat was generated last week following the expose by The Independent about the practice of airport retailers collecting passenger destination data in order to report lower VAT revenues while pocketing the VAT effectively paid by those passengers deemed “zero-rated”. I commented, along with many others, on the ethics and legality of the practices but all the time my main focus and concern was elesewhere.
What struck me in the debate – in online forums ranging from the Institute of Directors to consumer advocacy groups – was how little mention was made about the personal data that is harvested from each boarding pass; nor about the legality or otherwise of its capture and use. There seems to be a complacent consensus that “this is just how the business works”.
Firstly, a comment about the law: data protection legislation in the EU (and increasingly, beyond) is clear that electronic data about a person can only be collected and used for:
– lawful purposes;
– with the explicit consent of the person;
– for the purposes of specific, defined, business objectives;
– for as long as the data is required and no longer
That many of these provisions are ridden over roughshod across the economy is thinly veiled with the ubiquitous “privacy notices” that most of us do not read (it has been estimated that it would take you six weeks working full-time to read a year’s worth of such notices). However, many retailers are falling foul of the law just by collecting personal data without providing the statutory privacy notice.
Lesson #1: If anyone asks you for your personal data (to be included in any computerised system), ask to see their privacy notice which is required to state explicitly what the data is being collected and used for.
Secondly, in airports, retailers are indeed required to ask for the destination of a passenger if that has an impact on the sales price, the tax or duty charged to that sale (whether such savings are passed on the passenger was the subject of the previous heated discussions). I’m sure that most retail outlets are trying to do the best by their customers and cut down queuing and processing time: the advent of the 2-D bar code on passenger boarding passes was thus a boon. No more manual checking of paper boarding passes and keying in the required data.
However, the point of sales scanner is not choosy. It scans the entire data set, whether that data is required or not. Different off-the-shelf and proprietary POS software will handle that data in different ways.
The legally prudent and risk-averse retailer would collect simply the destination datum and match that to a particular sale so provide the required and adequate proof to tax and excise services that a certain sale was not subject to duty, VAT, or other taxes.
The lack of analysis from journalists themselves is not very reassuring. From a later Independent article:
Airports may insist that the motive for the irritating demand from their retailers to see a boarding pass is “to understand how demand in our shops changes according to destination, times of the day or during different seasons,” the real reason is to identify purchases for which no VAT is due.
Although strictly true, this is missing the point. Evidence indicates that few retailers who collect personal data will willingly discard that which is not required because therein lies a goldmine for data analytics. Whether it is a benign goal of “knowing your customer” or understanding patterns of movement through a business day, that data is not the retailers to use as they wish without restriction. Remember that your boarding pass does not simply state that Joe Bloggs is flying to New York – it’s telling a whole story of Joe Bloggs, flying in discounted business class in seat 5A, with a OneWorld frequent flyer account, two items of checked baggage, flying today with American Airlines, and who checked in early online. If you are comfortable with sharing all that – and for the retailer to reuse that data in any further way it chooses, then be my guest. But it is your right to know what is being done with your data – and the retailer’s legal obligation to let you know – and to request that it’s use be strictly limited.
Lesson #2: Assume that whoever collects your boarding pass data is going to maximize its use for their benefit – and not just for yours. Note that IATA, the association responsible for the 2-D boarding pass standard, never mentions retailers or indeed any party outside the air travel industry in its guidelines for use of boarding pass data. In the absence of any clear signal to the contrary, retailers have just assumed its OK to use whatever they can get their hands on.
Finally, it is worth thinking about the technology itself: there is an increasing and worrying trend – particularly strong in Silicon Valley – to insist that anything technology can do should be allowed to flourish. And that anyone standing in the way is simply an old-fashioned reactionary. Furthermore, this model of personal data collection fits well with an economy driven (often by desperation) to market ever more aggressively and improve sales. I take a different view based on a societal model that recognizes that laws and customs evolve over time to reflect what is important – and trying to sell me more and more goods that I don’t want, ought to be something over which I can assert some control.
The fact that there are strong (and if anything a trend to stronger) privacy and data protection regulations, is a reflection of societal concern about potential and reals abuses in the collection of personal data. I’m not averse to anyone willingly handing over their data in return for some benefit provided it is done knowingly and transparently.
Lesson #3: If someone wants your data, assume they are making money from it, one way or another. Maybe its time for you to put a price on that transfer and use.
Or to uphold certain societal values that suggest that not all data should have a price tag. In Michael Sandel’s words, we risk becoming a market society rather than a market-driven economy and the difference is important. The latter is a tool; the former is an end in itself where literally anything is for sale. Think about that next time you hand over your passenger data and wonder whether it will affect, for example, future health or life insurance premiums, let alone the price that you will be presented with as an offer for your next flight.