British Airways has been hit by a major privacy backlash after its social media team was found to be asking customers to publicly post a raft of personal information on Twitter so they could investigate customer service claims “to comply with GDPR”, in direct contravention of the regulation.
Customers were asked to provide passport numbers, full addresses, and other sensitive information.
Security researcher and PhD student Mustafa Al-Bassam uncovered the issue when he found that he could not check in for his flight without disabling his ad blocker.
He then discovered that when customers check in for flights in a web browser, BA uses tracking cookies that then send their personal information to third-party sites to serve ads. Cue much gnashing of teeth on Twitter.
Al-Bassam added that after some users complained about the airline’s bizarrely worded request, it began altering its replies to say that customers should direct message them the information instead.
As he pointed out, without proper consent, this is a violation of GDPR, the same GDPR that BA’s social media team are quoting to get customers to post personal information on a publicly accessible social media site.
When Al-Bassam asked the BA team why there was no consent form or opt-out mechanism and had no joy in getting a response, he submitted a complaint to the airline, insisting he would submit a more formal GDPR complaint with the UK’s Information Commissioner’s Office within 30 days if the company does not act.
British Airways has so far failed to comment on the issue.