British Airways breaches GDPR with Social Media Errors

British Airways was found to be breaching the European Union’s new General Data Protection Regulation (GDPR) last week after a security researcher discovered that the airline’s social media team was requesting that customers post their personal details publicly on Twitter if they wished to have their complaints addressed.

The security researcher who discovered the GDPR breach, Mr Mustafa Al-Bassam, saw that British Airways required its customers to post personal details in order to ‘comply with GDPR’.

Mr Al-Bassam, who posted a letter online, said: “Note that even though your privacy policy states that you may share my personal information with third-party advertising agencies, you must still ask for consent explicitly. (Article 7 of GDPR states) ‘If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language’. I do not recall being requested for consent for you to share my data with third parties in a clearly distinguishable way.”

He also found that British Airways has been using tracking cookies in the web browser to gather personal information, which it then shares with third-party websites. Additionally, online check-in was only permitted when ad-blocker software was disabled in a passenger’s internet browser. Via his Twitter account he said: “The plot thickens. British_Airways only lets you check-in online after you disable your adblocker, so that they can leak your booking details to tons of third party advertisers and trackers, including Twitter, LinkedIn and Google DoubleClick.”

Responding to the GDPR breach, British Airways referred to its policy for customer correspondence on social media: “We take our responsibility to protect our customers’ details very seriously. We’d never ask customers to send personal information publicly. When a genuine error is made, we will always go back to the customer to clarify this. Our social media colleagues look after around 2,000 inquiries a day, and like all customer service teams we are always careful to confirm that we are talking to the right person before making any changes to their booking.”

This may prove to be an even bigger issue for British Airways if it fails to address the errors, as any group or company breaching GDPR faces a £20m fine or 4% of annual global revenue, whichever figure is higher.