Airlines Face Class-Action Lawsuit for Selling Passenger Data to IRS and FBI

WASHINGTON — Major U.S. airlines are facing a proposed class-action lawsuit for secretly selling billions of passenger flight and payment records to federal agencies, including the Internal Revenue Service and the Federal Bureau of Investigation, without warrants. The data was funneled through the Airlines Reporting Corporation (ARC), a data clearinghouse owned by the airlines themselves, which recently announced it would terminate the controversial program by the end of the year following intense scrutiny from Congress and privacy advocates. This lawsuit underscores a critical operational risk for any business handling customer data. What may seem like a straightforward data monetization strategy can quickly unravel into a significant legal and reputational crisis if privacy laws and constitutional boundaries are not rigorously respected from the outset. The program, known as the Travel Intelligence Program (TIP), provided government agencies with searchable access to a vast database of domestic travel information. According to federal procurement documents and investigative reports, agencies like U.S. Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) paid for access to this data, effectively bypassing constitutional warrant requirements. The data sold included passenger names, travel itineraries, credit card information, and other personal details collected during the booking process. ARC is owned and operated by at least eight major airlines, with board members from Delta Air Lines, American Airlines, United Airlines, Southwest Airlines, Alaska Airlines, and JetBlue. The corporation serves as a critical intermediary for ticket settlements between airlines and more than 240 travel agencies. This central role gave it access to a trove of sensitive consumer information, which it then packaged and sold to the government. Critics argue this arrangement created a loophole allowing the government to purchase information it would otherwise need a court order to obtain. “The government seems intent on using data brokers to buy their way around important guardrails and limits,” said Jake Laperruque of the Center for Democracy & Technology, in a statement regarding the practice. Senator Ron Wyden also condemned the arrangement, stating that “the big airlines—through a shady data broker that they own called ARC—are selling the government bulk access to Americans' sensitive information.” Compounding the privacy concerns, contracts between ARC and federal agencies reportedly included a confidentiality clause that forbade the government from disclosing ARC as the source of the data unless compelled by a court. This secrecy, critics allege, was a deliberate strategy to prevent public and congressional oversight. In our experience, the fallout from such compliance failures extends far beyond legal fees. It erodes customer trust, which is incredibly difficult and expensive to rebuild. We've seen companies stumble when their internal processes fail to keep pace with evolving regulations around data privacy. This is precisely the kind of situation where proactive financial risk management becomes indispensable. For businesses navigating the complex web of data compliance and potential liabilities, the team at C&S Finance Group LLC at csfinancegroup.com can help design frameworks to mitigate these exact risks before they escalate. The revelations have also drawn parallels to other concerns about how airlines use passenger data. A separate proposed class-action lawsuit filed against JetBlue accuses the airline of “surveillance pricing,” alleging it uses digital trackers and shares personal data with third parties to manipulate ticket prices for individual customers. While JetBlue denies the claim, stating fares are based on standard factors like demand and inventory, the lawsuit highlights a growing public anxiety over the opaque use of personal information by corporations. Following mounting pressure and an investigation by members of Congress, ARC announced it was shutting down the Travel Intelligence Program. In an email to the Congressional Hispanic Caucus staff obtained by Migrant Insider, ARC President and CEO Lauri Reishus confirmed that “the small number of government TIP customers have been notified that the program is ending this year.” The termination marks a significant victory for privacy advocates but does not resolve the legal questions raised by the class-action lawsuit. The lesson for small and mid-sized companies is stark: treating data privacy as a secondary concern is a costly mistake. Proactive compliance is not just a regulatory hurdle; it is a fundamental component of sound financial and operational strategy. As the Travel Intelligence Program winds down, the focus will shift to the ongoing litigation and potential legislative action. The lawsuit will proceed, seeking damages for travelers whose data was sold without their consent. Meanwhile, lawmakers are expected to continue examining the “data broker loophole,” with potential for new regulations aimed at preventing government agencies from purchasing their way around constitutional privacy protections.