Dear British Airways,
I am concerned that you have not handled my personal information properly.
Recently, I tried to check in online on your website, but the interstitial page did not redirect me, and thus I was unable to check in. I discovered that this was because my adblocker was enabled. After disabling my adblocker, I discovered that your check-in page was leaking my booking reference and surname to countless third parties for advertising purposes, including Twitter, LinkedIn and Google Doubleclick. I've attached some network logs from Chrome's web developer console as example evidence.
I do not recall explicitly consenting for my information to be shared in this way, nor do I see any way to opt-out or withdraw my consent. This all appears to be a violation of article 7 of GDPR for conditions of consent, which states "where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data" and "the data subject shall have the right to withdraw his or her consent at any time".
Therefore the following questions arise:
- Why did you not explicitly ask for my consent to share my data, in a clearly distinguishable way?
- How do I exercise my right to opt-out from consenting for you to share my data with third parties for advertising purposes, in accordance with GDPR?
- How will you remedy or compensate customers who have had their privacy rights violated because you have not explicitly asked for their consent?
Finally, under article 15 of GDPR and the UK's Data Protection Act, I would like to exercise my right to request a) all the data that you hold about me and b) a list of the recipients to whom my personal data have been or will be disclosed.
I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.
If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.
You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me at firstname.lastname@example.org.
Yours faithfully,
Mustafa Al-Bassam