Airlines Sold Your Flight Data to DHS: Here’s What You Need to Know From the Data Privacy Standpoint

In a revelation that has sent shockwaves through the travel industry, major U.S. airlines have been caught selling sensitive passenger data to the Department of Homeland Security (DHS) through a little-known data broker called the Airlines Reporting Corporation (ARC). This clandestine operation, uncovered by 404 Media, exposes how airlines like Delta, American, and United have been profiting from your personal information (names, flight itineraries, and even credit card details) while instructing the government to keep their involvement under wraps.

At Captain Compliance, the leading data privacy software company, we’re here to break down what this means for you, why it’s a red flag for data privacy, and how business owners can protect their company from similar traps using our data privacy software tools.

The Shocking Details of the Data Sale

According to internal DHS documents, ARC, a data broker owned by major airlines, has been selling access to domestic flight records to Customs and Border Protection (CBP), a DHS division. The data includes:

  • Passenger Names: Your full identity tied to every flight.
  • Flight Itineraries: Where you’re going, when, and how often.
  • Financial Details: Credit card numbers and other payment information.

What’s worse? The contract explicitly forbids CBP from revealing ARC—or the airlines—as the source of this data, creating a veil of secrecy around the transaction. This deal, reportedly worth just $11,025, allows DHS to track “persons of interest” across state lines, raising serious questions about surveillance overreach.

Senator Ron Wyden called it out bluntly: “The big airlines—through a shady data broker that they own called ARC—are selling the government bulk access to Americans’ sensitive information.” ARC’s board includes heavyweights like Delta, United, American, Southwest, and JetBlue, alongside international carriers like Lufthansa and Air Canada, making this a widespread industry practice.

Why This Matters for Your Privacy

This isn’t just about airlines making a quick buck; it’s a glaring example of how companies exploit loopholes to bypass privacy protections. Here’s why you should care:

  1. No Consent, No Transparency: Passengers were never informed their data was being sold to the government. This lack of consent violates the spirit of data privacy laws like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) for non-U.S. travelers.
  2. Mass Surveillance Risk: The DHS’s Travel Intelligence Program (TIP) stores over one billion records spanning 39 months of travel data, searchable by name, credit card, or airline. This creates a surveillance dragnet that could ensnare anyone, not just “persons of interest.”
  3. Data Security Concerns: ARC only introduced multifactor authentication in May 2025, suggesting lax security practices for handling sensitive information. A breach could expose your travel and financial details to bad actors.
  4. Legal Loopholes: By purchasing data through a third-party broker, DHS sidesteps the need for court orders, undermining constitutional protections against unwarranted surveillance.

As Jake Laperruque from the Center for Democracy & Technology noted, this is part of a “Big Data Surveillance Complex” that’s eroding privacy in the digital age.

How Did This Happen?

ARC operates as a middleman between airlines and travel agencies, collecting ticket sales data from over 240 airlines worldwide. While ARC claims its data comes from travel agencies like Expedia, not direct airline bookings, the reality is murkier. Airlines feed data to ARC regardless of how tickets are purchased, enabling bulk transfers to government agencies like CBP, ICE, the Secret Service, and even the DEA.

The contract, which began in June 2024 and could run until 2029, prioritizes secrecy over accountability. DHS is barred from publicly identifying ARC unless forced by a court order, a clause that shields airlines from public backlash. This secrecy is particularly alarming given that Congress banned domestic bulk data collection a decade ago, highlighting how data brokers exploit regulatory gaps.

What Can You Do to Protect Your Data?

While you can’t stop airlines from collecting your data entirely, you can take steps to minimize your exposure and advocate for change:

  1. Book Directly with Airlines: ARC’s data primarily comes from travel agencies. Booking directly with airlines may reduce the chance of your data being included in ARC’s database, though it’s not foolproof.
  2. Use Privacy-Focused Payment Methods: Consider using virtual credit cards or payment services that mask your financial details to limit exposure.
  3. Monitor Your Data: Use identity protection services to track if your personal or financial information has been compromised.
  4. Demand Transparency: Contact your airline and ask about their data-sharing practices. Public pressure can force companies to rethink their policies.
  5. Support Stronger Privacy Laws: Advocate for legislation that closes data broker loopholes and enforces stricter consent requirements.

At Captain Compliance, our cutting-edge software helps businesses stay ahead of privacy regulations, ensuring they handle customer data responsibly. For individuals, we recommend staying informed and proactive: your data is your power.

Airline Privacy Takeaway

The airline industry’s secret data deal with DHS is a wake-up call. It’s not just about flight records; it’s about the erosion of trust in institutions that handle your personal information. Airlines profiting from your data while hiding behind a broker like ARC underscores the need for robust privacy protections.

We’re committed to empowering consumers and businesses with the tools to navigate this complex landscape. Whether it’s through our compliance software or by shedding light on stories like this, Captain Compliance is your partner in the fight for data privacy.

Stay vigilant, stay informed, and let’s hold companies accountable, because your data deserves better.
