July 21, 2018 : British Airways requests customers post personal data on Twitter, in bizarre GDPR compliance claim.
Disgruntled customers of the airline were asked to tweet their full names and addresses, passport details and even the last four digits of their credit cards “to comply with GDPR” before their complaints could be investigated.
Security researcher and PhD student Mustafa Al-Bassam discovered that BA’s social media staff were demanding that customers post a raft of personal information publicly on Twitter before their customer service complaints would be looked into.
Even more incredibly, BA staff insisted that this was necessary in order to comply with GDPR…
In a number of instances BA’s customers actually began responding with their personal details, making them viewable not only by British Airways’ 1 million plus followers, but by anyone who happened to visit its Twitter page.
So British Airways is asking for people’s personal data over social media “to comply with GDPR”, and some people are even replying directly in the public feed.
— Mustafa Al-Bassam (@musalbas) July 16, 2018
Mr Al-Bassam only looked into the company’s Twitter activity after finding that he could not check in for his flight without disabling his ad blocker. To add insult to injury, British Airways apparently uses tracking cookies during web check-in that send customers’ personal data to third-party sites.
After security experts pointed out the gaffe, British Airways hastily asked customers to delete their tweets to protect themselves, and instead to send the information directly.
Without proper consent, this is a clear violation of GDPR, and asking people to post personal information on Twitter is certainly not the compliance that British Airways’ social media staff appeared to think it was.
After playing ‘ping-pong’ with various members of the BA team over why there was no consent form or opt-out mechanism, Mr Al-Bassam submitted a complaint to the airline, reposted here, voicing his concerns. He also informed BA of his intention to submit a formal GDPR complaint to the Information Commissioner’s Office (ICO) within 30 days if the company failed to remedy the issues with its online check-in process and ad-tracking practices.
A British Airways spokesman said:
We take our responsibility to protect our customers’ details very seriously. We would never ask customers to send personal information publicly. When a genuine error is made, we will always go back to the customer to clarify this.
Editor’s Comment: If a company like British Airways requests that customers post personal data on Twitter, we can only expect the list of GDPR blunders to continue to grow.