British Airways was outed by security researcher Mustafa Al-Bassam for telling passengers that the airline couldn't help with delays and other problems unless they posted their personal information publicly to Twitter, in order "to comply with the GDPR."
The company later switched to telling people that they could DM their personal details.
Al-Bassam discovered this hot mess while investigating British Airways' online check-in, which includes several third-party trackers and doesn't work with ad-blocking turned on.
The British institutional habit of insisting that people do ridiculous, anti-privacy things to comply with privacy laws is ancient and well-entrenched. Ten years ago, EDF told me that the Data Protection Act meant that they couldn't accept my report that the heat in my flat had gone out in the middle of a record cold-snap, leaving me in subzero temperatures.
As he notes, without proper consent, this is a violation of GDPR, the same GDPR that British Airways’ social media team thinks it’s complying with by asking people to post personal information on Twitter. After a frustrating back-and-forth with various members of the British Airways team about why there was no consent form or opt-out mechanism, Al-Bassam submitted a complaint to the airline, reposted here, voicing his concerns. He also outlined his plans to submit a more formal GDPR complaint with the UK’s Information Commissioner’s Office within 30 days if the company doesn’t remedy the issue with its web check-in process and ad-tracking practices.
The plot thickens. @British_Airways only lets you check-in online after you disable your adblocker, so that they can leak your booking details to tons of third party advertisers and trackers, including Twitter, LinkedIn and Google DoubleClick. [@musalbas/Twitter]
British Airways asked customers to post personal information on Twitter ‘to comply with GDPR’ [Nick Statt/The Verge]