The ARC Data Sale to U.S. government agencies has come under intense scrutiny following reports of warrantless access to Americans’ travel records. After growing pressure from lawmakers, the Airlines Reporting Corporation (ARC), a data broker collectively owned by major U.S. airlines, has announced it will shut down its Travel Intelligence Program (TIP), a system that allowed federal agencies to search through hundreds of millions of passenger travel records without judicial oversight.

Lawmakers Question ARC Data Sale and Warrantless Access

Concerns over the ARC Data Sale intensified this week after a bipartisan group of lawmakers sent letters to nine airline CEOs urging them to stop the practice immediately. The letter cited reports that government agencies, including the Department of Homeland Security (DHS), the Internal Revenue Service (IRS), the Securities and Exchange Commission (SEC), and the FBI had been accessing ARC’s travel database without obtaining warrants or court orders. According to the lawmakers, ARC sold access to a system containing approximately 722 million ticket transactions covering 39 months of past and future travel data. This includes bookings made through more than 10,000 U.S.-based travel agencies, popular online travel portals like Expedia, Kayak, and Priceline, and even credit-card reward program bookings. Travel details in this database include a passenger’s name, itinerary, flight numbers, fare details, ticket numbers, and sometimes credit card digits used during the purchase. Documents released through public records requests show that the FBI received travel records from ARC based solely on written requests, bypassing the need for subpoenas. DHS described the database as “an unparalleled intelligence resource.”

IRS Admits Policy Violations in Handling Travel Data

A central point of concern is the revelation that the IRS accessed ARC’s travel database without conducting a legal review or completing a required Privacy Impact Assessment. Under the E-Government Act of 2002, federal agencies must complete such assessments before procuring systems that collect personal data. In a disclosure to Senator Ron Wyden, the IRS admitted it had purchased ARC’s airline data without meeting these requirements. The agency only completed the privacy assessment after receiving an oversight inquiry in 2025. It also confirmed that it had not initially reviewed whether accessing the travel data constituted a search that required a warrant, despite previous commitments to do so after a 2021 investigation into cell-phone location data purchases.

Prospective Surveillance Raises New Privacy Concerns

Beyond historical travel data, lawmakers highlighted that ARC’s tools enabled what they termed “prospective surveillance.” Through automated, recurring searches, government agencies could receive alerts the moment a ticket matching specific criteria was booked. This type of forward-looking monitoring typically requires a higher legal threshold and is allowed only in limited circumstances authorized by Congress. Lawmakers argued that buying such capabilities from a data broker like ARC allowed agencies to circumvent the Fourth Amendment, undermining Americans’ constitutional protection against unreasonable searches. Because ARC only captures bookings made through travel agencies, individuals booking directly with airlines do not have their travel data in the system, effectively creating inconsistent privacy protections based solely on how a ticket is purchased.

ARC Confirms End of Travel Intelligence Program

In a letter sent on Tuesday, ARC CEO Lauri Reishus informed lawmakers that the company would end the Travel Intelligence Program in the coming weeks. The decision follows public and political pressure since September, when media reports first revealed the extent of ARC’s data-sharing arrangements with government agencies. Lawmakers noted that airlines benefit financially when passengers book tickets directly, raising concerns that the surveillance program not only threatened privacy rights but also created potential antitrust implications. As lawmakers push for stronger privacy protections and clearer limits on government surveillance, the ARC data sale case has become a high-profile example of how easily personal travel data can be accessed and shared without passengers’ knowledge.

When Elephant Insurance was hacked and millions of driver’s license numbers were exposed, the Fourth Circuit confronted a crucial privacy law dilemma: Is data theft alone enough to sue, or must harm be public and provable? This case exposes how U.S. courts still undervalue privacy in the digital age — and why the elephant in the room is far from irrelevant.

The post Standing to Sue – The Elephant in the Room appeared first on Security Boulevard.

California Attorney General Rob Bonta has announced a $530,000 Sling TV privacy fine against Sling TV LLC and Dish Media Sales LLC, marking the first enforcement action from the Department of Justice’s (DOJ) 2024 sweep of streaming services for compliance with the California Consumer Privacy Act (CCPA). The Sling TV privacy fine resolves allegations that the U.S.-based streaming service failed to make it easy for users to opt out of the sale of their personal data and did not provide adequate privacy protections for children. The company is also required to implement significant changes to how it handles user data and privacy requests.

Privacy Rights and Enforcement

The CCPA grants Californians several privacy rights, including the ability to know what data companies collect, to request deletion of personal information, and to opt out of the sale of their data. According to Attorney General Bonta, Sling TV violated these rights by creating confusing and burdensome procedures for consumers attempting to exercise their opt-out options. “Californians have critical privacy rights,” said Attorney General Bonta. “We take privacy rights seriously, and Sling TV was not providing consumers an easy way to opt out of the sale of their personal data as required. My office is committed to the continued enforcement of the CCPA — every Californian has the right to their online privacy, especially in the comfort of their living room.”

How Sling TV Fell Short

Sling TV operates as an internet-based live TV service offering both paid and ad-supported options. Unlike traditional broadcasting, Sling uses viewer data such as age, gender, location, and income to deliver targeted advertisements. The DOJ’s investigation found that the platform’s privacy settings and opt-out mechanisms were difficult to navigate and ineffective. Consumers seeking to opt out of data sales were directed to cookie preference settings, which did not actually prevent their information from being sold or shared. Even logged-in users, whose details were already known to Sling TV, had to complete lengthy web forms to process their requests. The company also lacked built-in opt-out options on streaming apps used on living room devices such as smart TVs. Additionally, Sling TV failed to provide appropriate protections for minors. It did not offer dedicated kids’ profiles that would limit targeted advertising or require parental consent when users under 16 were likely watching.

Terms of the Sling TV Privacy Fine Settlement

Under the settlement, which is subject to court approval, Sling TV must make several key changes:

• Simplify the opt-out process: Consumers can no longer be directed to cookie settings when attempting to exercise CCPA rights.
• Reduce redundant steps: Logged-in users will not be required to provide information already available to the company.
• Expand accessibility: The opt-out feature must be available directly through Sling TV’s app across different devices.
• Enhance child protections: Parents will be able to set up “kid’s profiles” that automatically block targeted advertising and data sales.
• Improve disclosures: The company must give parents clear information and tools to safeguard their children’s privacy.

Broader CCPA Enforcement Efforts

The Sling TV privacy fine marks the fifth major settlement under California’s privacy law since it took effect. Earlier cases include Healthline Media ($1.55 million), Tilting Point Media ($500,000), DoorDash, and Sephora — all for violations related to consumer data and opt-out requirements. Attorney General Bonta’s office has conducted multiple investigations across mobile apps, data brokers, and streaming platforms to ensure compliance with the state’s privacy law. The Attorney General emphasized that enforcing privacy rights remains a priority as Californians increasingly rely on connected devices and streaming services.