What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages multiple regulatory frameworks simultaneously. GDPR applies to EU/EEA data subjects and governs lawful basis requirements for processing sensitive data including health and biometric information; the policy's reference to consent as a fallback basis for sensitive data processing requires documented consent mechanisms compliant with GDPR Article 7 standards. The CCPA and CPRA apply to California residents and require disclosure of data sale or sharing fo…

How does American Airlines's American Airlines Privacy Policy affect users?

American Airlines collects an extensive range of personal data including biometric identifiers, health information, vaccination records, geolocation, payment details, and call recordings, and shares this data with loyalty partners, credit card issuers, travel agents, and advertising networks. Behavioral data from your browsing sessions on aa.com may be combined with personal identifiers to deliver targeted advertising on third-party websites, including through cross-device tracking. You can sub…

How often is American Airlines's American Airlines Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when American Airlines updates this document?

Yes. Watcher subscribers ($9.99/month) can add American Airlines to their watchlist and receive same-day email alerts whenever this document or any other American Airlines document changes.

CA-D-000633

American Airlines Privacy Policy

American Airlines

Last change detected May 5, 2026 Privacy policy

SHA-256: 474ee5633e1a7462000… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at American Airlines ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

2 High severity

6 Medium severity

0 Low severity

Summary

This is American Airlines' privacy policy, covering all personal data the airline collects when you book flights, use the AAdvantage loyalty program, visit aa.com, or use its mobile app. The most important thing to know is that American collects sensitive categories of data including biometric identifiers, health information, vaccination status, and geolocation, and shares this data with a wide network of travel, loyalty, credit card, and advertising partners, while using cookies and cross-device tracking to deliver targeted advertising both on its own platforms and on third-party websites. California residents and certain other state residents have specific rights to access, delete, or opt out of certain data uses, which can be exercised through the privacy portal linked in the policy.

Technical / Legal Breakdown

This Privacy Policy governs the collection, use, sharing, and protection of personal information by American Airlines, Inc. across its Travel Services, Program Services, and Interactive Services, including the AAdvantage loyalty program, and applies to all interaction channels regardless of device. The agreement states that American collects a broad range of data including biometric identifiers, health information, geolocation, payment data, and communications content; the terms authorize sharing this data with travel partners, loyalty partners, credit card partners, government and law enforcement agencies, advertising networks, and third-party analytics providers, and permit combining online and offline data for targeted advertising purposes. Notably, the policy asserts broad cross-device tracking and data combination practices for behavioral advertising, collects sensitive categories such as biometric, health, and vaccination data, and conditions certain opt-out rights on state residency rather than applying them universally, though applicable law including GDPR, CCPA, and state biometric statutes may constrain how some of these asserted rights operate in practice. The policy engages GDPR for EU/EEA data subjects, the California Consumer Privacy Act and California Privacy Rights Act for California residents, state biometric privacy laws such as Illinois BIPA where biometric data is collected, and federal aviation security and customs regulations that independently compel collection of certain traveler data; the dual role of American as both a commercial data controller and a regulated air carrier creates layered compliance obligations across multiple frameworks and jurisdictions.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

High — 2 provisions

Biometric Data Collection Compare →

American Airlines may collect biometric data such as facial scans or fingerprints when you participate in biometric authentication programs associated with your travel, and discloses that some biometric programs at airports are operated by third parties such as CBP rather than American itself.

Added May 8, 2026 Standard Seen across 251 platforms
Health and Vaccination Data Collection Compare →

American Airlines collects health information including medical conditions, vaccination status, COVID-19 test results, and emergency medical data, and may receive this information from travel agents or other third parties in addition to directly from you.

Added May 10, 2026 Standard Seen across 251 platforms

Medium — 6 provisions

Cross-Device Tracking and Behavioral Advertising Compare →

American Airlines tracks your browsing behavior across devices and browsers, links that data to your personal identity, and uses it to show you targeted ads both on its own website and on other websites you visit.

Added May 10, 2026 Standard Seen across 251 platforms
Data Sharing with Loyalty, Travel, and Credit Card Partners Compare →

American Airlines shares your personal information with a broad network of partners including airlines, hotels, car rental companies, credit card issuers, travel agents, and tour operators when you use your AAdvantage account or book travel through partner channels.

Added May 10, 2026 Standard Seen across 246 platforms
Privacy Policy Change Notification Compare →

American Airlines can change its privacy policy at any time, and for material changes, will display a notice label on aa.com for 30 days. The policy explicitly states it is not a contract and creates no legal rights or obligations.

Added May 10, 2026 Standard Seen across 262 platforms
Children's Data Collection Compare →

American generally does not collect personal data from children under 13, but does collect travel and safety information about minors when required by law or necessary for their transport, and parents can request deletion by emailing privacy@aa.com.

Added May 10, 2026 Standard Seen across 251 platforms
Combining Online and Offline Data for Personalization Compare →

American Airlines links data about you from airport interactions, website activity, app usage, and third-party sources into a combined profile used to personalize offers and services.

Added May 10, 2026 Standard Seen across 189 platforms
Third-Party Information Collection on American's Services

Third parties including advertising networks and social media companies use their own tracking technologies on American's websites and apps to collect information about your visits, independent of what American itself collects.

Added May 10, 2026 Rare