American Airlines collects health information including medical conditions, vaccination status, COVID-19 test results, and emergency medical data, and may receive this information from travel agents or other third parties in addition to directly from you.
This analysis describes what American Airlines's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Health data is one of the most sensitive categories of personal information and its collection by an airline, including via third-party intermediaries, raises questions about how long it is retained, who it is shared with, and under what legal basis it is processed.
Interpretive note: The policy does not specify the legal basis for health data processing for each category or jurisdiction, and the extent to which third-party-initiated health data transfers are subject to consumer consent is not clearly addressed.
Your health data, including vaccination records and medical conditions, may be collected not only when you provide it directly but also when it is passed on by travel agents or other entities, and may be retained as part of your booking record.
How other platforms handle this
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
With your permission, we may also receive data from your mobile device's health app (like Apple HealthKit or Google Health Connect), including hours of sleep and sleep goals. However, we do not infer any health-related characteristics from this information and only process it consistent with the pur...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
American Airlines has changed this document before.
"Health information, some examples of which include: You have sought clearance from us to fly with a medical condition or device; You have otherwise chosen to provide such information to us or it has been passed onto us by a third party, such as the travel agent through which you made your booking or other entity, including information about whether you have symptoms of a communicable disease or virus (such as COVID-19), an appropriate vaccination, or a negative test result; Health information related to a medical emergency that occurs while traveling. Digital identity credentials, including credentials linked to vaccination status or negative test results that you provide for specific purposes, such as compliance with customs and immigration requirements during international travel or services in which you choose to participate." — Excerpt from American Airlines's American Airlines Privacy Policy
REGULATORY LANDSCAPE: Health data collection engages GDPR Article 9 for EU/EEA data subjects, which classifies health data as a special category requiring explicit consent or a specific enumerated legal basis such as vital interests or substantial public interest. In the United States, HIPAA does not typically apply to airlines in their capacity as transportation providers, but state health privacy laws and the FTC's Health Breach Notification Rule may apply where health data is held by non-HIPAA-covered entities. The CCPA and CPRA define health information as sensitive personal information with associated processing restrictions and consumer rights.
GOVERNANCE EXPOSURE: High. The policy discloses that health data may be received from third parties such as travel agents without specifying consent requirements for such third-party-initiated transfers, creating potential exposure under GDPR's data minimization and lawful basis requirements and under state privacy laws that require disclosure of health data sources.
JURISDICTION FLAGS: EU/EEA data subjects have the strongest protections under GDPR Article 9, requiring explicit consent or a specific legal basis for health data processing. California residents have enhanced rights over sensitive personal information under CPRA. Washington's My Health My Data Act may apply to health data collected in connection with Washington-based consumers.
CONTRACT AND VENDOR IMPLICATIONS: Travel agents and other third parties that transmit health data to American should be assessed under applicable data processing agreements to confirm that data flows are compliant with GDPR transfer restrictions and state law requirements. The policy's acknowledgment of third-party health data transfers suggests a need for contractual clauses governing lawful basis and data minimization.
COMPLIANCE CONSIDERATIONS: Compliance teams should confirm that lawful basis documentation exists for each category of health data processed, particularly for EU/EEA data subjects; review retention schedules for health data collected in connection with completed travel; and assess whether consent mechanisms for optional health data submission meet GDPR and CPRA specificity standards.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by American Airlines.