American Airlines collects health information including medical conditions, vaccination status, COVID-19 test results, and emergency medical data, and may receive this information from travel agents or other third parties in addition to directly from you.
This analysis describes what American Airlines's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Health data is one of the most sensitive categories of personal information and its collection by an airline, including via third-party intermediaries, raises questions about how long it is retained, who it is shared with, and under what legal basis it is processed.
Interpretive note: The policy does not specify the legal basis for health data processing for each category or jurisdiction, and the extent to which third-party-initiated health data transfers are subject to consumer consent is not clearly addressed.
Your health data including vaccination records and medical conditions may be collected not only when you provide it directly but also when passed on by travel agents or other entities, and may be retained as part of your booking record.
How other platforms handle this
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
We may collect information about your location, including precise geolocation information, when you use our Services. We use this information to provide location-based services, such as showing you products available in your area, and for other purposes described in this Privacy Policy.
You must be at least 18 years of age or older to subscribe to the Netflix service. Minors may only use the service under the supervision of an adult. We do not knowingly collect personal information from children under 13 unless provided by the account holder in connection with creating a Kids Profi...
Monitoring
American Airlines has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Health information, some examples of which include: You have sought clearance from us to fly with a medical condition or device; You have otherwise chosen to provide such information to us or it has been passed onto us by a third party, such as the travel agent through which you made your booking or other entity, including information about whether you have symptoms of a communicable disease or virus (such as COVID-19), an appropriate vaccination, or a negative test result; Health information related to a medical emergency that occurs while traveling. Digital identity credentials, including credentials linked to vaccination status or negative test results that you provide for specific purposes, such as compliance with customs and immigration requirements during international travel or services in which you choose to participate.— Excerpt from American Airlines's American Airlines Privacy Policy
REGULATORY LANDSCAPE: Health data collection engages GDPR Article 9 for EU/EEA data subjects, which classifies health data as a special category requiring explicit consent or a specific enumerated legal basis such as vital interests or substantial public interest. In the United States, HIPAA does not typically apply to airlines in their capacity as transportation providers, but state health privacy laws and the FTC's Health Breach Notification Rule may apply where health data is held by non-HIPAA-covered entities. The CCPA and CPRA define health information as sensitive personal information with associated processing restrictions and consumer rights. GOVERNANCE EXPOSURE: High. The policy discloses that health data may be received from third parties such as travel agents without specifying consent requirements for such third-party-initiated transfers, creating potential exposure under GDPR's data minimization and lawful basis requirements and under state privacy laws that require disclosure of health data sources. JURISDICTION FLAGS: EU/EEA data subjects have the strongest protections under GDPR Article 9, requiring explicit consent or a specific legal basis for health data processing. California residents have enhanced rights over sensitive personal information under CPRA. Washington's My Health MY Data Act may apply to health data collected in connection with Washington-based consumers. CONTRACT AND VENDOR IMPLICATIONS: Travel agents and other third parties that transmit health data to American should be assessed under applicable data processing agreements to confirm that data flows are compliant with GDPR transfer restrictions and state law requirements. The policy's acknowledgment of third-party health data transfers suggests a need for contractual clauses governing lawful basis and data minimization. COMPLIANCE CONSIDERATIONS: Compliance teams should confirm that lawful basis documentation exists for each category of health data processed, particularly for EU/EEA data subjects; review retention schedules for health data collected in connection with completed travel; and assess whether consent mechanisms for optional health data submission meet GDPR and CPRA specificity standards.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Health data is one of the most sensitive categories of personal information and its collection by an airline, including via third-party intermediaries, raises questions about how long it is retained, who it is shared with, and under what legal basis it is processed.
Your health data including vaccination records and medical conditions may be collected not only when you provide it directly but also when passed on by travel agents or other entities, and may be retained as part of your booking record.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by American Airlines.