American Airlines can change its privacy policy at any time, and for material changes, will display a notice label on aa.com for 30 days. The policy explicitly states it is not a contract and creates no legal rights or obligations.
This analysis describes what American Airlines's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The disclaimer that this policy is not a contract means you cannot rely on it as a legally binding commitment, and the notification mechanism is limited to a website label rather than direct notice such as email, which may be easily missed.
American can modify how it collects, uses, or shares your personal data at any time, with the primary notice mechanism being a label on aa.com that many users will not see, and the policy expressly disclaims any contractual status or enforceable obligations.
How other platforms handle this
enableGpcSdk: true, gpcSetting: { privacyPolicyLink: '/Privacy-Security-Policy-a-282.html' }
We process Global Privacy Control signals as opt-out requests for the sale or sharing of personal information.
The Service is intended for general audiences and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under the age of 13 has provided us with personal information without your cons...
Monitoring
American Airlines has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"American reserves the right to change this Privacy Policy at any time by posting the updated Policy here along with the date on which the Policy was changed. If we make material changes to this Privacy Policy that affect the way we collect, use and/or share your personal information, we will notify you by including a 'NEWLY UPDATED' label with the 'PRIVACY POLICY' link on aa.com for 30 days after material changes are made. This Privacy Policy is not a contract and does not create any contractual rights or obligations.— Excerpt from American Airlines's American Airlines Privacy Policy
REGULATORY LANDSCAPE: The non-contract disclaimer and change-by-posting mechanism engage FTC guidance on privacy policy commitments, under which the FTC has treated published privacy policies as enforceable representations even when disclaimed as non-contractual. GDPR requires that data subjects be informed of material changes to processing activities and that consent be re-obtained where consent was the original lawful basis. CPRA requires that the privacy policy be updated at least annually and that consumers be notified of material changes. GOVERNANCE EXPOSURE: Medium. The FTC has historically treated privacy policy statements as binding commitments under its unfairness and deception authority regardless of non-contract disclaimers, meaning the practical enforceability of the non-contract clause may be limited. The notification mechanism of a website label may not satisfy GDPR requirements for informing data subjects of material changes, particularly where changes affect the lawful basis for processing. JURISDICTION FLAGS: EU/EEA data subjects have the strongest rights to affirmative notice of material changes to data processing under GDPR, potentially requiring direct email notification rather than a passive website label. California residents are entitled to notice of material changes under CPRA. The FTC's enforcement posture treats published privacy commitments as enforceable regardless of contractual disclaimers. CONTRACT AND VENDOR IMPLICATIONS: The non-contract disclaimer may be cited in disputes about whether particular privacy commitments are enforceable, but regulatory authorities are unlikely to accept this disclaimer as a defense against FTC or state AG enforcement. Vendor contracts that reference or incorporate this policy should be reviewed to understand downstream implications of unilateral policy changes. COMPLIANCE CONSIDERATIONS: Legal teams should monitor whether the 30-day website label notification mechanism satisfies applicable state and international change notification requirements, and assess whether direct email notification to AAdvantage members would be a more defensible approach for material changes affecting how loyalty or sensitive data is processed.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The disclaimer that this policy is not a contract means you cannot rely on it as a legally binding commitment, and the notification mechanism is limited to a website label rather than direct notice such as email, which may be easily missed.
American can modify how it collects, uses, or shares your personal data at any time, with the primary notice mechanism being a label on aa.com that many users will not see, and the policy expressly disclaims any contractual status or enforceable obligations.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by American Airlines.