American Airlines can change its privacy policy at any time, and for material changes, will display a notice label on aa.com for 30 days. The policy explicitly states it is not a contract and creates no legal rights or obligations.
This analysis describes what American Airlines's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The disclaimer that this policy is not a contract means you cannot rely on it as a legally binding commitment, and the notification mechanism is limited to a website label rather than direct notice such as email, which may be easily missed.
American can modify how it collects, uses, or shares your personal data at any time, with the primary notice mechanism being a label on aa.com that many users will not see, and the policy expressly disclaims any contractual status or enforceable obligations.
How other platforms handle this
We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date at the top of this page, unless another type of notice is legally required. Your continued use of this site after any change in this Privacy Policy will constitute your acceptance o...
Changes to this Privacy Notice
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...
Monitoring
American Airlines has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"American reserves the right to change this Privacy Policy at any time by posting the updated Policy here along with the date on which the Policy was changed. If we make material changes to this Privacy Policy that affect the way we collect, use and/or share your personal information, we will notify you by including a 'NEWLY UPDATED' label with the 'PRIVACY POLICY' link on aa.com for 30 days after material changes are made. This Privacy Policy is not a contract and does not create any contractual rights or obligations.— Excerpt from American Airlines's American Airlines Privacy Policy
REGULATORY LANDSCAPE: The non-contract disclaimer and change-by-posting mechanism engage FTC guidance on privacy policy commitments, under which the FTC has treated published privacy policies as enforceable representations even when disclaimed as non-contractual. GDPR requires that data subjects be informed of material changes to processing activities and that consent be re-obtained where consent was the original lawful basis. CPRA requires that the privacy policy be updated at least annually and that consumers be notified of material changes. GOVERNANCE EXPOSURE: Medium. The FTC has historically treated privacy policy statements as binding commitments under its unfairness and deception authority regardless of non-contract disclaimers, meaning the practical enforceability of the non-contract clause may be limited. The notification mechanism of a website label may not satisfy GDPR requirements for informing data subjects of material changes, particularly where changes affect the lawful basis for processing. JURISDICTION FLAGS: EU/EEA data subjects have the strongest rights to affirmative notice of material changes to data processing under GDPR, potentially requiring direct email notification rather than a passive website label. California residents are entitled to notice of material changes under CPRA. The FTC's enforcement posture treats published privacy commitments as enforceable regardless of contractual disclaimers. CONTRACT AND VENDOR IMPLICATIONS: The non-contract disclaimer may be cited in disputes about whether particular privacy commitments are enforceable, but regulatory authorities are unlikely to accept this disclaimer as a defense against FTC or state AG enforcement. Vendor contracts that reference or incorporate this policy should be reviewed to understand downstream implications of unilateral policy changes. COMPLIANCE CONSIDERATIONS: Legal teams should monitor whether the 30-day website label notification mechanism satisfies applicable state and international change notification requirements, and assess whether direct email notification to AAdvantage members would be a more defensible approach for material changes affecting how loyalty or sensitive data is processed.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The disclaimer that this policy is not a contract means you cannot rely on it as a legally binding commitment, and the notification mechanism is limited to a website label rather than direct notice such as email, which may be easily missed.
American can modify how it collects, uses, or shares your personal data at any time, with the primary notice mechanism being a label on aa.com that many users will not see, and the policy expressly disclaims any contractual status or enforceable obligations.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by American Airlines.