Will California’s New Privacy Law Require American Airlines to Tell You Your Eagle Rating?

Building on Europe’s GDPR, the California Consumer Privacy Act goes into effect January 1, and OhDoctor wonders whether its requirement that companies share the data they collect on consumers with those consumers will require American Airlines to share the Helix score (or ‘Eagle rating’) assigned to a passenger:

With California’s Consumer Privacy Law going into effect soon, will AA be compelled to release Helix scores on request? The law specifically mandates that “(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer.” Wouldn’t Helix information fall under this umbrella?

Here’s how American Airlines scores its customers. American Airlines has a system called Helix that it uses to tell employees when to go ‘above and beyond’ for a customer. It’s used by reservations, agents at the airport, customer relations, baggage services and others as a way to know when it’s ok to spend more on a customer.

The goal of the system is to accommodate high value customers who are at risk of defecting to a competitor. Helix will display an Eagle ranking from 1-5 for each customer. This ranking is updated each day and depends on a combination of revenue and how badly you’ve been treated by the airline. You’re only going to get special treatment if your ranking is 3 or higher.

American won’t tell you your Eagle rating. Will the California Consumer Privacy Act make them, at least for California residents? No, it will not, because the rating is not personal information gathered about a customer, but rather the output of the airline’s own proprietary algorithm based on the data they’ve collected. Your name, address, and date of birth may be ‘yours’ under the Act, but what American thinks about you is not.

The takeaway here is that personal information isn’t what’s valuable; the predictive models brands build are. Those aren’t covered by disclosure rules, and you receive nothing when that data is hacked.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.



  1. As this story for the NYT says about getting your data from companies under this act, “I don’t really care that these data analytics companies know I made a return to Victoria’s Secret in 2009, or that I had chicken kebabs delivered to my apartment, but how is this information being used against me when you generate scores for your clients?” Ms. Antonini said. “That is what consumers deserve to know. The lack of the information I received back is the most alarming part of this.”


  2. @ Gary — I am EXP for about 12 years now, and I am certainly not made to feel like a high value customer. I am definitely at high risk of leaving, and I guarantee you that AA doesn’t have a clue. Given those inputs, I’m pretty sure my Eagle score is low.

  3. It’s preempted by federal law. The Supreme Court has already held that the Airline Deregulation Act preempts all state consumer protection statutes.

  4. If your ranking depends on how badly you’ve been treated by American Airlines, would not most passengers have a high Helix system assigned Eagle score?

  5. Laws in the EU+ region may be able to get AA to hand over the very information AA won’t hand over in the US while it may use then-President Carter’s airline deregulation act to shield itself from such requests under state law in the US.

  6. I hear what you’re saying @garyleff, and understand why you take the position that AA will not have to release their “proprietary algorithm” Helix scores to CA residents. But I think that is something that would be legally debatable. For example, see this NYT article: https://www.nytimes.com/2019/11/04/business/secret-consumer-score-access.html

    Personally, I don’t care if I find out my Helix score or not (surely, I’d be curious, but don’t have a pressing desire to know).

  7. @Gary, the definition of PI under the CCPA is much broader than the data points you mentioned. One of the more unique elements of PI that was not covered under the GDPR is “inferences” drawn by businesses based on a consumer’s preferences, purchases, or interaction with your business in any form (i.e. data analytics and algorithms). I believe that your Eagle Rating is an inference based on data the airline collects on you and you should be able to request access to it as a CA resident. I work in data privacy for a living and think if you specifically request this information from AA, they will give it to you because the risk of the AG taking a different view is a much greater risk than a customer being unhappy because they have a low rating. At least that’s how I advise my clients.

  8. @Dakota

    Correct. One of the tenets of GDPR is that you can request ALL data related to you, regardless of whether it’s personally identifiable or not. This is called “The Right of Access”

    “What is the right of access?
    The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.”

    “As well as other supplementary information” is the key phrase.

    Not sure if the CA law will go this far, but any European residents can lawfully request this info.

  9. @Oh Matron: Anyone can “lawfully request” any information. It just may not be given (lawfully or not).

  10. Fathiss,

    AA is legally exposed to GDPR in the EU+ region and failure to lawfully comply with lawful requests relying upon GDPR is actionable and can be very expensive for AA. Does AA really want to risk scoring an expensive own-goal for failing to abide by laws applicable to AA due to AA’s nexus in the EU? It would seem foolish to me, but then again AA is AA.

  11. HunterATL said it all. State consumer protection laws ARE preempted by the Airline Deregulation Act and by the U.S. Supreme Court in TWA v. Mattox. I was on the executive committee of the multistate National Association of Attorneys General task force investigating airline advertising and frequent flier programs in the 80’s. We tried to get basic fairness and consumer protections via multistate guidelines we published in both areas. TWA, with the backing of most airlines (except Southwest which worked with us to make improvements) sued in federal court. We lost. The airlines can do whatever the Hell they want when it comes to ‘rates, routes and services.’ That pretty much covers everything. The only silver lining is that we applied the same consumer protection principles to the car rental industry, published Car Rental Guidelines, and were able to force rental agreements to disclose that CDW/LDW was not insurance and that most customers’ personal auto insurance covered damage. Car rental companies did not have the same protection the airlines did.
