By Christopher Elliott

Kathy Agosta calls it a "blatant ambush of personal credit card information." But it's far from clear who was doing the ambushing.

Agosta, a fundraiser for a nonprofit organization in Ann Arbor, Mich., had just booked a flight from Detroit to Barcelona on Travelocity, when a "$20 cash back" offer flickered across her computer screen.

"It gave the impression that it was from Travelocity," she remembered. "I'm usually wary of these types of pop-ups and don't click on them. But this one looked halfway legit because of its general appearance and the fact that it included the travel confirmation information."

Moments after she clicked on the offer, her credit card company phoned, asking her to verify a $20 charge on her credit card from a company called MemberWorks, she said. She declined it.

Had Agosta just experienced the fabled "data pass" that was the subject of a high-profile, year-long investigation by the Senate Commerce Committee? The same tactics that soon, thanks to legislation introduced by Sen. Jay Rockefeller (D-W.Va.), might be illegal?

No way, says Travelocity.

"We do not pass credit card data," said spokesman Joel Frey. "We have never done so."

"Data pass" refers to a shady practice of sending credit card information along to a third party at the end of a transaction without the buyer's explicit approval. In years past, travelers often found themselves unwittingly enrolled in clubs that automatically charged a monthly enrollment fee while travel companies raked in millions in profits, according to investigators and consumers.

"The link on the confirmation pages will take a consumer to a landing page in which the consumer would be required to input her credit card information herself," said Frey. "Furthermore, we do not promote MemberWorks via pop-up advertising."

Frey believes -- and a Senate investigator I interviewed agrees -- that something else, perhaps a computer virus or malware, activated the pop-up ad that led to the transaction.

Vertrue Inc., the Norwalk, Conn.-based direct marketing services company that used to go by the name MemberWorks, has distanced itself from data passing. At the conclusion of the Senate investigation last November, it said that it would begin verifying offers by, at the minimum, obtaining from the consumer the last four digits of their payment account as further acknowledgement of an offer.

It also distanced itself from Agosta's case. Maria Zanfini, a vice president and senior counsel for Vertrue, said that the company had no record of any enrollment by Agosta. In addition: "Our post-transaction offer on Travelocity has always been -- always been -- 16-digit credit card capture. So in order to enroll, a new customer would have to put in their credit card, full credit card number and expiration date."

Last year's Senate investigation concluded that millions of consumers had been sold club memberships by Affinion, Vertrue and Webloyalty that they didn't want and were unaware they had purchased. The report noted that the companies together raked in more than $1 billion by partnering with hundreds of legitimate sites that were willing to share their customers' billing information, including credit and debit card numbers.

Mike Bush, a spokesman for Affinion Group, also based in Norwalk, said that the post-transaction data pass "no longer exists with us," adding, "We voluntarily ended it in January, and consumers must now provide all 16 digits of their credit or debit number when enrolling online in any of our services."

Other travel companies mentioned in the report either refused to comment for this story or said that they do not pass along customer information in this way.

"We don't do it," said Brian Ek, a spokesman for

Instead, online agencies such as his now offer other products at the end of a transaction, including rental cars, hotel rooms, trip insurance, tours and attractions. But any purchase must be authorized separately.

The way in which these other products are marketed is a topic for another day. (Some online agencies still engage in a questionable practice called "opt-out" marketing -- more on that soon.) For now, the big concern among travelers should be avoiding the kind of mysterious data passing that happened to Agosta, if not eliminating it.

How do we rid the Internet of this questionable marketing technique?

The Interactive Travel Services Association, a group that represents online travel sellers, doesn't have an official position on data passing and post-transaction marketing. This might be a good time to adopt one. And, of course, there's proposed legislation, the Restore Online Shoppers' Confidence Act, which promises to end this unsavory sales tactic. The bill is working its way through the Senate this summer.

Until then, don't let your guard down at the end of an online transaction. With just a push of a radio button or the click of a mouse, you could be buying something you don't want, according to a Senate investigator I spoke with.

"Don't click buttons just to finish a purchase," he warned.

Christopher Elliott is the ombudsman for National Geographic Traveler magazine.


© U.S. Christopher Elliott, The Travel Troubleshooter

Travel | Travelers Be Wary of 'Data Passing' Online