FAA implements new privacy protections for aircraft owners

On March 28th, 2025, the Federal Aviation Administration (FAA) published a notice confirming it has implemented Section 803 Data Privacy of the FAA Reauthorization Act of 2024 (Public Law 118-63), codified at 49 U.S.C. § 44114(b), writes Scott McCreary, vice president at McAfee & Taft.

Under Section 44114, Congress mandates the FAA to allow private aircraft owners to electronically request, through the Civil Aviation Registry Electronic Services (CARES), to have their name, address, and other personally identifiable information withheld from public view or dissemination on FAA websites.

The FAA advises that private aircraft owners can submit their requests via the CARES system in PDF format, explicitly stating their intent to keep such information private. Private aircraft owners must create an account on the CARES website to make the request.  Public feedback is being sought on the impact and implementation of withholding this data, including the effects on maintenance, safety checks, regulatory compliance, and accessibility of necessary information. The FAA is also considering a broader approach that may categorically withhold this data by default, with the option for aircraft owners to request access to their information as needed.

Although maintaining data privacy is certainly a concern, it seems the FAA has moved forward with recent changes without much industry input or communication.  Pursuant to Title 49 USC Chapter 441, the FAA Aircraft Registry is not only the place to register aircraft for operational purposes, but it is also where conveyances (bills of sale/security agreements/lease agreements/etc) affecting aircraft are filed and recorded with the FAA to provide third party notice and insolvency perfection.   It is imperative aircraft owners, lenders, lessors, lessees and others have access to the FAA records and documents filed and recorded with the FAA to determine free and clear ownership of aircraft, or to establish their rights or interest in aircraft, for purposes of facilitating the purchase, financing and leasing of US registered aircraft.  Indeed, the US Supreme Court in Philko Aviation, Inc. v. Shacket, 462 U.S. 406 (1983) confirmed the FAA Aircraft Registry is intended as “a central clearing house for recordation of titles so that a person, wherever he may be, will know where he can find ready access to the claims against, or liens, or other legal interests in an aircraft.”

Considering there are over 300,000 aircraft registered with the FAA, and some estimates indicating aircraft currently registered or at one time registered with the FAA are valued at over a trillion dollars, any change in the industry’s ability to determine who owns or owned an aircraft and the status of liens and encumbrances on the aircraft must be carefully considered to avoid needless and unnecessary confusion.  This confusion may undermine the certainty and validity of the rights and interests established by recording interests with the FAA Aircraft Registry.

There are many questions that need to be answered as we move forward, such as:

• What/who is considered a “private” aircraft owner?
• Do the proposed changes apply only to individuals, or does it apply to companies?
• The FAA Aircraft Registry is an owner registry, not an operator registry, so the registered owner may or may not be the operator.

o   May an operator make the privacy request?

o   May the operator, which is the entity using the aircraft and often the entity that needs privacy, request its information also be withheld for public view?

• Will the information only be withheld from the FAA online index?
• Does the request have to come from the registered owner, or can the request be made from a trustee or entity that holds title under a finance lease?
• Can the request be made by law firms or other legal representatives on behalf of the requesting party?
• How can lenders, buyers, lessees determine who owns the aircraft?
• How quickly can the privacy requests be retracted for an upcoming closing?
• Will the FAA Public Document Room Permittees have access to the ownership records for the equipment?

Background

It has become clear, and of course understandable, that many of the recent changes at the FAA Aircraft Registry are driven by the mandates in the FAA Reauthorization Act of 2024. By way of background following is a partial summary of additional changes required in the FAA Reauthorization Act of 2024 as they relate to the FAA Aircraft Registry.

Enhanced Data Privacy (Section 803).  This section significantly strengthens privacy protections for private aircraft owners and operators through a new section, 49 USC § 44114. Specifically, Section 44114 provides that:

• Upon request, the FAA Administrator is required to withhold an aircraft’s registration number and similar identifiable information from broad public dissemination for noncommercial flights, except as legally required physical markings and data shared with government agencies for traffic management or under government agreements.
• A separate process must be established within two years allowing private aircraft owners or operators to request withholding of personally identifiable information (PII), including name, mailing address, electronic address (email), and telephone number from public FAA sources and websites.
• Additionally, the FAA will implement a program allowing aircraft owners and operators to apply for a new ICAO aircraft identification code upon attestation of a specific safety or security need. Approved applicants must comply with updating registration details according to FAA regulations.

Fairness in Aircraft Registration Numbers (Section 804). To ensure fairness, the FAA must implement a transparent process providing equal opportunities for the public to secure specific aircraft registration numbers. This initiative aims to curb the current practice of companies reserving desirable registration numbers (N-numbers) for resale, promoting equitable access.

Implementation of Anti-Terrorist and Narcotic Air Events Programs (Section 231). The FAA must implement the following 15 recommendations from the Government Accountability report titled “Aviation: FAA Needs to Better Prevent, Detect, and Respond to Fraud and Abuse Risks in Aircraft Registration” GAO-20-164 Published: Mar 25, 2020; Publicly Released: Mar 25, 2020:

1.     The Administrator of FAA should conduct and document a risk assessment that considers inherent and residual fraud and abuse risks that may enable criminal, national security, or safety risks.

2.     The Administrator of FAA should determine impact, likelihood, and risk tolerance as part of a risk assessment.

3.     The Administrator of FAA should develop a strategy that outlines specific actions to address analyzed risks, including periodic assessments to evaluate continuing effectiveness of the risk response.

4.     The Administrator of FAA should collect and record information on individual registrants, initially including name, address, date of birth, and driver’s license or pilot’s license, or both, with subsequent PII elements informed by the risk assessment, once completed.

5.     The Administrator of FAA should collect and record information on legal entities not traded publicly—on each individual and entity that owns more than 25 percent of the aircraft; for individuals: name, date of birth, physical address, and driver’s license or pilot’s license, or both; and for entities: name, physical address, state of residence, and taxpayer identification number.

6.     The Administrator of FAA should verify aircraft registration applicants’ and dealers’ eligibility and information.

7.     The Administrator of FAA should increase aircraft registration and dealer fees to ensure the fees are sufficient to cover the costs of FAA efforts to collect and verify applicant information while keeping pace with inflation.

8.     The Administrator of FAA should ensure, as part of aircraft registry IT modernization, that information currently collected in ancillary files or in PDF format on (1) owners and related individuals and entities with potentially significant responsibilities for aircraft ownership (e.g., beneficial owners, trustors, trustees, beneficiaries, stockholders, directors, and managers) and (2) declarations of international operations is recorded in an electronic format that facilitates data analytics by FAA and its stakeholders.

9.     The Administrator of FAA should link information on owners and related individuals and entities with significant responsibilities for aircraft ownership through a common identifier.

10.  The Administrator of FAA should, as part of IT modernization, develop an approach to check OFAC sanctions data on owners and related individuals and entities with potentially significant responsibilities for aircraft ownership for coordination with OFAC and to flag sanctioned individuals and entities across aircraft registration and dealer systems.

11.  The Administrator of FAA should use data collected as part of IT modernization as well as current data sources to identify and analyze patterns of activity indicative of fraud or abuse, based on information from declarations of international operations, postal addresses, sanctions listings, and other sources, and information on dealers, noncitizen corporations, and individuals and entities with significant responsibilities for aircraft ownership.

12.  The Administrator of FAA should develop and implement risk-based mitigation actions to address potential fraud and abuse identified through data analyses.

13.  The Administrator of FAA should develop mechanisms, including regulations if necessary, for dealer suspension and revocation.

14.  The Administrator of FAA, in coordination with relevant law-enforcement agencies, should enhance coordination within the Aircraft Registry Task Force through collaborative mechanisms such as written agreements and use of liaison positions.

15.  The Administrator of FAA, in coordination with relevant law-enforcement agencies, should develop a mechanism to provide declarations of international operations for law-enforcement purposes.

Section 231 requires the FAA implement the priority GAO recommendations (6, 13, 14, and 15) within 180 days and issue required notices of proposed rulemaking. Remaining GAO recommendations (1–5 and 8–12) must be implemented by January 1, 2026, or within 90 days after the FAA implements the Civil Aviation Registry Electronic Services system. Additionally, the FAA is required to report to Congress within 60 days of implementation detailing actions taken.

Conclusion

Many of the GAO recommendations, which clearly will be implemented soon, will have a positive impact on US aviation, but also promise to create additional complexities for the industry if the FAA implements the changes without sufficient industry involvement and coordination.  For instances recommendations 4 and 5 promise to be challenging, as it appears to be the FAA’s own form of the Corporate Transparency Act.  There are numerous questions regarding recommendations 4 and 5 such as:

• What information must be submitted?
• How will the information be submitted and how securely will it be maintained?
• How far up the chain of ownership (parent company, its parent company, etc.) will parties have to submit information?
• What if the entity is a trust or entity with no tax ID number?
• How will the information be vetted by the FAA and for what reasons?
• How long will it take for the FAA to vet the information?
• Will parties have to update the information if it changes?
• How can an owner determine what information has been filed in the past?

Stay tuned, the McAfee & Taft Aviation Group is actively monitoring the changes and will provide updates as we learn more information.