Drones are a uniquely transformative technology in the commercial and private sectors. Indeed, greater operational flexibility, lower capital requirements, and lower operating costs allow drones to enrich people’s daily lives by providing innovative services, safer infrastructure, recreational uses, and greater economic activity. The assimilation of this technology into everyday life, however, raises concerns for privacy, civil rights, and civil liberties.

In recent years drone popularity has soared. According to the FAA there are about 5,600 drones registered for commercial purposes and roughly 450,000 hobbyists who have registered at least one drone. This popularity has put pressure on the drone industry and privacy advocates to reach agreement on guidelines governing drone use.

Seeking to promote the responsible use of drone technology in a way that does not diminish rights and freedoms, President Obama, on February 15, 2015, issued the Presidential Memorandum, “Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems.”

That memo directed the National Telecommunications and Information Administration (“NTIA”) to establish a multi-stakeholder engagement process—including stakeholders from the private sector—to develop and communicate Best Practices for privacy, accountability, and transparency issues regarding commercial and private drone use in the National Airspace System. And so, on May 18, 2016, the stakeholders came to consensus and issued a document on Best Practices for privacy and other issues surrounding drone use.[1]

Best Practices

The purpose of that document was to outline and describe voluntary Best Practices that drone operators could take to advance drone privacy, transparency, and accountability for the private and commercial use of drones. These Best Practices may be implemented by drone operators in a variety of ways depending on their circumstances and technology uses, and evolving privacy expectations. Yet these Best Practices do not—and are not meant to—create a legal standard of care by which the activities of any particular drone operator should be judged. Nor are the Best Practices intended to serve as a template for future statutory or regulatory obligations—doing so would make these standards mandatory (not voluntary) and could therefore raise First Amendment concerns.

At its core, the Best Practices call for drone users to notify other individuals of drone use and data collecting activities; practice caution when it comes to collecting and storing the data of specific individuals; restrict use and sharing of that data; implement measures to ensure security of covered data[2]; and comply with laws on the use of drones.

These Best Practices focus on data collected via drones, which includes both commercial and non-commercial drones; they do not apply to news gatherers and news reporting organizations or to safety and rescue missions and other emergency response efforts.

In any event, here are the Best Practices in their entirety:

  1. Inform Others of Your Use of Drones
  • (a) Where practicable, drone operators should make a reasonable effort—what qualifies as a practicable and reasonable effort to provide prior notice will depend on operators’ circumstances and the context of the drone operation—to provide prior notice to individuals of the general timeframe and area that they may anticipate a drone intentionally collecting covered data.
  • (b) When a drone operator anticipates that drone use may result in collection of covered data, the operator should provide a privacy policy for such data appropriate to the size and complexity of the operator, or incorporate such a policy into an existing privacy policy. The privacy policy should be in place no later than the time of collection and made publicly available. The policy should include, as practicable:
    • (1) the purposes for which the drone will collect covered data;
    • (2) the kinds of covered data the drone will collect;
    • (3) information regarding any data retention and de-identification practices;
    • (4) examples of the types of any entities with whom covered data will be shared;
    • (5) information on how to submit privacy and security complaints or concerns; and
    • (6) information describing practices in responding to law enforcement requests.
  1. Show Care When Operating Drones or Collecting and Storing Covered Data
  • (a) In the absence of a compelling need to do otherwise, or consent of the data subjects,[3] drone operators should avoid using a drone for the specific purpose of intentionally collecting covered data where the operator knows the data subject has a reasonable expectation of privacy.
  • (b) In the absence of a compelling need to do otherwise, or consent of the data subjects, drone operators should avoid using a drone for the specific purpose of persistent and continuous collection of covered data about individuals.
  • (c) Where it will not impede the purpose for which the drone is used or conflict with FAA guidelines, drone operators should make a reasonable effort to minimize drone operations over or within private property without consent of the property owner or without appropriate legal authority.
  • (d) Drone operators should make a reasonable effort to avoid knowingly retaining covered data longer than reasonably necessary to fulfill a purpose as outlined in § 1(b). With the consent of the data subject, or in exceptional circumstances (such as legal disputes or safety incidents), such data may be held for a longer period.
  • (e) Drone operators should establish a process, appropriate to the size and complexity of the operator, for receiving privacy or security concerns, including requests to delete, de-identify, or obfuscate the data subject’s covered data. Commercial operators should make this process easily accessible to the public, such as by placing points of contact on a company website.

  1. Limit the Use and Sharing of Covered Data
  • (a) Drone operators should not use covered data for the following purposes without consent: employment eligibility, promotion, or retention; credit eligibility; or health care treatment eligibility other than when expressly permitted by and subject to the requirements of a sector-specific regulatory framework.
  • (b) Drone operators should make a reasonable effort to avoid using or sharing covered data for any purpose that is not included in the privacy policy covering drone data.
  • (c) If publicly disclosing covered data is not necessary to fulfill the purpose for which the drone is used, drone operators should avoid knowingly publicly disclosing data collected via drone until the operator has undertaken a reasonable effort to obfuscate or de-identify covered data —unless the data subjects provide consent to the disclosure.
  • (d) Drone operators should make a reasonable effort to avoid using or sharing covered data for marketing purposes unless the data subject provides consent to the use or disclosure. There is no restriction on the use or sharing of aggregated covered data as an input (e.g., statistical information) for broader marketing campaigns.
  1. Secure Covered Data
  • (a) Drone operators should take measures to manage security risks of covered data by implementing a program that contains reasonable administrative, technical, and physical safeguards appropriate to the operator’s size and complexity, the nature and scope of its activities, and the sensitivity of the covered data.
  • (b) Examples of appropriate administrative, technical, and physical safeguards include those described in guidance from the Federal Trade Commission, the National Institute of Standards and Technology Cybersecurity Framework, and the International Organization for Standardization’s 27001 standard for information security management.
  • (c) For example, drone operators engaging in commercial activity should consider taking the following actions to secure covered data:
    • Having a written security policy with respect to the collection, use, storage, and dissemination of covered data appropriate to the size and complexity of the operator and the sensitivity of the data collected and retained.
    • Making a reasonable effort to regularly monitor systems for breach and data security risks.
    • Making a reasonable effort to provide security training to employees with access to covered data.
    • Making a reasonable effort to permit only authorized individuals to access covered data.
  1. Monitor and Comply with Evolving Federal, State, and Local Drone Laws
  • Drone operators should ensure compliance with evolving applicable laws and regulations and drone operators’ own privacy and security policies through appropriate internal processes.

These Best Practices are at present voluntary, however, they may end up as rules that commercial and non-commercial drone operators will have to follow in the future. Indeed, the U.S. Senate has asked the NTIA for a set of privacy guidelines that could serve as the basis for further federal legislation. See FAA Reauthorization Act of 2016, Sec. 2101. With all the news stories about irresponsible individuals using drones for illegal activities or violating people’s privacy, the existence of these Best Practices could be legal fodder for anyone who wants to prosecute you or your company for drone activities. Do yourself or your company a favor, take the initiative and start applying these guidelines today.

Endnotes:

[1] The stakeholders that support this Best Practices document include: Amazon, AUVSI, Center for Democracy and Technology, Consumer Technology Association, CTIA, Future of Privacy Forum, New America’s Open Technology Institute, PrecisionHawk, X (Formerly Google [x]), Small UAV Coalition, Online Trust Association, News Media Coalition, Newspaper Association of America, National Association of Broadcasters, Radio Television Digital News Association, Digital Content Next, Software & Information Industry Association, NetChoice.

[2] “Covered data” means information collected by a drone that identifies a particular person. If data collected by a drone likely will not be linked to an individual’s name or other personally identifiable information, or if the data is altered so that a specific person is not recognizable, it is not covered data.

[3] The term “data subjects” refers to the individuals about whom covered data is collected.