Unmanned Aircraft Systems (UAS), more commonly known as “Drones,” are soaring in popularity – the Federal Aviation Administration saw more than 300,000 drones registered in just the first 30 days since they introduced a registration system on December 21, 2015. Drones have the potential to be a truly transformative technology; they are already disrupting business models in economic sectors as diverse as shipping and photography, and their proliferation as consumer devices has barely begun to be realized. However, the quick adoption of this new technology raises serious issues of for privacy, civil rights and civil liberties.

In an effort to jump-start the regulatory process, on February 15, 2015, President Obama issued a Presidential Memorandum titled “Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems.” The Memorandum established a multi-stakeholder engagement process to develop a set of criteria for drone owners and operators addressing the privacy, accountability, and transparency issues raised by the commercial and private use of drones. The process was to be headed by the National Telecommunications & Information Administration (the NTIA), and incorporate participants from the public and private sectors, as well as academia. On May 18, 2016, the stakeholders came to a consensus and issued a document for drone operators concerning the collection, use and dissemination of personally identifiable data gathered by both commercial and non-commercial drones. The NTIA says the Best Practices guidance represents “an important step in building consumer trust, giving users the tools to innovate in this space in a manner that respects privacy, and providing accountability and transparency.”

A few important points right off the top. First, the document only applies to “covered data,” which is defined as “information collected by a UAS that identifies a particular person,” suggesting that aggregated data or data that is not capable of identifying a particular person is not covered. Second, the recommendations are completely voluntary, so there are no enforcement mechanisms. Finally, while the document places heavy emphasis on the “reasonableness” of any given best practice depending on the circumstances of the drone owner/operator, the document does not specifically distinguish between commercial and non-commercial drones, which any regulations eventually passed will almost certainly need to do.

You can read the document itself here, but a summary of the Best Practices are as follows:

  • Inform others of your use of drones
    • Drone operators should make a reasonable effort to provide prior notice to individuals whose covered data may be collected
    • Drone operators should make publicly available a privacy policy outlining their policy concerning covered data
  • Show care when operating drones or collecting and storing covered data
    • Avoid collecting covered data where the subject has a reasonable expectation of privacy
    • Avoid continuous collection unless consent is obtained
    • Avoid collecting data (or flying at all) over private property
    • Don’t retain covered data longer than necessary
    • Develop a process for receiving privacy complaints and addressing them
  • Limit the use or sharing of covered data
    • Do not use covered data without consent to determine employment eligibility, promotion, or retention; credit eligibility; or health care treatment eligibility (unless such use is expressly permitted by and subject to the requirements of separate regulations)
    • Don’t use or share covered data not included in your privacy policy
    • Don’t publicly disclose covered data (or anonymize any data that is publicly disclosed)
    • Don’t use covered data for marketing purposes without consent
  • Secure covered data
    • Implement reasonable safeguards to protect stored covered data
  • Monitor and comply with evolving federal, state and local laws
    • You should ensure compliance with evolving applicable laws and regulations and your own privacy and security policies through appropriate internal processes

It is likely that the Best Practices will set expectations for how commercial and non-commercial drones will be regulated in the future. Any business that uses drones should react to the Best Practices by publishing a privacy policy applicable to their drones and implementing internal policies and procedures to address the issues raised in the document.