Over the last year, the National Telecommunications and Information Administration, an arm of the Department of Commerce, has convened a series of meetings regarding voluntary best practices for privacy, accountability and transparency in the use of drones (“UAS”) by commercial and private users. A number of stakeholders have participated in these meetings, including representatives of insurance companies, technology companies, news organizations, drone manufacturers, and consumer and privacy groups. This week the stakeholders reached consensus on a “Best Practices” draft document that contains voluntary privacy guidance, which the NTIA has posted on its website.
Importantly, the document recognizes that the benefits of UAS are substantial, and that UAS integration will have a significant positive economic impact in the United States. The document also stresses that the best practices it outlines are voluntary and do not create a legal or regulatory standard, nor should they be used as a basis for any local, state or federal law or regulation. The privacy guidance focuses on data collected by a UAS — and not on data collected by any other means. And, as we discuss below, the best practices do not cover newsgathering activities.
We observe that these best practices generally provide guidance at a high level and are flexible based on the size and complexity of operations of each organization. Furthermore, we expect they will complement existing privacy guidelines in place at many organizations.
The best practices largely concern the use and collection of “covered data,” defined as “information collected by a UAS that identifies a particular person.” Importantly, “covered data” does not include information that likely will not be linked to an individual’s name or other personally identifiable information, or data that is altered so that a specific person is not recognizable. Here are the highlights of the best practices:
- Where practicable, UAS operators should make a reasonable effort to provide prior notice to individuals of the general timeframe and area in which a UAS may intentionally collect covered data.
- When a UAS may collect covered data, the operator should have in place a privacy policy that includes the purposes for which the data will be collected, the kinds of data collected, information regarding data retention and de-identification practices, and contact information for privacy complaints.
- UAS operators should avoid using UAS for the specific purpose of intentionally collecting covered data in areas where the operator knows the data subject has a reasonable expectation of privacy.
- UAS operators should avoid using UAS for the specific purpose of persistent and continuous collection of covered data.
- UAS operators should make a reasonable effort to minimize UAS operations over or within private property without consent of the property owner or without appropriate legal authority.
- UAS operators should make a reasonable effort to avoid using or sharing covered data for marketing purposes unless the data subject provides consent to the use or disclosure.
- Operators should take steps to secure covered data that is collected by having safeguards in place appropriate to the size of the operator, the scope of its activities, and the sensitivity of the covered data.
Finally, the best practices state that they do not apply to newsgathering and news reporting organizations, based on the strong protections these activities enjoy under the First Amendment. The guidance states that newsgatherers and news reporting organizations may use UAS in the same manner as any other comparable technology to capture, store, retain and use data or images in public spaces — and shall operate under their own internal ethics rules and existing state and federal law.
This post featured contributions from Hannah Lepow.