On August 29, 2016, the Federal Aviation Administration’s (“FAA”) long-awaited small unmanned aircraft systems (“UAS” or “drone”) rule went into effect, for the first time broadly authorizing commercial drone operations. This is a positive step, as drones have great safety and efficiency benefits for the public. Nevertheless, the American public remains concerned about drone privacy issues.

The prevailing thinking among privacy watchers is that the FAA punted on the issue of drone privacy standards in the rule. The rule does not include privacy-specific standards, and the FAA unequivocally stated that it lacks the authority to regulate the privacy aspects of drone operations. One privacy advocacy group, the Electronic Privacy Information Center, is challenging the FAA’s decision, arguing that it was unlawful for the agency to choose not to create drone privacy standards.

Whether or not it is a good idea for the FAA to regulate privacy, the new safety rule does have real privacy implications. The de facto privacy standards provided by the FAA’s regulations by no means provide a comprehensive commercial drone privacy framework, but they do provide some level of privacy protection. These rules, coupled with state and local UAS privacy laws and general rules that prohibit unfair or deceptive acts or practices, peeping toms, trespassing, and nuisance, as well as voluntary industry commitments regarding privacy, provide a glimpse into what the near-term privacy landscape for civil drones looks like.

Privacy Implications of the FAA’s Small UAS Rule

Even though the FAA’s new UAS rule is focused on safety, at least three provisions within the rule have implications for privacy.

Flights Over People. First, UAS may not operate over any persons not directly participating in the UAS flight, except when those persons are under a covered structure, inside a covered stationary vehicle, or when the FAA grants a specific waiver. This prohibition of flights over non-participating persons could result in generally limiting UAS operations to unpopulated or sparsely populated areas or over tightly controlled private property.

Visual Line of Sight. Second, UAS are required to remain within the visual line-of-sight of the pilot-in-command or the drone’s visual observer. The aircraft must remain close enough so those persons are capable of seeing the aircraft with vision unaided by any device other than corrective lenses. Although this rule aims to promote safety by limiting drone operations to a relatively confined space and ensuring constant visual contact between the pilot or visual observer and the aircraft, it also promotes privacy by precluding drone operators from observing distant subjects or places.

Night Operations. Third, UAS generally are prohibited from operating at night without a special waiver. Daylight-only operations or twilight operations – 30 minutes before official sunrise or 30 minutes after official sunset – with appropriate anti-collision lighting are allowed. Like the line of sight rule, the general prohibition on night operations has a key safety purpose of preventing flights at a time when reduced visibility increases the likelihood of collisions, but the rule also limits the ability to misuse UAS to surreptitiously capture images under cover of darkness.

While these requirements in the FAA’s new rule have clear privacy implications that provide a certain level of protection from the use of drones for invasive purposes, privacy advocates have expressed concern about many aspects of drone privacy that remain unregulated. For instance, nonparticipating persons are not necessarily given notice of nearby drone activity. Also, people may be unable to determine who is flying the aircraft or not know how to stop the use of such aircraft if they believe their privacy is violated.

In response to these perceived regulatory gaps, both federal and state legislators have taken steps towards imposing new drone privacy regulations. At the national level, Senator Ed Markey (D-MA) and Congressman Peter Welch (D-VT) introduced legislation that would, among other things, require that all drone licenses be publicly available and disclose the operator, the area of operation, what data will be collected, how data will be used, and if data will be transferred to third parties. Also, at the state level, more than ten states have already passed drone-related privacy laws.

Additionally, earlier this year, as part of the U.S. Department of Commerce’s NTIA multi-stakeholder process, UAS industry stakeholders and certain privacy groups agreed to a set of privacy best practices that create new privacy standards for UAS operators that adopt them. These best practices include promises by UAS operators to: create and publish UAS privacy notices; forgo the collection of information where a person has a reasonable expectation of privacy; delete or de-identify UAS images when no longer needed; and avoid making information public except as necessary or with permission. Any commercial entity that chooses to commit to these best practices must uphold this commitment under federal law.

What the Future Holds for Drone Privacy

Given the many legislative bodies at the state and local level interested in the privacy aspects of drones, the future of privacy standards for drones likely will remain fragmented. In the near-term, we will likely continue to see state and local legislation proposed, as well as calls for federal drone privacy legislation. Over time, as more drones enter the national airspace, and as nighttime and beyond visual line-of-sight operation of UAS is allowed more broadly, the pressures to create comprehensive and broader privacy standards will increase. Drone operators should keep a close eye on these developments as it is only a matter of time before new UAS privacy laws will emerge – and the debate about what shape these laws will take already is underway.

This article was first published on IAPP’s Privacy Tracker on August 30, 2016.