As we await Federal Aviation Administration (“FAA”) proposed rules regarding the operation of drones that weigh less than 55 pounds, other parts of the federal government appear poised to scrutinize the privacy issues associated with drones. Even though the FAA has statutory authority to “provide for the safe integration of civil unmanned aircraft systems into the national airspace system as soon as practicable,” the FAA has suggested that the agency will not address privacy or data collection and use issues in its rulemaking.1 Nonetheless, the Administration and Congress are beginning to take notice of potential privacy issues surrounding the expected private operation of drones in our airspace.

Specifically, President Obama reportedly will issue an Executive Order addressing privacy issues related to the operation of drones. In addition, draft drone privacy legislation has been circulated on the Hill. This recent federal scrutiny follows last year’s efforts by state legislatures to enact limitations on the ability of companies to use drones to collect information about consumers, both in public spaces and on private property.2

PENDING EXECUTIVE ORDER

The President’s expected Executive Order reportedly will address privacy issues relating to both federal and private drones. For example, the Executive Order reportedly would require that federal agencies make disclosures regarding their use of drones for surveillance.

Because the President does not have the authority to create legal obligations for companies (that’s the role of Congress), however, the reported Executive Order is expected to direct the National Telecommunications & Information Administration (“NTIA”) to lead a process to create privacy best practices for drone operators. Even though NTIA guidelines would be voluntary if ultimately adopted, an entity that publicly represents that it adheres to such guidelines would have effectively turned the guidance into federal law, enforceable by the Federal Trade Commission (“FTC”). Under Section 5 of the FTC Act, the FTC has the authority to enjoin unfair and deceptive acts and practices. In this regard, the FTC has firmly established that a company’s practices that are inconsistent with its public representations, such as representations about adherence to industry guidelines or standards, can be violations of Section 5. Of course, the substance of any NTIA guidelines regarding drone privacy is speculative because an Executive Order has not yet been issued. Nonetheless, recent draft federal legislation offers some insight into the types of issues that could be addressed.

“LAME DUCK” DRONE PRIVACY DRAFT LEGISLATION

In his waning days as a U.S. Senator (and also Chairman of the Senate Commerce, Science, and Transportation Committee), former Senator Rockefeller released a discussion draft of legislation specifically designed to address privacy issues associated with the operation of drones. Of course, unless and until somebody in the new Congress picks up where the retired Senator left off, this draft bill will not be formally considered by Congress. Nonetheless, it represents the first Congressional placeholder on how drone privacy issues could be addressed at the federal level.

Like the anticipated Executive Order, the draft legislation would push many of the policy decisions to an administrative agency, namely the FTC. Among other things, the draft legislation would empower the FTC to create privacy regulations governing the use of drones, including requiring that the regulations: (1) prohibit surveillance of an individual without consent; (2) require that an operator of a drone with surveillance or collection capabilities have a publicly available privacy policy; and (3) require that such an operator anonymize data collected and ensure its security.

The proposed legislation envisions the FTC as the primary enforcer, with violations of the regulations enforceable via civil money penalties (as opposed to the limited injunctive remedies available to the FTC in ordinary Section 5 cases). The draft legislation also would empower state Attorneys General to enforce violations of the FTC regulations, and would create a private right of action for any physical harm or “invasion of privacy” arising from a violation of the FTC regulations.

Of course, any privacy regime for drone use that relies on disclosure requirements raises some question of feasibility, including whether notice and choice in order to conduct surveillance can be provided in a meaningful fashion. In this regard, the draft legislation defers these issues to the FTC. As difficult as it may be to apply privacy principles to the “internet of things” (because many connected devices lack a user interface), it would seem that the issues posed by drones are potentially more daunting—the operator and the subject of observation are physically remote, and the subject may not even be aware of the drone’s presence.

IMPLICATIONS FOR POTENTIAL DRONE OPERATORS

While figuring out how to actually tackle the privacy challenges related to the use of drones is far from settled, the fact that the federal government is starting to turn its attention to the issue suggests that these crucial policy questions are ripe for debate and examination in the coming months and years. As with the underlying drone technology, the privacy issues will continue to be a rapidly changing legal front. As companies work through the impending FAA regulations permitting the operation of certain drones, companies should anticipate and be mindful of the privacy implications of the potential collection of consumer information while deploying drones. For example, companies will have to revisit and consider any privacy policies or other public statements that they have made regarding if, when and how the company collects information about consumers and how they use and disclose that information.