Privacy

Trick or Treat? FTC Has Jurisdiction Over Your Drone Operator Privacy Policy

Published: Oct. 31, 2018

Updated: Oct. 05, 2020

President Trump signed into law the FAA Reauthorization Act of 2018 (“FAA Act”) in which Section 375 authorizes the Federal Trade Commission (“FTC”) to apply Section 5 of the FTC Act to privacy policy violations by persons that use Unmanned Aerial Systems (“UAS”) “for compensation or hire, or in the furtherance of a business enterprise.” While it is arguable that the FTC already had the authority under Section 5 of the FTC Act over at least some of these UAS operators, Section 375 suggests that all commercial UAS operators should maintain an external and up-to-date privacy policy to avoid Section 5 enforcements.

“Section 375 suggests that all commercial UAS operators should maintain an external and up-to-date privacy policy to avoid Section 5 enforcements.”

The expectation that a UAS would maintain a privacy policy is not new – the National Telecommunication and Information Administration (“NTIA”) previously issued the Voluntary Best Practices for UAS Privacy, Transparency, and Accountability (“NTIA Guide”) – that included similar suggestions. See here for our prior discussion. Notably, the NTIA Guide broadly defines “covered data” as any information collected by a UAS that identifies a particular person and suggests UAS operators make reasonable efforts to notify individuals before deploying UAS. Practically, compliance with these requirements may affect how UAS operators handle their flights, as they navigate notification obligations.

The NTIA Guide also suggests that the operator provide in the privacy policy:

  • The purposes for which UAS will collect covered data;
  • The kinds of covered data UAS will collect;
  • Information regarding any data retention and deidentification practices;
  • Examples of the types of any entities with whom covered data will be shared;
  • Information on how to submit privacy and security complaints or concerns; and
  • Information describing practices in responding to law enforcement requests.

“…the FTC not only has enforcement authority over UAS operators but now arguably has a baseline for evaluating their privacy policies when pursing enforcements actions against them.”

The combination of the NTIA Guide with Section 375 of the FAA Act means the FTC not only has enforcement authority over UAS operators but now arguably has a baseline for evaluating their privacy policies when pursing enforcements actions against them. Those UAS operators that did not follow the NTIA Guide may also now find themselves penalized for failing to have a privacy policy altogether. Based upon the individual UAS’s business practices, whether Section 375 will serve as an incentive or disincentive for commercial UAS operators to follow the NTIA Guide remains to be seen; but given that the NTIA Guide was affirmatively described as voluntary and “not intended to serve as a template for future statutory or regulatory obligations,” Section 375 could be viewed as a surreptitious circumvention of a core premise of the NTIA Guide.