Trick or Treat? FTC Has Jurisdiction Over Your Drone Operator Privacy Policy

Published On October 31, 2018 | By Devron Brown and Jason Wool | FTC & State AG, Privacy

President Trump signed into law the FAA Reauthorization Act of 2018 (“FAA Act”), Section 375 of which authorizes the Federal Trade Commission (“FTC”) to apply Section 5 of the FTC Act to privacy policy violations by persons that use Unmanned Aerial Systems (“UAS”) “for compensation or hire, or in the furtherance of a business enterprise.” While it is arguable that the FTC already had authority under Section 5 of the FTC Act over at least some of these UAS operators, Section 375 suggests that all commercial UAS operators should maintain an external and up-to-date privacy policy to avoid Section 5 enforcement.


The expectation that a UAS operator would maintain a privacy policy is not new: the National Telecommunications and Information Administration (“NTIA”) previously issued the Voluntary Best Practices for UAS Privacy, Transparency, and Accountability (“NTIA Guide”), which included similar suggestions. See here for our prior discussion. Notably, the NTIA Guide broadly defines “covered data” as any information collected by a UAS that identifies a particular person, and it suggests that UAS operators make reasonable efforts to notify individuals before deploying UAS. Practically, compliance with these requirements may affect how UAS operators handle their flights, as they navigate notification obligations.

The NTIA Guide also suggests that the operator provide in the privacy policy:

  • The purposes for which UAS will collect covered data;
  • The kinds of covered data UAS will collect;
  • Information regarding any data retention and deidentification practices;
  • Examples of the types of any entities with whom covered data will be shared;
  • Information on how to submit privacy and security complaints or concerns; and
  • Information describing practices in responding to law enforcement requests.


The combination of the NTIA Guide with Section 375 of the FAA Act means the FTC not only has enforcement authority over UAS operators but now arguably has a baseline for evaluating their privacy policies when pursuing enforcement actions against them. Those UAS operators that did not follow the NTIA Guide may also now find themselves penalized for failing to have a privacy policy altogether. Based upon the individual UAS’s business practices, whether Section 375 will serve as an incentive or disincentive for commercial UAS operators to follow the NTIA Guide remains to be seen; but given that the NTIA Guide was affirmatively described as voluntary and “not intended to serve as a template for future statutory or regulatory obligations,” Section 375 could be viewed as a surreptitious circumvention of a core premise of the NTIA Guide.

 

About The Authors

Prior to joining ZwillGen, Devron worked at Facebook, where he worked with the public policy team on issues related to election integrity, data privacy education, and augmented and virtual reality. Before that, Devron summered at PwC in its Technology, Media, and Telecommunications group (TMT), where he focused on IRS reporting requirements for casino jackpots and researched and wrote thought-leadership pieces on autonomous vehicles, rural broadband, and Puerto Rican privacy laws.

Jason Wool’s practice focuses on cybersecurity, including cyber risk management, incident response, and compliance with global data protection laws, regulations, and standards, including the PCI-DSS. He has advised organizations ranging from small businesses to Fortune 500 companies during complex, privileged computer crime investigations; provided ongoing advice on the development of cybersecurity programs and cybersecurity governance structures; conducted tabletop exercises and other data breach simulations; and assisted clients with large scale audits to determine compliance with complex cybersecurity standards.
