On demand 1h 04s Intermediate

Privacy in the Skies—Overview of Federal Drone Law

4.7 out of 5 Excellent(72 reviews)
View all credits4 approved jurisdictions
Play video
  • Credit information
  • Related courses

Privacy in the Skies—Overview of Federal Drone Law

As drone technology continues to evolve and drones evolve from novelty items to a central part of business operations in a variety of fields ranging from logistics and public utilities to real estate and construction, commercial drone operators must ensure that their operations comply with emerging federal drone privacy law. In this overview of the provisions of the FAA Reauthorization Act of 2018 governing the privacy practices of commercial drone operators, we cover key provisions governing operators’ privacy policies and compliance with the emerging patchwork of state and local information privacy and security laws. We also address emerging issues in federal preemption law related to the applicability of state and local information privacy and security laws to the aviation sector.

Transcript

Bradford Meisel - Hello, my name is Bradford Meisel, and I'm an Associate at the firm of McElroy, Deutsch, Mulvaney and Carpenter, based in Morristown, New Jersey. I'm admitted in New Jersey and New York. And along with my colleague, Diane Reynolds, I am part of the cybersecurity, data protection and privacy practice, as well as the corporate transactional practice group in McElroy, Deutsch. And in addition to corporate law, I do a lot of work with data privacy and cybersecurity, and I also do a lot of work with drone law and the interplay between drone law and privacy law, as well as the preemption of drone regulation at the state and local level by federal law, and I learned a lot about that, working as a law clerk for a couple U.S. senators while I was in law school and I had the opportunity to work on drone legislation, so that is a bit about my background and with drones. And basically, drones are a topic that is becoming a lot more significant in recent months and years.

Years ago, when drones first came out, they were novelty items, basically, toys, in the civilian context, that you would get for some kids to play around with, or someone to go take cool aerial picks with, or, in the military context, to go conduct unmanned air strikes or spy missions. Where things started to change in the last few years is when you started having drones used for a bunch of commercial purposes, and it started to really take off, pardon the pun. In recent years, you've had drones being used by realtors, for instance, to do aerial videos and photographs of properties they're selling, especially large, more remote properties or larger commercial properties, or even in the residential context to go get an aerial view of a neighborhood where the house is located. And that's becoming a regular part of business for a lot of realtors. In the public utility and infrastructure space, you've seen a lot of businesses using drones to conduct aerial monitoring and inspections of gas lines, of oil pipelines, of, you know, power plants and power lines. So because they can go up and get an aerial view really quickly and fly up much closer to a high up power line than a helicopter could, they can often spot mechanical failures and breakage or leaks before the human eye could, and potentially avert significant problems. So it's been a game changer in those sectors. And then another area where we've seen it is with movies and filmmaking and television. They're using it to get aerial shots, 'cause it's a lot cheaper than paying a guy to go up in a helicopter.

So for more low budget indie productions, it's enabled them to get aerial footage that they couldn't ordinarily. And finally, where I think where a lot of people think drones have the potential to really grow is in the delivery space. You've seen a lot of businesses, such as Domino's and Amazon experimenting with drone delivery. And the COVID pandemic really accelerated that, because a lot of people realized that you're gonna have shortages of delivery drivers, especially during a pandemic. We're even seeing that now. There could be other circumstances that cause shortages of drivers, such as strikes. And if you have a pandemic or an emergency where businesses have to be closed to in person customers, retail and restaurant, their only way to survive is by delivery. So being able to deliver with lower overhead could mean the difference between survival or failure for businesses in that situation. And drone delivery has the potential to really bridge the gap and be a lifeline for those businesses. And also just in regular circumstances, just expand the delivery capacity of businesses, and allow them to service more customers. So those are just a few of the areas where drones have a great deal of applicability in the business world. And as drones became more frequently used by businesses, it's raised concerns about individual privacy, because drones often can carry a camera. And you're not gonna know when a drone is flying over you with a camera, and it's raised concerns that drones could be used to conduct voyeurism or other intrusive surveillance of people, to spy on people for paparazzi-type purposes of surveilling celebrities. And a lot of people just find it uncomfortable with the idea that something can just fly over your backyard or buzz right outside your window, and see inside your house or what you're doing in your backyard. And a lot of people find that uncomfortable. And that's led to some political pressure to curtail the ability of drone operators to engage in activities that a lot of people may find intrusive or a violation of their individual privacy.

That culminated in a few of the provisions of the FAA Reauthorization Act of 2018, which are gonna be the focus of this CLE. President Trump, the then President Trump signed the FAA Reauthorization Act of 2018 into law on October 5th, 2018, after it passed the Senate by a 93 to six vote. It was, as you could tell by that vote, something that was passed by widespread bipartisan consensus. And there were provisions in there that were introduced by members of both parties, and it governed significant aspects of aviation law. And a lot of it governed manned aircraft, like airplanes and helicopters, airport operations, so many other aspects of aviation, but there were a number of provisions that regulated drones. For instance, one provision was the Drone Operator Safety Act, which makes it a federal crime to operate a drone in a way that poses a danger to a manned aircraft, specifically operating in the runway exclusion zone of an airport and imposes strict criminal penalties, including imprisonment, if you fly a drone too close to an airport like that, especially and regardless of whether there is an injury, but especially if it collides with an airplane and causes serious injury or death. The idea of that provision is to prevent a drone aircraft airplane collision that causes the plane to crash and kill a lot of people, which could be a tragic situation. This legislation included a lot of provisions that regulated drones, but what we're gonna focus on today are the three separate provisions that collectively, have the potential to impose significant information privacy requirements on commercial drone users.

Interestingly, it doesn't apply to hobbyist drone users. So if you're using it for a purpose where you're gonna make money, or you're using it for a business entity, these are gonna apply, potentially. But if you're just a private individual, not using it on behalf of a business entity, not using it in any way where you could make money, or receive compensation, you're not gonna be subject to it. So if your friend got you a drone for Christmas, and you decide you're just gonna go out and fly around, take some cool pics, maybe put 'em on Instagram, but you're not an influencer. You're not making any money from it. It's just something you do for fun, this isn't something you're gonna worry about. However, if you're a business that's delivering something with drones, using it to inspect power lines, or you're using it to get aerial shots of listings that you have as a real estate broker, there's a good chance this is gonna apply. And if you're representing any of these kinds of clients, this is something to be very cognizant of, as we move along here.

The first provision is section 537 of the FAA Reauthorization Act, which provides that in quote, "It is the policy of the United States that the operation of any unmanned aircraft or unmanned aircraft system shall be carried out in a manner that respects and protects personal privacy consistent with the United States Constitution, and federal, state, and local law." This provision, it could potentially be expanded to include hobbyists, but that is not clear at the moment, but that is something that remains to be seen as to how courts and the FAA will interpret it. Because as of the current date, in February of 2022, there's no FAA regulations or administrative decisions, correct, completely on point, as to whether it only applies to commercial users, as opposed to recreational. Since the statute was signed, there's also another provision that again, hasn't been interpreted since the legislation was signed, but this provision, and that is Section 378 of the Act, which provides that it's a sense of Congress that all commercial drone operators should have a written privacy policy consistent with section 357, which I just mentioned, that is appropriate to the nature, scope of the activities, regarding the collection, use, retention, dissemination, and deletion of data collected during the operation of unmanned aircraft system of this policy, must be publicly available. The only exemption from Section 378 applies to enterprises operated for the purposes protected by the First Amendment of the Constitution.

Therefore, regardless of how courts interpret this provision and the FAA interprets it, it's likely to exempt activities that are protected by the First Amendment, namely news gathering by a media entity. And perhaps you would even have an argument that a filmmaker or television studio, using it to produce a movie or a TV show would also be exempt, because that's a form of speech. These arguments have not been tested in court or before the FAA, but these are arguments that drone operators can, in a number of sectors could potentially make. However, it's a long shot that drone operators in entities that don't involve news gathering or speech are exempt from this requirement, such as a drone operator that's a real estate broker, a drone operator that's a power company, a business that's using it to deliver products, or an agricultural firm that's using it to monitor crops. The legislation is unclear as to whether this is a requirement that could subject a business to penalties for violating it, even though it says, "It's the state sense of Congress that they should have this." And after President Trump signed the statute into law, the Federal Trade Commission, the FTC, initially took the position that it doesn't require such a privacy policy, but it's the sense of Congress.

However, that there is no regulation on point, or administrative decision by the FAA on point, and there's no court case on point. And that was during the Trump administration, when you had a Republican majority on the FCC, and it's entirely plausible that, if and when President Biden gets enough appointees confirmed to the FTC, that you have a Democratic majority, or even without a partisan change, the FAA starts thinking about this issue differently, it's possible the FAA's position could change. And therefore, you can't assume that it won't be interpreted to be a requirement, as opposed to something that Congress believes everyone should have. Also, it's not clear what, if any, administrative penalties or civil or criminal actions could be brought for a violation of this, whether it would be strictly enforceable by the FTC or the FAA, or whether it will give rise to a private right of action. That's not clear, and it's something that could end up being the subject of FTC or FAA regulations in the future. Moreover, Section 357 raises an issue as to whether state Information Privacy and Security Statutes are federally preempted, as applied to drone operators.

Another thing to notice that Section 375 says, "If a drone operator has a privacy policy publicly available and violates it, that violation of the privacy policy would be an unfair and deceptive practice in violation of the FTC Act that would be subject to FTC enforcement." So this is a little murky. So what I'll explain is that basically where this leaves us is that drone operators are supposed to protect data in accordance with state, local, and federal law, and the Constitution. And the sense of Congress is that they should have a privacy policy that is consistent with those legal requirements for data protection and privacy, and a violation of that privacy policy is enforceable by the FTC. That's where things stand now. So if you have a privacy policy and violate it, you're clearly subject to FTC enforcement action. If you don't protect your data in accordance with state, local, and federal law and the Constitution, and you're a drone operator or don't have a privacy policy period, the enforcement mechanisms and penalties are less than clear right now. However, there's a good chance you could be subject to something. Just the question is whether that would be FTC action, FAA regulatory action, actions by State's Attorneys General, private actions, or all the above.

Also what this leaves us with is a question over whether state and local information privacy laws are gonna be enforceable or preempted as to drone operators. Because in recent years, a patchwork of privacy laws have been enacted in different states, governing personally identifiable information. For instance, California, Virginia, and Colorado now have comprehensive privacy laws that require businesses to not only use reasonable security measures to protect individual data, but give data subjects a number of rights with regard to their data, the right to opt out of disclosures or processing, the right to know what data is being processed, and a number of other rights. Other states, like New York, require entities that possess personal information of state residents to implement information privacy programs, and security programs that meet a number of data security criteria to prevent data breaches or hacks. A number of other states have statutes requiring the use of reasonable security measures, and other state courts have imposed common law duties to use reasonable security measures to protect individual privacy. A number of states have also enacted laws governing biometric data, which is data such as, facial recognition data, eye scans, and the like, and I'll get into more detail on that later, but basically there's a big framework of information privacy laws that states have enacted. And these laws govern how personal data of individuals who live in those states are protected, and what rights individuals have with regard to that data.

Section 357 seems to indicate if this is binding, that your privacy policy as a drone operator and your practices must comply with these laws with regard to individual data. And if you have individual data, such as biometric data, or other individual data of people that you collect by filming them or filming their properties, you could potentially have data that's subject to these laws. Information privacy laws though, may at the state and local level, and to clarify, there's no federal information privacy and security law that's generally applicable to all entities. There's only specific ones that are applicable to certain entities, namely healthcare, HIPAA, financial services with Gramm-Leach-Bliley, and education with FERPA, and there's no generally applicable law, and there are none applicable to aviation or drone operators. And generally, because aviation law has been regulated by Congress, going back to the 1920s, there's always an argument that the applicability of state or local laws or regulations governing aviation is federally preempted, and therefore, unenforceable. In the context of the applicability of state information privacy laws to airlines, courts have held that the applicability of such laws to airlines is federally preempted by the Airline Deregulation Act of 1978, which is a federal law. The most significant case on point was People ex rel Harris V Delta Airlines, which is a California appellate decision from 2016.

However, there are no cases on point as to whether state and local information privacy laws are preempted with regard to, and as applied to drone operators, as opposed to airlines. And drones are not subject to the Airline Deregulation of 1978, which was the basis for the preemption of holding in People ex rel Harris. And until there's dispositive case law on point, plaintiffs seeking to enforce their rights under such laws against a drone operator could make the argument that these laws are not preempted. And in addition to the fact that the Airline Deregulation Act of 1970 doesn't apply to drones, Section 357 is really going to potentially be something a plaintiff like that would hang their hat on, because it says that, "Drone operators shall protect data in accordance with state and local law, as well as federal law in the U.S. Constitution." So someone could make the argument that if Congress intended for such laws to be preempted as applied to drones, they would not have included that language in Section 357. And it is possible a court could find that compelling.

So even if Section 357 and Section 378 are not interpreted by the FTA and the FTC in courts as requiring all drone operators to have privacy policies, and adhere to them that require them to adhere to state and local privacy laws, that Congress doesn't intend for those state laws to be preempted, and therefore, those state laws are applicable to drone operators. And so therefore, there's a good chance that one way or another, commercial drone operators, especially in the commercial context, could be subjected to state and local information privacy laws, which I'll be discussing in more detail later. In terms of information privacy, there has been a lot of legislative activity at the local, at the state level, in the last three to five years.

A number of states, as I mentioned, New York, California, also Texas, Pennsylvania, Louisiana, have enacted statutes requiring entities in all industries to use reasonable proactive measures, to protect state residents' personally identifiable information they possess or collect from unauthorized disclosures. Those disclosures resulting from data breaches or other cybersecurity incidents, which have exponentially increased in recent years, especially during the COVID pandemic. And that trend, unfortunately, is unlikely to dissipate in the foreseeable future, and it is possible that it could continue. While a drone operator probably is not going to be collecting credit card information and the like, it is possible that drone operators will be possessing information they collect on people who end up in the line of view of a camera, a photograph, as taking photographs or video. And also in the drone delivery context, the drone operators are gonna have addresses and financial information of all the customers, because it may happen in the coming years that you may have Domino's, or a number of other pizzerias, who are delivering by drone. And in which case, the drone operator is gonna have all the information that Domino's has when you order your pizza, or all the information that Amazon has when you order whatever you order from Amazon shipped to you. And they'll have your address, and all your shipping information, your billing information, and it may take a picture of your house while it lands to confirm that the package or the food was dropped off at your door. So that information is something that could be subject to a lot of these state privacy laws, if drone operators are collecting them.

And also a lot of these statutes have broad, extra territorial applicability. For instance, the New York Shield Act, which imposes significant data security requirements on any entity that possesses New York residents' data, applies broadly to any entity that possesses the personally identifiable information of New York residents, even if the entities are only located out out of state. So there could be an argument under the New York Shield Act that if you're a New York resident, and you go to visit your Aunt Sally in South Carolina, and you order a pizza while you're there, delivered to your aunt's house, while you're staying there with a drone, the data the drone operator collected could be subject to the New York Shield Act, because you're a New York resident, you ordered the pizza. So courts have yet really sort out and draw those lines, but it could at least give rise to arguments that an entity is subject to these laws. So you can't assume if you're representing a business in South Carolina, that only has locations in South Carolina, and doesn't do a huge nationwide mail order business, you can't just categorically assume that you don't have to worry about the privacy laws in other states. Because a lot of times, those privacy laws will be triggered when you do business with people who reside in those states. And so if you're a drone operator, and you're coming up with a privacy policy, because you decided it's prudent to have a privacy policy that complies with the provisions of the FAA Reauthorization Act we discussed, in case it's interpreted to be a requirement, an important step to start with is having provisions in your privacy policy that you will use reasonably appropriate security measures to protect personally identifiable information collected, and conduct cybersecurity risk assessments, and remediate identified vulnerabilities. And a good place to start is by looking at what these laws require, and basically build the kind of controls and prudent cybersecurity measures into your information security practices these laws require.

So if you're ever cited by a regulatory agency, or a plaintiff argues that you violated this statute, you can pull out your policy and show that it's compliant with these statutes, and that you took all of these measures that were required by the statutes. And also, looking at common law negligence cases where courts have found that there was a common law duty to protect personally identifiable information, and what kind of conduct clause gave rise to the breach of that duty. So if you're an attorney, and you are concerned about these issues, you should look at these cases and see what kind of conduct the court found could potentially constitute a breach of this duty, and build controls that would prevent those kind of shortcomings into your privacy policies and practices. However, you can't say things in your privacy policies that you aren't able to deliver on in your day-to-day operations, because a violation of any privacy policy, especially one involving drone use, is going to be a violation of the FTC Act, as an unfair and deceptive practice. So you don't wanna promise things with regard to privacy, that you're not prepared to deliver on. But if it's a requirement under any applicable law, you have to build those controls in no matter what, and actually implement them successfully, and have them in your privacy policy.

Another consideration is data breach notification. All 50 states and District of Columbia have statutes requiring entities to notify state residents whose personally identifiable information is affected by a data breach. And a number of those laws also require notification to state agencies, especially if a certain number of state residents are affected, like the state police, the state Attorney General. And most such laws only require notification if personally identifiable information is acquired by a hacker who obtains it, and could put it on Craigslist, or use it to... Or the dark web, or use it to steal people's identity. In some states, namely New Jersey, New York, Connecticut, and Florida, the mere access to that information is enough to trigger requirements where you have to report it. So if you have a breach, you gotta know how much data you had that was subject to it, and which states the data subjects may have been located in who were affected. Some states only require notification in a timeframe that's nebulous, like a reasonable timeframe without undue delay. Others have specific timeframes, ranging from the shortest specific timeframe is 72 hours in California. The longest is 90 days in Connecticut. The 72 day one also aligns with the European GDPR, which requires notification in 72 hours in the EU.

So commercial drone operators, if you're building out this privacy policy, you've also gotta have it in there that you're going to comply with applicable state data breach notification statutes, in the event that personally identifiable information collected by drones is affected by a data breach. So onto these specific state statutes that we're talking about. The most important one, it's the most comprehensive one, rather, is the California Consumer Privacy Act, CCPA, that took effect on January 1st, 2020. It applies to every entity that does business in California, and has annual gross revenues in excess of 25 million, where annually buys, receives, sells, or shares the personal information of more than 50,000 customers, households, or devices, or derives 50% or more of its annual revenue from selling information. And this gives a number of data rights to California data subjects, including implementing and maintaining reasonable security procedures and practices, and giving all data subjects the right to opt out of sale of personal information, and delete personal information upon request.

And also, it contains a private right of action in the event of a data breach. So if there's a data breach, and you are found not to have adequate security measures, there's gonna be a private right of action in California that could include class actions. Nevada has a statute that mirrors CCPA in some aspects by requiring a business that does business in Nevada to let customers opt out of sales of personal information. Virginia and Colorado also enacted state privacy statutes along the lines of the California CCPA in 2021. And there's a number of other state legislatures that are considering similar legislation, such as New Jersey and Connecticut, a number of other states. And it's possible you could end up having a number of those statutes enacted in the coming months, and certainly the coming years. And then you have the New York Shield Act, which I mentioned, which doesn't have a private right of action, but is incredibly comprehensive in its extra territorial applicability, as well as it's information privacy requirements. While most state statutes require reasonable security measures, it goes and lays out specific cybersecurity controls it requires, almost the way HIPAA or Gramm-Leach-Bliley do, and those are very comprehensive. And that could be an entirely separate one or two hours CLE, so we're gonna keep that minimal now.

But, however, it's not clear with regard to a drone operator, whether just a video or a photograph of a person would constitute personally identifiable information that have yet to be interpreted by courts and administrative agencies, but certainly it could raise issues if it collect... It certainly could be if there's an argument that what it collected was biometric information. And certainly if it has information about someone's physical appearance, that could trigger a definition of personally identifiable information, depending on the statute. Or it involves a business transaction where information about someone's name, address, financial information, or that type of personal information, was collected, which is the case where someone hires a drone to photograph their property for a real estate listing, or someone orders something delivered by a drone. Biometric information is where it could raise significant issues, because biometric information can include scans of a person's face or iris, thermal imaging, or fingerprints. And biometric information is subject to some of these state privacy statutes. So if a drone collects information on someone's facial scan or iris, or thermal imaging, or a plaintiff, or a government agency argues that the drone had the capacity to do that, there could be claims that it collected personal information that was subject to these statutes, and therefore, there could be exposure.

A good way to avoid that is that there's no reason for a drone operator to collect that information, which there really isn't, probably wouldn't be a reason to collect that information. If you're just photographing a house for real estate listing or inspecting power lines, you probably could build it into your policies and practices that you do not have that technology. The drones are not equipped with it, and your systems that store and process the data are not equipped with it, and you will not process or collect biometric information for any purpose or at any time. If you do that, you can avoid, you can narrow the chances that the information you collect could be considered personally identifiable information, subject to these statutes. And it's important that if you are a commercial drone operator, you consult with an attorney who understands data privacy law, in order to determine which privacy and data breach notification statutes your subject to, with regards to your drone use, and where you operate geographically. And also what information would constitute personally identifiable information under those state laws, whether just a picture of a person at their house would, whether it has to be biometric information, or whether it's only in the case that you have people's financial information, address along with their name as part of a transaction. That'll vary state to state, so it's important that you consult with data privacy attorneys about that, and figure out which statutes you're subject to, and what constitutes personal information under those, and then can figure out what you need to comply with.

As for biometric information, Illinois, Washington, and Texas each have, the state of Washington to clarify, have enacted stringent statutes prohibiting the collection of biometric information from state residents without their prior informed consent. The Illinois statute, which is called BIPA, Biometric and Information Privacy Act, is the most significant because it has a private right of action. And this private right of action allows for consequential damages, just for a breach of the statute. You don't have to show an act. You don't have to show any other harm to get damages, other than the fact that the statute was violated. So, and it allows for class actions. So if you violate this statute, even if it doesn't lead to identity theft, or anything likely to cause emotional distress, or physical injury, or reputational harm to a person, you could still be liable for significant damages. And these statutes can lead to significant exposure if you collect biometric information.

So again, if your drones or systems that process, or handle, or collect the data that the drones collect are capable of processing or collecting biometric information, or do in fact, process or collect it, you really need to determine is it necessary to do that. And if not, you should eliminate those capabilities, and clearly state in your privacy policy that you do not have those capabilities, and you do not engage in that type of activity just to protect yourself under these statutes. And if you do collect biometric information with your drone, and for whatever your business purpose is, there's no way to get around it, then you need to make sure you comply with it, and make sure that you're only taking biometric data, collecting metric data from people once they've already consented to it. Like, if you're gonna be flying a drone over somewhere and collecting biometric information from any people there, that you get them to consent beforehand. That's the only way you'll be able to do it under these biometric privacy laws. However, there doesn't seem to be a lot of need to collect biometric information for businesses like realtors or like, delivery services.

However, there can be inadvertent collection, if you're using thermal imaging to detect threats to critical infrastructure or for agricultural crop monitoring. So it's important there to be very careful that you don't collect biometric information from people, and the systems are configured that they won't get thermal imaging of people, and they won't collect or process it. Another consideration with State Drone Law is Drone Voyeurism Law. As we know, drones often can be used to spy on people, because they can get in places that a helicopter can't. Like, it's not practical, or even basically possible, for a helicopter to come fly behind your house, sit right outside your window for 20 minutes, and watch you doing whatever you're doing inside. Certainly if they did, there would be a ton of noise, and you would close your windows, and probably call the police and run. Whereas a drone, I've seen drones that could fit in your hand and have a camera. So a drone can fly three inches from your window, sit there for 30 minutes filming you without your knowledge, and you would never know that it was there. And that's the frightening thing. And it's frightened a lot of people. And it's led to a lot of concern about voyeurism and espionage, both, you know, potentially corporate espionage, espionage even in the terrorist or political sense, and also in a troubling way, voyeurism, including stalking, sexual voyeurism, exploitation of minor children. And that's raised a lot of concern. And a number of states, including Pennsylvania and Arkansas, have enacted statutes specifically prohibiting the use of drones for stalking and voyeurism. So on top of the regular stalking and voyeurism invasion of privacy statutes, it's a separate crime to use a drone for voyeurism. I know, for example, there's also a bill pending in the New Jersey State Assembly that would amend the State Criminal Invasion of Privacy Statute to expressly include drone voyeurism. Voyeurism is something that a number of states have, every state has a law for voyeurism or invasion of privacy in that sense.

Probably the most famous, well-known, publicized case where it was used was the incredibly tragic case of Tyler Clemente, the Rutgers student, whose roommate, without his knowledge, videotaped him in a sexual encounter with another man and live streamed it on the internet, in addition to publicly outing him as gay, and led to him tragically taking his life. And the perpetrator of this was ultimately charged with Invasion of Privacy. And that was the way they got, the prosecutors were able to get him for the egregious incident and the tragic situation that he caused. So that's what those statutes are. Most, not all states have them. And now some states have enacted separate statutes prohibiting drone voyeurism on top of that. Most all states also have a stalking statute, so drone use could come under stalking. And also in the event that someone has a protective order or a no contact order that's been issued by a court, especially in a domestic violence situation, or a family situation, a drone could be used to surveil or follow the person without getting close to them in violation of the order. So use of a drone could potentially be a violation of a protective order.

Where that implicates the federal law to protect a drone operator, to protect privacy in accordance with applicable state and local law, is that if you're a business, and you have a number of employees using drones, or even just one person, you really need to build it into your policy that drones are only being used for your central business purpose, which should be clearly defined in the policy, and not for any other purpose. And that no employee, member, shareholder, officer, agent, or contractor will be permitted to use drones for any voyeuristic, illegal or harmful purpose, or to violate any protective court or governmental order. Because you need to make sure you've covered your bases just to protect individual privacy in accordance with those types of laws, such as protective orders, voyeurism, and stalking statutes, domestic violence statutes. And in addition, it's also important to build into the policy and just your operations, that you closely screen employees who will use the drones and have access to the drones.

Because the last thing you wanna do as a business, even if you don't have any of these federal laws that are applicable, or state privacy laws, you could have tort liability under negligent supervision or hiring, or respond to superior theories, if one of your employees uses a drone to stalk someone, commit voyeurism, or violate a protective order. So therefore, you need to build, as just to prevent tort liability, as well as comply with these federal laws, what you really need to do is the same way if you're a business that has a vehicle fleet for delivery drivers, you have to screen your drivers to make sure no one has a history of moving violations that indicate they're a dangerous driver or substance, alcohol, drug use. You have to do the same thing with drone operators. A, make sure that they're capable of getting registered as a drone operator, because you'll have to do that in order to have them fly a drone. And also that they don't have any history of substance abuse, alcohol, or drugs that can make them not a safe person to operate an unmanned vehicle. And also make sure they're not someone who has a propensity or you have any reason to believe could use a drone for an improper purpose.

So clearly, anyone who's subject to a protective order is probably someone that you wanna make sure has no use or access to drones in your business. Anyone who, of course, is a sex offender, has been convicted of any sexual or domestic violence related offense, or has a pending case against them for such an offense, or voyeurism, or stalking, or anything like that. Because if you hire someone like that and then they go... Or even if you have do a reference check, and find out that they had a history of being creepy, or trying to peep on women, or be inappropriate, and then they go commit voyeurism or do something else like that with a drone, a business could have significant liability under responding at superior negligent or negligent hiring, or supervision theories.

So as a matter of reducing tort exposure, that kind of screening and control and supervision are vital with drones, and also supervising the employees. So if an employee takes a drone and is doing something they're not supposed to do with it, or just not using it for business purposes, they'll quickly be identified, and they'll lose use or access to the drone or be terminated. It's really the same thing as if you're a limo company, or you're a restaurant that has delivery drivers. You always know where your vehicle fleet is. And if a driver takes the car and goes off and does something that's not work related with it, you'll know right away that they were misusing it, and can discipline them appropriately. The same thing will go for drones. And so that is basically where the law stands now. Basically, there is a good chance that you you'll be required to have a privacy policy for your drone, that complies with all state, local, federal, and constitutional privacy protections. And that will likely require, depending on the states where you do business, that you comply with proactive security measures regarding any information that's personally identifiable information, that you don't collect any biometric information without the prior consent of the individuals involved. And that if you have any personally identifiable information that you protect it in accordance with all those laws, and report any data breaches in accordance with the applicable laws. What remains to be seen, what the enforceability will be, and what the penalties will be, and the law is gonna develop in this area.

Another thing to be aware of is that some states are considering enacting drone delivery privacy laws. For instance, there was a bill introduced in California that hasn't passed, but it's been introduced and is being considered, that would require commercial drone operators, who are using drones for deliveries, to delete certain personal information, once it's no longer needed to complete the transaction. So once the drone drops off the package, it would be required to delete certain information, and it would restrict the information that could be saved, or retained, or processed. There's bills like that, that may be considered in more and more states. And based on Section 357 of the drone, the FAA Reauthorization Act in 2018, there'd at least be an argument that they're not preempted federally. Whether courts would agree or not remains to be seen, but there would at least be that argument that those such laws could be in force and enforced. And if drone delivery becomes more common in the coming years, there's a good chance that there'll be political pressure on more states to pass such laws. And you may see states end up passing them. Another possibility is that you have drone privacy regulations promulgated by the FAA, or even drone privacy laws enacted by Congress.

You know, the federal government has enacted privacy regulations and laws for certain sectors, as I told you about HIPAA, and the HHS regulations governing healthcare, FERPA in education, and Gramm-Leach-Bliley, and all the rules enacted by the financial services regulators at the federal level. And there's data security and privacy regulations being discussed in other sectors as well. So it's possible that you may have the FAA step in, and come up with regulations to protect privacy in the context of drones, the way you have it for healthcare. And you may have federal regulations saying, "This is how you have to, you have to comply with these security procedures, with regards to the data you have. You can't collect biometric data with a drone, unless you do this." There are a lot of different approaches they could take, and it's possible the FAA may decide to undertake it, or Congress may pass legislation imposing it, or directing the FAA to implement it. And if drone delivery becomes more of a regular part of the economy, rather than a novelty, there may be a lot more pressure on Congress and the FAA to do so. And that's something you really have to be cognizant of, depending on where things go politically, and where the industry evolves.

Another possibility is that you could end up having a federal privacy framework, the same way the European Union has one that governs all businesses in all sectors, regardless. For instance, the European Union passed what's called the GDPR, the General Data Protection Regulation, in 2018, and the General Data Protection Regulation imposes requirements on any business that targets, that processes data in the EU, or targets customers in the EU, and processes and collects their data. These businesses that are subject to the GDPR, which can include American businesses that are processing and collecting that data, are subject to a number of information privacy requirements, such as the right reasonable security requirements, and the right to give, and the rights of the customers to have their data not processed, to opt out of processing to have their data corrected, to have their data deleted, to know what data has been collected about them, and to know why they've shared it, and why it's been processed and used. That's basically the long and short of what the GDPR does. And at the federal level, it's possible that the United States, depending on where things go politically in the coming years, could enact something like that.

That would be a federal framework for all businesses doing business in interstate commerce. That would basically affect almost all businesses in the country, including drone operators. And that would significant because you take away the argument that privacy standards are that drone privacy laws are preempted, because unless it's a federal law, unless it specifically exempts aviation or drones, then it would apply to drone operators. So that would automatically require operators to adhere to certain privacy practices, if Congress did end up passing it. The only question is, "What would it do if there is such a law passed? What would it do with state laws?" And that division is actually one of the biggest reasons you don't have a federal privacy framework now, the way you have one in Europe. Because right now, the Republican party wants to have, Republican leadership in Congress right now wants to have a federal framework that preempts all state laws. So more stringent state laws potentially, including California's and New York's, would be preempted and unenforceable, the way I said certain laws governing airlines have been held to be preempted and unenforceable. Whereas Democrats congressional in Congress feel very strongly that state laws should not be preempted, and if we have a federal standard, states should be permitted to enact more stringent laws. So if something along the lines of the Republican approach passed, all these state laws would be preempted, and drone operators would only have to comply with whatever the federal law provides.

However, if the Democratic approach is enacted, drone operators would have to comply with the federal law, whatever it provides, no matter what, because there's, of course, no preemption requirements unless they exempt aviation or drone operators. And on top of that, there would still be this patchwork of state laws, which are all different. And some of them would still be more stringent, likely, than whatever the federal standard is. And it's possible that California, Illinois, and other states, especially states with these biometric laws will keep their laws on the books, and make them more stringent than the federal standard. So in that case, depending on whether these provisions of the FAA Act are considered requirements or not, the drone operators could be required to comply with the federal standard, and potentially, the state and local laws as well.

So basically, the situation is very much in flux right now, but there are things you can do, if you're representing commercial drone operators, to stay ahead of the curve and make sure that your clients are less likely to be the test case for novel theories of how statutes are constructed. And if things are constructed in a certain way, aren't gonna have exposure. And a lot of the practices with data security that businesses may use drones may undertake to ensure they comply with these laws, are just prudent practices altogether to minimize data risk. Because as I said earlier, data breaches have exponentially occurred, and that trend is unlikely to stop. It's gonna keep continuing and most businesses are going to be targeted for data breaches at some point. So the kind of controls that you would need to establish that you have reasonable security measures to protect individual privacy in accordance to all these laws, by adopting them, a lot of these practices and procedures are gonna reduce your risk of having a data breach or a cybersecurity incident. And if you do have one, may reduce the impact of it on your operations. And that's very important, because a lot of businesses are going to be targeted, and a lot of businesses are gonna fall prey to these events. And it's important to have these controls in place, so when an incident happens, you can still show that you complied with the reasonable security requirements imposed by these statutes, and also the common law.

There have been courts that have held that businesses have common law duties to protect personal identifiable information. And there could be a common law tort claim for negligence, if there's data breach affecting it, even without any statute or regulation that requires such protections be in place. And the most important thing is not to let businesses think that cyber insurance is a substitute for prudent practices. Because first off, if you're dealing with potentially FTC claims that could happen under these statutes for a drone operator, depending on your insurance policy, that may not be covered. Regulatory fines may not be covered. And also there's a lot of consequences with regard to data breaches that insurance won't help you with. And the big one is reputational harm. Let's say you were a drone operator, and you film people's houses to sell them, because you're a realtor for realtors. And then it comes out that in the news that your business was hacked, and everyone's aerial home videos for the listings, and people's pictures that were taken even beyond what was published online, as well as their name, and their payment information, and everything ended up online, and it was a data breach. If that gets in the news, that drone operator is gonna lose its business from all the realtors that use it. And if a realtor was operating the drone itself and was breached, and all this ended up, that real estate agency is gonna lose business, because who's gonna wanna use a business that couldn't protect their information. And that drop off in business caused by reputational harm, is something that insurance won't help you with. Another thing is, it won't help you if you end up losing customers because you have a cyber attack, and you're out of commission, and your systems are out of commission. You can't operate for a few weeks, so customers get impatient and go to someone else. And they realize, "Hey, I like the other guy better. So I'm not gonna gonna go back."

They'll cover you for the business interruption, but they're not gonna cover you for the fact that your customers never came back to you, and you ended up going out of business. So especially for drone operators, but in any sector, you can't ever have the mentality that cyber insurance is a substitute for prudent cybersecurity measures. It's basically the analogy you could tell someone is, "Fire insurance is no substitute for a fire escape and a smoke alarm." Because there's certain things that it's just not gonna help you with, and you'd rather not have a fire than have to make a claim under your fire insurance. The same way, it's much better to never have a cyber attack or have cyber attacks that can be quickly remediated, and not cause an outright data breach, than it is to have a cyber attack like that that's really bad. And then have to go make a claim under your insurance for remediation costs and business interruption, and then to have to make a claim under your insurance for them to defend a number of lawsuits and other proceedings. And your premiums are certainly gonna go through the roof if that happens. So it's important to bear that in mind when you're advising clients. And I hope this conversation has been very helpful. And I suggest if you found it very interesting, that you should continue to read up on drone law, because a lot is evolving. And you should certainly keep an eye on the FAA. You know, if you're actually representing clients in this space, you should keep an eye on the FAA regulations to see if there's any regulations or proposed notices of proposed rule making that have to do with drone use, and drone privacy, and privacy of information collected by drones. Certainly keep an eye out for any legislation introduced at the state or federal level about drones. And if legislation is introduced, definitely look at who the political players are behind it, so maybe you can get a sense of whether or not it has a chance of passing. And certainly if regulations are promulgated, then it's certainly something to look at and adapt to. And if you have clients who may be interested, maybe talk to them about potentially submitting comments if there's a notice of proposed rule making issued by the FAA or the FTC, and they may be interested. And also you should keep a look out for FTC regulations, because the FTC may also issue regulations in this regard, because of the statutes that were passed as part of the 2018 FAA Reauthorization Act. So I really appreciate your time today.

I hope you found this very interesting and informative. And I hope it'll be helpful for you in your journey as attorneys, as you learn about an exciting area of the law, and I wish you all the best.

Presenter(s)

BMJ
Brad Meisel, JD
Associate Attorney
Firm’s Transactional Group
DR
Diane Reynolds
General Counsel

Credit information

Jurisdiction
Credits
Available until
Status
Alabama
  • 1.0 general
Unavailable
Alaska
  • 1.0 voluntary
Pending
Arizona
  • 1.0 general
Pending
Arkansas
  • 1.0 general
Pending
California
  • 1.0 general
Pending
Colorado
  • 1.0 general
Unavailable
Connecticut
  • 1.0 general
Pending
Delaware
  • 1.0 general
Unavailable
Florida
  • 1.0 general
Pending
Georgia
  • 1.0 general
Unavailable
Guam
  • 1.0 general
Pending
Hawaii
  • 1.0 general
Pending
Idaho
    Not Offered
    Illinois
    • 1.0 general
    Pending
    Indiana
    • 1.0 general
    Unavailable
    Iowa
    • 1.0 general
    Unavailable
    Kansas
    • 1.0 general
    Unavailable
    Kentucky
    • 1.0 general
    Pending
    Louisiana
      Not Offered
      Maine
      • 1.0 general
      Pending
      Minnesota
        Not Offered
        Mississippi
        • 1.0 general
        Pending
        Missouri
        • 1.0 general
        Pending
        Montana
        • 1.0 general
        June 13, 2025 at 11:59PM HST Approved
        Nebraska
        • 1.0 general
        Pending
        Nevada
          Not Offered
          New Hampshire
          • 1.0 general
          Pending
          New Jersey
          • 1.2 general
          Pending
          New Mexico
          • 1.0 general
          March 3, 2027 at 11:59PM HST Approved
          New York
          • 1.0 areas of professional practice
          Pending
          North Carolina
          • 1.0 general
          Unavailable
          North Dakota
          • 1.0 general
          Pending
          Ohio
          • 1.0 general
          Unavailable
          Oklahoma
          • 1.0 general
          Unavailable
          Oregon
            Not Offered
            Pennsylvania
              Not Offered
              Puerto Rico
              • 1.0 general
              Unavailable
              Rhode Island
              • 1.0 general
              Pending
              South Carolina
              • 1.0 general
              Unavailable
              Tennessee
              • 1.0 general
              Pending
              Texas
              • 1.0 general
              Unavailable
              Utah
              • 1.0 general
              Unavailable
              Vermont
              • 1.0 general
              Pending
              Virginia
              • 1.0 general
              Pending
              Virgin Islands
              • 1.0 general
              Pending
              Washington
              • 1.0 law & legal
              March 3, 2027 at 11:59PM HST Approved
              West Virginia
              • 1.2 general
              Pending
              Wisconsin
                Not Offered
                Wyoming
                • 1.0 general
                Unavailable
                Credits
                • 1.0 general
                Available until
                Status
                Unavailable
                Credits
                • 1.0 voluntary
                Available until
                Status
                Pending
                Credits
                • 1.0 general
                Available until
                Status
                Pending
                Credits
                • 1.0 general
                Available until
                Status
                Pending
                Credits
                • 1.0 general
                Available until
                Status
                Pending
                Credits
                • 1.0 general
                Available until
                Status
                Unavailable
                Credits
                • 1.0 general
                Available until
                Status
                Pending
                Credits
                • 1.0 general
                Available until
                Status
                Unavailable
                Credits
                • 1.0 general
                Available until
                Status
                Pending
                Credits
                • 1.0 general
                Available until
                Status
                Unavailable
                Credits
                • 1.0 general
                Available until
                Status
                Pending
                Credits
                • 1.0 general
                Available until
                Status
                Pending
                Credits
                  Available until
                  Status
                  Not Offered
                  Credits
                  • 1.0 general
                  Available until
                  Status
                  Pending
                  Credits
                  • 1.0 general
                  Available until
                  Status
                  Unavailable
                  Credits
                  • 1.0 general
                  Available until
                  Status
                  Unavailable
                  Credits
                  • 1.0 general
                  Available until
                  Status
                  Unavailable
                  Credits
                  • 1.0 general
                  Available until
                  Status
                  Pending
                  Credits
                    Available until
                    Status
                    Not Offered
                    Credits
                    • 1.0 general
                    Available until
                    Status
                    Pending
                    Credits
                      Available until
                      Status
                      Not Offered
                      Credits
                      • 1.0 general
                      Available until
                      Status
                      Pending
                      Credits
                      • 1.0 general
                      Available until
                      Status
                      Pending
                      Credits
                      • 1.0 general
                      Available until

                      June 13, 2025 at 11:59PM HST

                      Status
                      Approved
                      Credits
                      • 1.0 general
                      Available until
                      Status
                      Pending
                      Credits
                        Available until
                        Status
                        Not Offered
                        Credits
                        • 1.0 general
                        Available until
                        Status
                        Pending
                        Credits
                        • 1.2 general
                        Available until
                        Status
                        Pending
                        Credits
                        • 1.0 general
                        Available until

                        March 3, 2027 at 11:59PM HST

                        Status
                        Approved
                        Credits
                        • 1.0 areas of professional practice
                        Available until
                        Status
                        Pending
                        Credits
                        • 1.0 general
                        Available until
                        Status
                        Unavailable
                        Credits
                        • 1.0 general
                        Available until
                        Status
                        Pending
                        Credits
                        • 1.0 general
                        Available until
                        Status
                        Unavailable
                        Credits
                        • 1.0 general
                        Available until
                        Status
                        Unavailable
                        Credits
                          Available until
                          Status
                          Not Offered
                          Credits
                            Available until
                            Status
                            Not Offered
                            Credits
                            • 1.0 general
                            Available until
                            Status
                            Unavailable
                            Credits
                            • 1.0 general
                            Available until
                            Status
                            Pending
                            Credits
                            • 1.0 general
                            Available until
                            Status
                            Unavailable
                            Credits
                            • 1.0 general
                            Available until
                            Status
                            Pending
                            Credits
                            • 1.0 general
                            Available until
                            Status
                            Unavailable
                            Credits
                            • 1.0 general
                            Available until
                            Status
                            Unavailable
                            Credits
                            • 1.0 general
                            Available until
                            Status
                            Pending
                            Credits
                            • 1.0 general
                            Available until
                            Status
                            Pending
                            Credits
                            • 1.0 general
                            Available until
                            Status
                            Pending
                            Credits
                            • 1.0 law & legal
                            Available until

                            March 3, 2027 at 11:59PM HST

                            Status
                            Approved
                            Credits
                            • 1.2 general
                            Available until
                            Status
                            Pending
                            Credits
                              Available until
                              Status
                              Not Offered
                              Credits
                              • 1.0 general
                              Available until
                              Status
                              Unavailable

                              Become a Quimbee CLE presenter

                              Quimbee partners with top attorneys nationwide. We offer course stipends, an in-house production team, and an unparalleled presenter experience. Apply to teach and show us what you've got.

                              Become a Quimbee CLE presenter image