Stakeholders Reach Consensus on “Best Practices” for Commercial UAS

Year-long multistakeholder process convened by NTIA produces voluntary standards for protecting privacy in drone use.

As we reported last year, at the request of the President, the National Telecommunications and Information Administration (NTIA) has been overseeing a multistakeholder process looking toward the development of a set of "best practices" for the commercial and private use of unmanned aircraft systems (known to the cognoscenti as "UAS", but to others as "drones"). On the table were a set of three broad UAS-related issues: privacy concerns, transparency and accountability.

And we now have the product of that process: a document entitled Voluntary Best Practices for UAS Privacy, Transparency, and Accountability (a/k/a the "Best Practices").

Of course, the average UAS operator probably views the FAA as the main source of UAS regulation. And the FAA has, indeed, flexed its regulatory muscles, as we've recorded in multiple posts (for example, here and here) and also in a webinar devoted to the subject. But the FAA has so far limited its efforts to matters relating strictly to air safety; it has declined to address the average citizen's concern about personal privacy, a concern born of visions of the creepy neighbor hovering a camera-laden UAS outside a bedroom window or over the pool. The FCC has explicitly stated in its proposed small UAS rules that privacy issues are "beyond the scope of this rulemaking". But it has hedged on that slightly, if not entirely credibly, advising at least one party interested in privacy regulation that it "will consider [that party's] comments and argument" in its ongoing consideration of small UAS rules. (To protect their privacy, some people have taken matters into their own hands, but that's actually a Federal crime and not something we recommend.)

Meanwhile, a hodgepodge of state and local laws has popped up with respect to UAS operation (some of which the FAA has indicated it believes are preempted by its regulations), creating an extra layer of legal review and complexity for those seeking to operate lawfully.

And to this tangle of considerations we now add the NTIA-sponsored Best Practices.

It's important to recognize that the "Best Practices" are not binding rules or regulations. Rather, they are voluntary guidelines, the creation of a range of private sector participants - trade associations, public interest groups, vendors and others - who came together at the NTIA's invitation. While NTIA played the role of host and facilitator, it was not part of the decision-making process. Instead, NTIA merely helped the participants arrive to a consensus through discourse in various forms, from big, open meetings to one-on-one discussions. (For a complete overview of the multistakeholder process, check out this page on the NTIA's website.) In view of the wide range of views represented by the participants, it's a testament to the community and to the folks at NTIA that a final, comprehensive document exists at all, let alone so soon after the process began. The guidelines strike a balance between (a) parties who sought broad privacy rights and (b) others concerned about overly intrusive - and difficult to meet - restrictions on the collection of personal data. (Note: The end result was not embraced by all participants, including some on both sides of that divide.)

So what's in the "Best Practices"? They consist of broad guidelines for commercial UAS operators' management of "covered data," which is defined as "information collected by a UAS that identifies a particular person." According to the Best Practices, commercial UAS operators should:

• Inform people whose covered data will be collected by UAS (note, the guidance uses the term "inform," not "obtain consent");
• If covered data is collected, create internal policies governing what will be done with any data collected, and inform the public of those policies. Those policies would describe the kind of data to be collected and how the data will be used, retained and shared, especially when it comes to law enforcement requests for information;
• Avoid operation over private property without consent (though the guidelines recognize that some such operation may sometimes be necessary);
• Not engage in "persistent continuous collection" of specific individuals' covered data (in other words, don't use UAS for unconsented surveillance);
• Not retain covered data longer than necessary and allow requests from people whose data has been collected to have it deleted or modified to remove the personally identifiable information (for example, blurring faces or license plates);
• Keep covered data safe by developing and following good data security policies (that was a major concern of privacy advocates).

The Best Practices also include, as an appendix, some "Guidelines for Neighborly Drone Use" addressed to hobbyists. These track the guidelines for commercial use, with the added helpful suggestion: "Don't harass people with your drone."

Crucial to the implementation of any of the guidelines is the definition of "covered data". The term is only vaguely defined (as indicated above), although the Best Practices do further provide that "[i]f data collected by UAS likely will not be linked to an individual's name or other personally identifiable information, or if the data is altered so that a specific person is not recognizable, it is not covered data." While not separately defined in the Best Practices, the term "personally identifiable information" has acquired some generally accepted meaning among privacy experts.

Now that we have these Best Practices, what do they really mean for commercial UAS operators?

At this point, it's hard to say. The Best Practices are purely voluntary: that is, no one is under any obligation to adopt and implement them in whole or in part. In fact, the Best Practices expressly state that they're not meant to "create a legal standard of care by which the activities of any particular UAS operator should be judged" or to "serve as a template for future statutory or regulatory obligations". Rather, they supposedly reflect only the consensus of some (but not all) of the multistakeholders who participated in the NTIA process as to how commercial UAS operators should act.

Whether that will hold true indefinitely remains to be seen. Throughout the process the possibility of the guidelines eventually finding their way into formal, mandatory regulations was viewed by some as inevitable as states and localities search for ways to respond to people's concerns about intrusive UAS use.

Notwithstanding their current purely voluntary status, in our view it would be a mistake to ignore the Best Practices. Many of the big players in the UAS space did sign on, and many others are likely to adopt privacy policies very much in line with the Best Practices. If (as may be expected) acceptance of the Best Practices spreads widely though the commercial UAS universe, all participants may eventually sense pressure - from peers, the government, the public, etc. - to follow suit.

But be forewarned: If you do opt to adopt the Best Practices (or some variation thereof), you will need to stick to them carefully or risk having to deal with the Federal Trade Commission. That's because the FTC has taken the position that, when a company has adopted - even voluntarily - a privacy policy, a failure to abide by that policy may constitute an "unfair and deceptive trade practice" in violation of Section 5 of the Federal Trade Commission Act (FTCA). And making that point emphatically, a recent draft of the FAA Reauthorization Act legislation in the Senate specified that such violations related to UAS operations are covered by Section 5. In other words, you do not have to embrace the Best Practices in whole or in part, but if you do, you must be committed to implement whatever you do embrace carefully and consistently.

Important Note to Broadcasters and Journalists: The Best Practices do NOT apply to you. To the contrary, they include an express exemption arising from First Amendment considerations. A number of process participants argued that the use of UAS is no different from any other data collection means (such as helicopters and telephoto lenses) journalists use that are capable of collecting personal data from afar, and therefore UAS operations should not be singled out for specific treatment. The Best Practices explicitly state that the guidelines do not apply to "newsgatherers and news reporting organizations." Those groups are instead encouraged to follow their own "ethics rules and standards for their organizations and . . . Federal and state laws."

But heads up. Section 5 of the FTCA includes no exemption from enforcement for broadcasters and journalists. If you adopt a UAS privacy policy, whether based on the Best Practices or not, be sure to follow it to avoid potential penalties.

Interestingly, when NTIA initiated the multistakeholder process, the topics to be considered included, in addition to privacy, "transparency" and "accountability" in UAS operation. Those two extra topics still appear in the formal title of the Best Practices, but they do not appear elsewhere in the document. It's not clear whether any further effort will be made to address them, under the aegis of NTIA or otherwise.

Check back with us at CommLawBlog for future updates on UAS regulations. We expect to see the final version of the FAA's small UAS rules sometime in the next few weeks! Or months, you never know.