Navigating new federal and state drone privacy laws

In recent years, the aggregate industry has increasingly utilized unmanned aerial vehicles (UAVs), commonly known as drones, to map and survey quarry sites.

Certain drone systems used by aggregate producers have the ability to create survey-grade mine and quarry site maps spanning up to 1,000 acres in a single day. These can be used to plan blasting operations, track production, conduct workplace monitoring, and ensure operational safety and compliance, according to an April 2017 UAS Magazine article.

Aggregate producers seeking to employ drones for mapping and surveying purposes face a new challenge in the form of the provisions of the FAA (Federal Aviation Administration) Reauthorization Act of 2018 regulating the privacy practices of commercial drone operators. President Donald Trump signed the FAA Reauthorization Act of 2018 in October 2018 after it passed the Senate by a 93 to 6 vote.

The act requires any person or entity using a drone “in the furtherance of a business enterprise” and, like an aggregate mining company, does not use a drone for purposes protected by the First Amendment such as newsgathering, to develop and implement a publicly available privacy policy appropriate to the nature and scope of its activities regarding the collection, use, retention, dissemination and deletion of any data collected during the operation of a drone. Violations of such privacy policies constitute unfair and deceptive practices subject to enforcement by the Federal Trade Commission (FTC).

The FAA Reauthorization Act of 2018 requires that commercial drone operators’ required privacy policies protect and respect personal privacy consistent with the U.S. Constitution and all federal, state and local laws.

Currently, there are no federal information privacy laws governing the aggregate mining sector such as those governing the health care, financial services and education sectors. Still, aggregate producers using drones must ensure their privacy policies adhere to the rapidly changing patchwork of state statutes governing information privacy across all sectors.

Although courts have held that state data privacy laws are preempted as applied to airlines, courts have yet to decide whether or not state data privacy laws are similarly preempted as applied to commercial drone operators.

Regardless of how courts ultimately decide this issue, commercial drone operators must make their privacy policies consistent with state data privacy laws and operate as if they are subject to them, because the act requires commercial drone operators’ privacy policies to be consistent with state and local laws and deems violations of such privacy policies to be unfair and deceptive practices subject to FTC enforcement.

State examples

A number of states, including California, Colorado, Illinois, Texas and Utah, recently enacted statutes requiring entities that possess or process the privacy and security of personally identifiable information of state residents to implement and maintain reasonable procedures to protect such information from unauthorized disclosure such as being acquired or disseminated by a hacker during a data breach.

The New York SHIELD Act, which takes effect March 21, will require entities that possess the personally identifiable information of New York residents to implement data security programs. These programs include reasonable administrative safeguards that can include designation of one or more employees to coordinate the security program, identification of foreseeable external and insider risks, assessment of their existing controls, employee training, and contractually requiring third-party vendors to have compliant safeguards.

Although California and Nevada recently enacted statutes that give consumers extensive rights with regard to their personally identifiable information, these statutes have no impact on aggregate producers’ drone use because employees or bystanders observed by drones do not constitute consumers.

Considerations

Because it is not yet clear whether video or photographs of workers or bystanders captured by a drone would constitute personally identifying information under some state statutes that courts have yet to interpret, aggregate producers using drones would be well advised to consult experienced data privacy attorneys to determine what, if any, state data privacy statutes they could be subject to with regard to their drone use and ensure their privacy policies – as well as their data privacy and cybersecurity practice – are consistent with such statutes.

Aggregate producers using drones would also be well advised to avoid collecting or obtaining any biometric data using drones and expressly provide in their required privacy policies that they do not collect or obtain biometric data using drones at any time for any purpose. Biometric data is an identifier of a person that is used to electronically identify a person and can potentially include scans of a person’s face or iris, thermal imaging of a person or a fingerprint.

Unlike a photograph or video of a person working or engaged in ordinary activities, biometric data is considered personally identifying information subject to certain state data security statutes such as those in California and New York.

Illinois, Texas and Washington have enacted statutes prohibiting the collection of any state residents’ biometric data without their prior express informed consent, regardless of whether or not such data collection occurs in state. Illinois’ law is especially onerous in that it entitles any Illinois resident whose biometric data is collected in violation of the statute to statutory damages, regardless of whether or not they can demonstrate actual damages.

By ensuring their drones do not collect any biometric data and expressly providing in their privacy policies that they do not do so under any circumstances, aggregate producers can avoid liability under such state laws in connection with their drone use.

Still, if an aggregate producer uses or seeks to use drones to conduct thermal imaging of quarries or collect biometric data of workers or other people for security or monitoring purposes, they would be well advised to review such activities with experienced data privacy attorneys and work in conjunction with attorneys to develop efficient and effective protocols for complying with state biometric data statutes.

Moreover, because states such as Arkansas and Pennsylvania have enacted statutes expressly prohibiting drone voyeurism, aggregate producers using drones should provide in their privacy policies that the companies and their employees and agents are prohibited from using company drones for any and all non-business purposes, including voyeurism. Producers should screen and monitor their drone operators to ensure they do not misappropriate or misuse drones to engage in potentially voyeuristic activities.

Takeaways

Although the data privacy requirements of the FAA Reauthorization Act of 2018 may at first seem daunting, aggregate producers can successfully and efficiently navigate these challenges by developing effective and efficient compliance strategies with the assistance of experienced data privacy and drone attorneys, unleashing the full benefits of drone technology in aggregate mining.

---

Diane D. Reynolds is a partner and head of the cybersecurity, privacy and data protection practice at McElroy Deutsch, Mulvaney & Carpenter, a law firm with about 275 lawyers in nine states, with expertise in corporate, labor and employment, construction, environmental, and real estate law. Bradford P. Meisel is an associate at McElroy, Deutsch, Mulvaney & Carpenter, specializing in corporate, cybersecurity, data privacy and drone law.