Key Considerations in Addressing Privacy Concerns During Drone Operations

by Williams Mullen

Williams Mullen

Imagine that one of your employees uses his or her iPhone to take some pictures of work being done at a construction site. The employee captures several images that include teenagers sunbathing by a pool on the adjacent property. Several faces can be identified in the picture. Should you be concerned that your employee has violated the privacy of the teenagers? No, because as long as you or the employee did not publish or otherwise distribute the image, a court almost certainly would find that their privacy was not violated. Now, imagine that, instead of using an iPhone, the employee captured the same image of the adjacent property using an unmanned aircraft system (“UAS,” commonly known as drones). In some states, capturing the same image from a drone could be found to have violated the teenagers’ privacy. In addition, under voluntary guidelines recently published by the National Telecommunications and Information Administration (NTIA), a business might also be required take steps to secure and either blur or delete the image.

The reason for this difference is that increased privacy concerns associated with UAS is resulting in a unique legal and regulatory framework with regard to the information that they can collect. For example, several states have passed laws that restrict the collection of images that can identify individuals if they are on private property and if they have not given their consent to being imaged.


Generally in the U.S., individuals did not have a reasonable expectation of privacy while they were outside, even if they were on private property. For example, in Dow Chemical Co. v U.S,1 the court found that the Environmental Protection Agency (EPA) did not violate Dow Chemical’s Fourth Amendment rights when it used an airplane, without obtaining a warrant, to collect aerial photographs to inspect the company’s premises under the Clean Air Act. Similarly, in California v Ciraolo ,2 the Supreme Court ruled that the data obtained from a plane hired by the police to fly over a private home, again without a warrant, could be used as evidence in a trial.

However, with the rapid growth in UAS being used for both commercial and recreational purposes, lawmakers and regulators across the country have begun to respond to the public’s media-driven privacy concerns. As a result, in addition to complying with the Federal Aviation Administration’s (FAA’s) regulations regarding safe UAS operations, businesses will also need to determine whether they need to comply with any federal, state and even local laws designed to protect privacy.

Status of Federal Law

Currently, there is no one federal government agency responsible for privacy in the U.S. The Federal Trade Commission (FTC) has played the primary role in protecting consumer online privacy, but thus far it has not tried to assert its limited authority to cover drone operations.3 Some have suggested that the FAA should be responsible for regulating privacy issues associated with UAS. However, in December 2015, the FAA published a Fact Sheet on State and Local Laws that stated in part that “[l]aws traditionally related to state and local police power – including land use, zoning, privacy, trespass, and law enforcement operations – generally are not subject to federal [FAA] regulation. (emphasis added)4

In February 2015, the Obama Administration attempted to fill this void at the federal level by issuing a Presidential Memorandum titled, “Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft System[s].” The Presidential Memorandum, which consists of two parts, was an effort by the White House to address the concerns of a very vocal privacy community while also protecting the drone industry from having to comply with a patchwork of 50 (or more) privacy laws.

The first part of the Presidential Memorandum directs each federal agency to develop a policy on data collected from UAS to protect privacy, civil rights and civil liberties. Such policies are to address the collection, use, retention and dissemination of the data. Moreover, although this section does not apply directly to commercial enterprises, it does direct agencies to ensure that federal contractors have adequate training and rules of conduct in place with regard to the use of UAS.

The second part of the Presidential Memorandum pertains to the use of UAS for commercial purposes. It directs the NTIA to bring together stakeholders from industry, academia, and the privacy community to develop voluntary “best practices” for commercial use of UAS. Beginning in August 2015, the NTIA held a series of meetings on the issue, and in May of 2016 it published “Voluntary Best Practices for UAS Privacy, Transparency, and Accountability” (the “Voluntary Best Practices”). The Voluntary Best Practices provides in part that:

“[w]hen a drone operator anticipates that a drone use may result in collection of covered data, the operator should provide a privacy policy for such data appropriate to the size and complexity of the operator, or incorporate such a policy into an existing privacy policy. The privacy policy should be in place no later than the time of collection and made publicly available.”5

“Covered data” means information collected by a UAS that identifies a particular person, such as an image of a face.

Companies are not required to follow the Voluntary Best Practices. But if they choose to do so, they should also:

  • establish a process (appropriate to the size and complexity of the operator) for receiving privacy or security concerns, including requests to delete, de-identify or obfuscate the data subject’s covered data. Commercial operators should make this process easily accessible to the public, such as by placing points of contact on a company website;
  • have a written security policy with respect to the covered data, appropriate to the size and complexity of the operator and the sensitivity of the data;
  • make a reasonable effort to regularly monitor systems for breach and data security risks;
  • make a reasonable effort to provide security training to employees with access to covered data; and
  • make a reasonable effort to permit only authorized individuals to access covered data.

Status at State & Local Level

Over the past several years, UAS-related legislation has been introduced in almost every state. So far, 32 states have enacted laws addressing UAS issues and an additional five states have adopted resolutions. Many laws restrict the use of UAS by state agencies for law enforcement and regulatory purposes. Others restrict the use of UAS for hunting or make it a crime to operate a drone near critical infrastructure. However, several states that also have passed laws that restrict the use of UAS to collect information about an individual on private property, even if the same information could be collected using other means.

For example, in Florida it is illegal to capture an image of a person with the intent to conduct surveillance in violation of a person’s reasonable expectation of privacy, without his or her written consent. Surveillance is defined as the observation of an individual with sufficient clarity to identify that individual. Moreover, the law provides that a person is presumed to have a reasonable expectation of privacy on his or her property if he or she is not observable by persons located at ground level. Similarly, in North Carolina, a person may not use a drone to conduct surveillance of a person without his or her consent.

Thus far only a few states have passed drone-specific privacy laws, although many expect the privacy community to push for more legislation at the state level given the lack of federal oversight. Some cities also have introduced drone-specific ordinances intended to protect citizens concerns regarding privacy, including bans. In addition, the National League of Cities recently published a model ordinance (the “Model Ordinance”) on UAS that cities can use. The Model Ordinance requires a drone operator to register with a city before operations. In addition, it states that:

“[t]he City Manager may adopt reasonable restrictions on the time, place and manner in which a person may land, launch or otherwise operate an Unmanned Aircraft so as not to interfere with the health, safety, and welfare of City residents.”6

What This Means for Businesses

As a result of the evolving nature of laws around the data collected by UAS, there are several steps that businesses should take. These include:

  • consider using UAS with geofencing that can minimize the collection of data outside of a prescribed area;
  • ensure that your drone operators understand the privacy concerns associated with UAS and instruct them to avoid collecting data on persons or properties outside the scope of work;
  • when practical, provide notice (signs, flyers, etc.) that a UAS is being used to collect imagery around a certain area; and
  • if you are likely to be collecting data that could raise privacy concerns, develop a written policy that outlines how the data should be stored, outlines a reasonable retention period and limits access to the data to employees that have a need.

1 476 U.S. 227 (1986)

2 476 US 207 (1986)

3  However it is important to note that the FTC recently held a forum on drones and privacy. See e.g. (accessed on October 17, 2016).

4  FAA Fact Sheet on State and Local Laws (accessed on October 17, 2016)

5  Voluntary Best Practices for UAS Privacy, Transparency, and Accountability (accessed October 17, 2016)

6  A Model for Cities: Ordinance for the Promotion of Drone Innovation & Accountability (accessed on October 17, 2016)

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Williams Mullen | Attorney Advertising

Written by:

Williams Mullen

Williams Mullen on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.