Over the next five years in the United States, thousands of drones are expected to be deployed for an array of commercial and governmental purposes. This prospect has captured the public’s imagination, and there are concerns about the privacy implications and whether new laws and regulations are needed. We here provide an overview of existing privacy requirements for Unmanned Aerial Systems (UAS) operating in the United States, describe new privacy proposals, and outline three scenarios that, depending on decisions by policymakers, could govern the privacy requirements for the commercial use of UAS for years to come. 

Existing Requirements

UAS operators already must comply with a host of common law, state and federal privacy requirements.

Most states recognize the tort of “intrusion upon seclusion,” which can impose liability on those who intentionally intrude upon the seclusion of others in a manner that would be highly offensive to a reasonable person. Conducting surveillance in a person’s home would likely implicate this privacy right, and overzealous surveillance of public activities may constitute an intrusion upon seclusion as well. See Nader v. Gen. Motors Corp., 255 N.E.2d 765 (N.Y. 1970). Relatedly, state “peeping tom” laws prohibit capturing compromising images of individuals without their consents when those individuals have reasonable expectation of property. Taken together, these rules provide basic protections against potentially invasive surveillance by UAS. Indeed, it is reasonable to expect that more widespread use of UAS could lead to more lawsuits brought under these causes of action.

UAS operators face a patchwork of state laws impacting their operations. In 2013, thirteen states passed laws governing UAS operations, and three states – Idaho, Oregon and Texas – enacted laws that specifically address UAS use by private entities. Idaho’s law prohibits UAS from photographing or recording an individual for purposes of disseminating the information without written consent. The Oregon law allows landowners to sue UAS operators that fly UAS over property at an altitude of less than 400 feet. The Texas law prohibits the collection of images by UAS unless the collection falls within one of nineteen enumerated uses.

These state laws complement an emerging federal legal framework. The Congress required the FAA to designate six UAS test sites as part of a requirement for the FAA to establish a program to safely integrate UAS into the national airspace system. The FAA has imposed a number of requirements on the test sites, including the requirement that the six UAS test site operators must comply with all local, state and federal laws concerning privacy and civil liberties, and that UAS operators at the test sites must have a written plan for UAS use and information retention procedures. Additionally, test site administrators will be required to conduct annual privacy reviews and share the outcomes with the public. The FAA’s requirement that test site administrators review privacy practices and share those outcomes with the public also could subject UAS operators to the oversight of the United States Federal Trade Commission (FTC). The FTC has general authority to take action against companies when commercial privacy practices do not live up to privacy representations.

Proposals for Further Regulation

In spite of the rules already in place, there have been recent calls for additional UAS privacy requirements. At a recent Congressional hearing on UAS, Sen. Ed Markey (D-MA) pushed strongly for the passage of his comprehensive UAS privacy bill. Senator Markey’s proposal would, among other requirements, force UAS operators to publish flight plans, data collection practices and information sharing and retention policies. Both the FTC and State Attorneys General would be empowered to bring enforcement actions against operators for privacy violations related to these policies.

Markey’s policy prescriptions reflect many of the privacy rules proposed by privacy and civil liberty advocacy organizations. The Center for Democracy and Technology, for instance, has urged the FAA to adopt baseline enforceable standards for UAS privacy such as data minimization rules and transparency requirements that would inform the public about who operates UAS that may affect their privacy. Relatedly, the ACLU has called for mechanisms to allow citizens to opt out of property surveillance. There is no shortage of ideas for reform in the realm of UAS.

Future Regulatory Scenarios

Given this activity, we see three scenarios for the future of privacy and UAS.

The first scenario basically is a continuation of the status quo. Common law causes of action for privacy invasions would continue to be relevant, states would continue to enact laws addressing jurisdiction-specific privacy concerns, and the federal government would continue – over time – to develop piecemeal privacy rules addressing UAS. This scenario might include enforcement actions by the FTC for UAS activity that does not comply with privacy promises; class action lawsuits whenever an alleged privacy violation makes the news, and basic oversight of privacy policies and practices by the FAA or test site administrators.

The second scenario stems from the passage of federal legislation and/or significant new rules adopted by the FAA. In this scenario, new federal rules might not expressly preempt state law. Consequently, all of the aforementioned liability in the first scenario would still exist, and new liability pursuant to federal regulation would be imposed. Federal rules could take the form of Markey’s bill or follow the comments proposed by privacy and civil liberty organizations or other less prescriptive ideas.

The third scenario is the passage of federal law that preempts state regulations. Such a scenario would create the most consistency for UAS operations and, even if some uncertainty still existed, would allow operators and manufacturers to focus their attention on one set of rules rather than an ever-changing patchwork of state requirements. Additionally, this scenario could promote the use of industry standards, as the Obama Administration has shown an interest in relying on industry standards as an alternative to federal privacy regulation.

As the debate over the integration of UAS moves forward, it will be important for manufacturers and operators to monitor state and federal proposals and continue to help inform the discussion over the scope and breadth of future regulation. UAS undoubtedly is ready to take off; now is the time to ensure that privacy concerns do not interrupt the flight.  

Written By

Hogan Lovells


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»