In recent years, the water and wastewater industries have increasingly begun utilizing unmanned aircraft systems (UAS) — commonly known as drones — to conduct visual inspections and monitoring of facilities and infrastructure including water towers and other remote and hard to reach locations. In fact, New Jersey American Water, an early adopter of drone technology in the water industry, conducted nearly 200 drone flights in 55 locations in 2017.
Although drones have the ability to increase efficiency and decrease costs in the water and wastewater industry, water and wastewater entities utilizing drones are now required to comply with new federal laws enacted as part of the FAA Reauthorization Act of 2018, which govern the information privacy practices of commercial drone operators in all sectors. The FAA Reauthorization Act of 2018 passed both houses of Congress with widespread bipartisan support and was signed into law by President Donald Trump on October 5, 2018.
The Act contains a provision requiring any person or entity that uses a drone “in the furtherance of a business enterprise” to develop and implement a publicly available privacy policy appropriate to the nature and scope of its activities regarding the collection, use, retention, dissemination, and deletion of any data collected during the operation of a drone. The law deems any violation of such required privacy policies to constitute unfair and deceptive practices subject to enforcement by the Federal Trade Commission (FTC). The law does not exempt any sectors or entities from these new requirements except for those engaged in activities protected by the First Amendment, such as news gathering or publicly disseminating information. Therefore, entities in the water and wastewater sector must comply with the new law’s requirements.
Another statute of the Act expressly requires that commercial drone operators’ required privacy policies protect and respect personal privacy consistent with the United States Constitution and all federal, state, and local laws. Currently, there are no federal statutes other than the Act governing data collected or obtained by drones and there are no federal statutes governing data privacy and security in the water or wastewater industry, unlike industries such as financial services, healthcare, and education, whose data privacy and security practices are subject to sector-specific federal statutes and regulations. Although members of Congress have introduced legislation that would govern data privacy and security across all sectors, no such legislation has been enacted.
However, ensuring that their required privacy policies are consistent with state laws can pose a challenge to the water and wastewater industry given the rapidly evolving patchwork of data privacy and security statutes enacted by numerous states in recent months and years, many of which significantly differ from one another. States including New York, Massachusetts, California, Texas, Florida, and Pennsylvania have enacted statutes requiring businesses that collect or possess personally identifiable information to use reasonable proactive measures to protect such personally identifiable information from disclosure, including data breaches and cyberattacks that result in the dissemination of such information.
Although the California Consumer Privacy Act, which took effect on January 1, 2020, and the Nevada privacy statute, which went into effect October 1, 2019, impose significant obligations on businesses that process or collect the personal data of California and Nevada residents, these statutes only govern the collection or processing of data obtained from consumers. Since the water and wastewater industry does not use drones to collect data from or regarding consumers, these statutes are unlikely to be implicated by the industry’s use of drones. Since drone activity in the water and wastewater industries is largely limited to inspections of physical assets and infrastructure rather than monitoring or observing people, it is likely that water and wastewater industries could avoid having to comply with state data privacy laws simply by ensuring their drones do not collect any personally identifying information regarding people they inadvertently observe in the course of their activities. However, water and wastewater entities operating drones would be well advised to draft and adhere to privacy policies establishing that their drones are not used to observe or collect information regarding people and no such data will be collected regarding people inadvertently observed by drones.
Three states, namely Illinois, Texas, and Washington, have enacted strict laws with potential extraterritorial applicability requiring any entity to obtain state residents’ express informed consent prior to collecting any biometric data from them. Additionally, many other state statutes requiring proactive measures to prevent the unauthorized disclosure of personally identifiable information have definitions of personally identifiable information that encompass biometric data.
Biometric data is an identifier of a person that is used to electronically identify such a person and can potentially include scans of a person’s face or iris, thermal imaging of a person, or a fingerprint. Thermal imaging, facial scanning, and other similar technologies can inadvertently collect biometric information regarding a person inadvertently observed by a drone using such technologies to inspect infrastructure or equipment such as water towers and such technologies are not typically necessary for such purposes. Therefore, drone users in the water and wastewater industry should consider ensuring that their drones are not equipped with such technologies. Industry drone users would also be well advised to spell out in their privacy policies that their drones are not equipped with thermal imaging or any other technology capable of collecting biometric data and their drones will not collect any such data from any person they inadvertently observe in the course of their activities.
Moreover, since some states have recently enacted statutes prohibiting the use of drones for illicit purposes such as voyeurism and surveillance of certain facilities including critical infrastructure without owner approval, entities in the water and wastewater sectors should provide in their privacy policies that the companies and their employees and agents are prohibited from using drones for non-essential activities including corporate espionage, surveillance of third party assets, or filming or photographing people in a potentially voyeuristic manner.
Although the data privacy requirements of the FAA Reauthorization Act of 2018 may seem frustrating and confusing to entities in the water and wastewater industry, such entities can overcome these challenges and successfully utilize drone technology by developing effective, efficient compliance strategies with the help of experienced data privacy and drone attorneys. WW
About the Authors: Bradford P. Meisel, Esq. is an associate at McElroy, Deutsch, Mulvaney & Carpenter LLP specializing in corporate, cybersecurity, data privacy, and drone law.
Diane D. Reynolds, Esq. is a partner and head of the Cybersecurity, Privacy, and Data Protection Practice at McElroy Deutsch, Mulvaney & Carpenter LLP, a law firm with approximately 275 lawyers in nine states, with expertise in corporate, labor and employment, construction, environmental, and real estate law.