News, Policy & Regulation, T&D, Transmission

Privacy and the utility sector: how to comply with new drone privacy requirements

Unmanned aerial vehicles (UAVs)-commonly known as drones-have the potential to revolutionize countless industries.  The utility sector is no exception. 

Drones have numerous applications in the utility industry ranging from surveying storm damage, inspecting equipment, and monitoring and assisting with repairs and construction according to the American Public Power Association.  Drones can also be used to enhance utility infrastructure security by monitoring critical infrastructure and facilities and detecting suspicious activity, unsafe conditions, and potential employee misconduct.   By conducting such tasks, drones have the potential to increase efficiency and reduce costs for utilities.  In 2018, international accounting and consulting firm PriceWaterhouseCoopers valued the addressable market of drone technology in the utility sector at $9.6 Billion according to a February 23, 2018 article in Power Engineering International.    

However, utilities that use or seek to use drones must now confront the new federal laws enacted as part of the FAA Reauthorization Act of 2018 that regulate the privacy practices of commercial drone operators.  President Donald Trump signed the Act on October 5, 2018, after it passed the Senate by a 93-6 vote.  One provision enacted as part of the Act requires a person or entity who uses a drone “in the furtherance of a business enterprise,” other than engaging in Amendment-protected activities such as journalistic reporting and information gathering, to develop and implement a publicly available privacy policy appropriate to the nature and scope of its drone activities governing its drones’ collection, use, retention, dissemination, and deletion of data.  The Act provides that a violation of such a required privacy policy constitutes an unfair and deceptive practices subject to enforcement by the Federal Trade Commission (FTC). 

The Act requires that commercial drone operators’ required privacy policies protect and respect personal privacy consistent with the United States Constitution and all federal, state, and local laws.  Therefore, utilities that use drones must make their privacy policies and practices consistent with each state data privacy law to which they could potentially be subject.

In recent years and months, numerous states including New York, California, Texas, Pennsylvania, Louisiana, and Texas have enacted statutes requiring entities in all industries to use reasonable proactive measurers that are reasonable to protect the personally identifiable information they possess or collect from unauthorized disclosure such as disclosures resulting from cybersecurity incidents. 

Moreover, the California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, applies to any entity that does business in California and (A) has annual gross revenues in excess of $25 M; (B) alone or in combination, annually buys, receives for the business‘ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more customers, households, or devices; or (C) derives 50% or more of its annual revenues from selling customers’ personal information.  Covered entities must disclose to California data subjects upon request the categories and specific pieces of information it collected from them and the categories of third parties with whom such information is shared.  In addition to requiring covered entities to implement and maintain reasonable security procedures and practices, CCPA requires covered entities to give all data subjects the right to opt out of any sale of their personal information and delete any personal information collected from a California data subject upon his or her request.

Nevada enacted a statute that mirrors CCPA, which took effect on October 1, 2019, requiring businesses doing business in Nevada to refrain from selling the personally identifying information of customers located in Nevada who opt out of such sales.

Utilities that provide services to customers located in California and Nevada should consult with experienced data privacy attorneys to determine whether they could be subject to CCPA and the new Nevada privacy statute in the event that their drones collect personally identifying information regarding California and Nevada customers, which could potentially occur if drones are being used to inspect equipment, damage, or outages or assist with repairs near customers’ residences. 

Utilities should also consider refraining from collecting or obtaining people’s Biometric information, which constitutes personally identifying information under certain state data security and privacy statutes and is specifically regulated under stringent state statutes in Illinois, Washington, and Texas.

Further, since certain states have enacted statutes prohibiting the use of drones for certain criminal or noxious purposes such as stalking and surveilling of lawful hunting utilities’ drone privacy policies should expressly provide that they and their employees and agents are prohibited from using drones for non-business purposes and screen and monitor drone operators to ensure they do not misuse drones for purposes that could run afoul of state laws by engaging in prohibited activities, which have no relation to any legitimate purpose for which entities in the utility industry may utilize drones.    

Although the data privacy requirements of the FAA Reauthorization Act of 2018 may seem like an impediment to drone integration in the utility sector, these challenges can be successfully navigated by developing effective and efficient compliance strategies with the assistance of experienced data privacy and drone attorneys in order unleash the full benefits of drone technology. 

Lead Image by Thomas Ehrhardt from Pixabay