Authored by Scott Hall

Pursuant to a settlement agreement with the Attorneys General of nearly all 50 states¹, Target Corporation will pay $18.5 million to settle claims brought by the state Attorneys General arising from the November 2013 data breach – involving the credit or debit card information of approximately 40 million Target customers – caused by cyberattacks on Target’s network.

The settlement is the latest in a string of settlement payments made by Target as a result of the breach, which includes payments of over $100 million to banks and credit/debit card companies for fraudulent charges and other damages, as well as a $10 million payment to settle a civil class action brought by affected customers.  In total, Target reports that, to date, the cost of the data breach has exceeded $200 million.²

Notably, the settlement agreement with the Attorneys General goes beyond mere payment of monetary penalties.  It requires Target to take specific steps to ensure implementation of a comprehensive information security program aimed at avoiding future breaches.  The settlement agreement requires Target to implement this new security program within 180 days of the effective date of the agreement, and mandates that Target, among other things: (1) maintain a written policy that adequately addresses the administrative, technical and physical safeguards for personal information maintained by Target, taking into account Target’s size, the nature of its operations, and the sensitivity of personal information maintained by it; (2) employ an executive or officer with an appropriate background or experience to implement and maintain the program; and (3) maintain encryption protocols and related policies reasonably designed to protect personal information.  Target is also required to separate its customer credit and debit card data from the rest of its computer network and to test for, and correct, vulnerabilities in its computer network.³

Within one year of the settlement, Target must obtain a third-party “information security assessment” to review and report on the implementation of the new information security program.  The Attorneys General have the right to initiate a proceeding for any failure to comply with the provisions of the settlement agreement, as well as for any other failure to comply with applicable data security laws.  In other words, Target’s implementation of these data security policies and procedures will be under a regulatory microscope for the near future.

The moral of the story for other companies, as made clear in a statement by Connecticut Attorney General George Jepsen, is that “Companies across sectors should be taking their data security policies and procedures seriously.  Not doing so potentially exposes sensitive client and consumer information to hackers.”⁴  This is true even for companies that do not face the significant exposure of a large retailer like Target.  Regardless of company size or industry, the settlement sends a message that companies must either implement reasonable and adequate data security safeguards, or risk a breach that could result in government implementation and oversight of a much more rigorous and burdensome program.

In sum, this is reminder that now is a good time for all companies to review their data security policies and programs, data breach response protocols, and compliance with applicable consumer protection and data security laws, to ensure that they do not become the next example of what not to do.

^1.Alabama, Wyoming and Wisconsin are not parties to the settlement.  A copy of the settlement agreement is available at:  http://www.ct.gov/ag/lib/ag/press_releases/2017/20170522_targetmultistateavc.pdf

^2.See “Target in $18.5 million multi-state settlement over data breach” (Reuters May 24, 2017), available at: http://www.cnbc.com/2017/05/24/target-in-18-point-5-million-multi-state-settlement-over-data-breach.html

^3.Certain of the specific data security requirements expire after five years (Settlement Agreement ¶ 32.)

^4.See http://www.ct.gov/ag/cwp/view.asp?Q=593122&A=2341

Authored by Timothy Crudo and Andrew Schalkwyk

Originally published in ABTL Northern California Report, Volume 25, No. 2, Spring 2017. Republished with permission.

It is an age-old principle of corporate law: corporations can act only through their agents. Ensley v. City of Nashville, 61 Tenn. 144, 146 (1872) (“Corporations can only act through their agents, and must be held accountable for their acts, otherwise citizens may be ruined through irresponsible citizens.”)  Companies therefore are generally liable, both civilly and criminally, for the conduct of agents acting on their behalf.  But what about their thoughts?  Do corporations think only through their agents, or do they have a mind of their own?  The answer is more than a philosophical one, and it can have real consequences, as shown by two recent federal criminal trials in the Northern District of California.

In the olden days, it was accepted under the common law that “a corporation cannot commit treason, or felony, or other crime, in its corporate capacity: though its members may, in their distinct individual capacities.” 1 BLACKSTONE, COMMENTARIES ON THE LAWS OF ENGLAND 464 (1765).  The modern view is quite different, and criminal prosecutions of corporations have been widely accepted for more than a century.  In the seminal case, N.Y. Central & H.R.R. Co. v. United States, 212 U.S. 481, 492–93 (1909), the railroad argued that as a corporation it could not be held liable for payments of illegal rebates.  The Supreme Court rejected the argument, quoting a contemporary treatise: “[s]ince a corporation acts by its officers and agents, their purposes, motives, and intent are just as much those of the corporation as are the things done. If, for example, the invisible, intangible essence or air which we term a corporation can level mountains, fill up valleys, lay down iron tracks, and run railroad cars on them, it can intend to do it, and can act therein as well viciously as virtuously.”  At least for offenses where the crime consisted in purposely doing the thing prohibited (in N.Y. Central it was paying a rebate), the Supreme Court saw “no good reason why corporations may not be held responsible for and charged with the knowledge and purposes of their agents.”

But corporations often act through the acts of a combination of employees.  What  happens where no individual agent has the knowledge or intent necessary to be held criminally responsible for the corporation’s act – can the corporation still be legally culpable?  More recently, courts have considered the aggregation of individual employees’ knowledge in evaluating corporate knowledge.  This doctrine of “corporate collective knowledge” traces back primarily to the First Circuit’s decision in United States v. Bank of New England, 821 F.2d 844 (1st Cir. 1987).  In that criminal case, which involved alleged violations of the Currency Transaction Reporting Act by the Bank of New England, the government had to prove that the bank had acted “willfully.”  Proof of willfulness required evidence that the bank had “knowledge” of the reporting requirement and, separately, the “specific intent” to commit the crime.  On the issue of knowledge, the court applied the “collective knowledge” doctrine and determined that the bank knew everything that all of its employees knew, even if no single agent had sufficient knowledge to meet the elements of the offense: “So, if Employee A knows one facet of the currency reporting requirement, B knows another facet of it, and C a third facet of it, the bank knows them all.”  Id. at 855.  The court determined that the specific intent element could be satisfied either through the willful failure of a bank employee to file the necessary reports or through the bank’s own “flagrant indifference” to its reporting obligations.  Id. at 857.

Since Bank of New England, courts have applied the collective knowledge doctrine to determine what a corporation knew.  But few have applied that doctrine to determine what a corporation intended, and there has been little discussion of whether specific wrongful intent of a corporation can be found without the prosecution identifying a particular individual who had such intent.  The idea raises some profound philosophical problems.  If, as N.Y. Central and many later cases have held, the actions, motives, and intent of an individual can be attributed to a corporation for purposes of criminal culpability, what evidence is needed to prove that the corporation itself had such intent even if no individual employee did?

As the First Circuit observed in the language above taken from Bank of New England, knowledge can exist in discrete portions.  It can be measured, combined, and added to.  Although the corporate collective knowledge doctrine has been criticized (See e.g. Thomas A. Hagemann & Joseph Grinstein, The Mythology of Aggregate Corporate Knowledge: a Deconstruction, 65 GEO.WASH L. REV. 210, 226-36 (1997)), there is some logic to the idea that employees’ knowledge can be “collected” and attributed as a whole to the corporation.

But can intent be similarly combined and accumulated?  Whereas sufficient knowledge is primarily a question of quantity, sufficient intent is a question of quality. If a specific intent is required for finding culpability of a specific intent crime, can the otherwise innocent intent of individuals be combined to create a collective intent that is of a distinctly different – i.e., guilty — character?  In other words, can the corporation be deemed to have the necessary criminal intent if none of its agents does?

There is scant law on the question, itself perhaps a clue to the answer.  One case that did address the question of corporate willfulness is United States v. T.I.M.E.- D.C., Inc., 381 F. Supp. 730 (W.D. Va. 1974), which upheld a criminal conviction that a trucking company knowingly and willfully violated federal regulations concerning driver safety.  The court held that because the corporation knew, under the collective knowledge doctrine, that it was not complying with its duties under the regulations and declined to act on that knowledge, there was sufficient evidence to find that it had thereby acted willfully, a holding consistent with the later result in Bank of New England.

But other cases have noted the problem with attributing intent to a corporation absent an individual wrongdoer who harbors the required state of mind. In Saba v. Compagnie National Air Fr., 78 F. 3d 664, 670 n. 6 (D.C. Cir. 1996), the court cited Bank of New England for the proposition that while knowledge of facts by employees could be attributed to the corporation, “the proscribed intent (willfulness) depended on the wrongful intent of specific employees.”  See also, e.g., First Equity Corp. v. Standard & Poor’s Corp., 690 F. Supp. 256, 260 (S.D.N.Y. 1988) (“A corporation can be held to have a particular state of mind only when that state of mind is possessed by a single individual.”); Gutter v. E.I. Dupont De Nemours, 124 F. Supp. 2d 1291, 1311 (S.D. Fla. 2000) (“The knowledge necessary to form the requisite fraudulent intent must be possessed by at least one agent and cannot be inferred and imputed to a corporation based on disconnected facts known by different agents.”)

Even T.I.M.E. itself has been cited for the idea that, unlike knowledge, “specific intent cannot be similarly aggregated [and therefore] there must be evidence from which a jury could reasonably determine that at least one agent of LBS had the specific intent to join the conspiracy to defraud the government.”  United States v. LBS Bank-New York, Inc., 757 F. Supp. 496, 501 n. 7 (E.D. Pa. 1990).  In one case decided shortly before Bank of New England the court, in a bench trial, was required to determine whether the defendant corporation intended to commit mail fraud.  Citing T.I.M.E., the court determined that to find the defendant liable “for fraud, I must find that a[n] employee had the specific intent required” by the statute.” Louisiana Power and Light Co. v. United Gas Pipe Line Co., 642 F. Supp. 781 (E.D. La. 1986).  (That said, the court found the company had committed fraud based on the fact that the corporation was “blind[] to obvious truths” and so violated the mail fraud statute, without identifying, or even discussing, an individual employee’s specific intent.)  Similarly, in State v. Zeta Chi Fraternity, 696 A.2d 530 (N.H. 1997), the New Hampshire Supreme Court cited to T.I.M.E. in upholding the conviction of a college fraternity, finding that there was sufficient evidence that fraternity members were aware of the facts surrounding underage drinking.  Because the fraternity’s “mental state depend[ed] on the knowledge of its agents,” the fraternity could be said to have acted recklessly in conscious disregarded of the risks involved.  Id., at 535.

Fast forward to 2016, when simultaneous corporate criminal trials were unfolding in the Northern District of California against PG&E (Case No. 3:14-cr-00175) and FedEx (Case No. 14-cr-00380).  PG&E was accused primarily of violating the Pipeline Safety Act.  FedEx was accused of conspiring with online pharmacies to deliver illegal prescriptions.  No individuals were prosecuted in either case.  The corporations alone stood trial.

Both corporate defendants argued that when prosecuting a corporation for a specific intent crime the government must prove that at least one individual acting on behalf of the corporation had the sufficient intent necessary for conviction.  Both lost on the issue.  In PG&E, the court brushed aside concerns raised with the collective knowledge doctrine, focusing instead on collective intent.  The court ultimately followed T.I.M.E., noting the similarity in the regulatory violations at issue in both cases.  The Court held that because PG&E had an affirmative legal duty to follow safety regulations (such as the Pipeline Safety Act) and “where the knowledge of the corporation’s employees demonstrates a failure to discharge that duty, the corporation can be said to have ‘willfully’ disregarded that duty.”  PG&E, 2015 WL 9460313 at *5.  In FedEx, the court cited to the PG&E order and, without further discussion, held that FedEx had “failed to identify controlling authority that calls into doubt any instructions on ‘collective knowledge’ or ‘collective intent.’”  United States v. FedEx, No. C14-00380 CRB, slip op. at 2 (N.D. Cal. Apr. 18, 2016).

The result in FedEx was perhaps more surprising, given that the charges there involved a conspiracy to distribute illicit drugs rather than the type of regulatory and/or reporting violation at issue in PG&E, T.I.M.E., and Bank of New England.  PG&E was accused of not fulfilling affirmative regulatory obligations imposed by law, and distilling corporate intent from collective knowledge in such cases is perhaps not that big a jump from already accepted concepts of “reckless disregard” or willful blindness.  (The nature of the charged crimes in PG&E was crucial in the court’s decision on the collective intent instruction.)  FedEx, on the other hand, was accused of agreeing to commit affirmative acts with the knowledge and intent to achieve an unlawful result, the first time that the collective intent doctrine had ever been applied in a criminal prosecution to a non-regulatory offense.

To be fair to the FedEx trial court, the case resolved before it was required to rule on the final instruction for corporate intent, and perhaps it would have ruled differently.  (Its prior ruling on collective intent occurred during pretrial skirmishing.)  We will see whether the rulings in PG&E and FedEx embolden prosecutors to pursue criminal charges against corporate defendants in the absence of at least one culpable individual.  Criminal prosecutions against corporations are rare enough, especially when no individual is prosecuted as well, and even with the favorable rulings on collective intent the ultimate result in PG&E and FedEx may cause prosecutors to think twice before prosecuting a corporation standing alone.

Authored by Scott Hall

On May 19, 2017, the U.S. Court of Appeals for the D.C. Circuit issued a ruling vacating the Federal Aviation Administration’s “Registration Rule,” which required owners of small unmanned aircraft (“drones”) operated for recreational or hobby purposes to register with the FAA.¹  The Registration Rule, implemented in December 2015 (strategically, in the midst of a holiday season during which nearly half a million hobby drones were expected to be sold), garnered immediate criticism and opposition from drone users who questioned the FAA’s authority to regulate drones not intended to be operated for commercial purposes.  Indeed, given the FAA’s history of a hands-off policy with respect to hobby drones, the Registration Rule was viewed by some as a test of power – something akin to the FAA dipping its toe into the waters of hobby drone regulation to see how far it could go.  The D.C. Circuit’s ruling decisively ends the inquiry and precludes further FAA involvement in hobby drone regulation absent some action to the contrary by the Supreme Court or Congress.

History of FAA Regulation of Drones

Under 49 U.S.C. section 40103, the federal government has exclusive sovereignty over U.S. airspace, and the FAA has the authority to regulate all “aircraft,” which includes drones.²  However, in 2012, Congress passed the FAA Modernization and Reform Act, which states that the FAA “may not promulgate any rule or regulation regarding a model aircraft,” which term encompasses drones flown for hobby or recreational purposes.³

In light of this clear restriction, and in response to petitions challenging the Registration Rule to the extent it purports to apply to hobby drones, the D.C. Circuit concluded that the Registration Rule was barred by the plain wording of the statute because it was, in fact, a rule that created a new regulatory regime for model aircraft, regardless of whether the rule might improve aviation safety.⁴  As the Court noted, “[s]tatutory interpretation does not get much simpler.”⁵

Although the Registration Rule was likely doomed from its inception given the historical restrictions on FAA authority over hobby drones, the motivation behind the rule – i.e., the view that there should be a more formal or consistent framework for regulating hobby drones – is not outrageous.  After all, hobby drones are just as capable of, and perhaps even more likely to, violate personal privacy or engage in nuisance, trespass, or other misuse than drones used for commercial purposes.  And the number of hobby drones currently existing and anticipated in the national airspace over the next five years dwarfs the number of small commercial drones.  For example, the FAA anticipates that the number of hobby drones sold by 2021 may exceed 4 million, up from approximately 1.1 million in 2016.⁶  By contrast, the FAA forecasts that small commercial drones, which numbered just 42,000 in 2016, may increase to 420,000 by 2021.⁷  The FAA has argued that uniformity in drone regulation – regardless of whether the drones are used for commercial or hobby purposes – is essential for the safe and effective management of air traffic in the national airspace.  Thus, when faced with a substantial and unprecedented increase of hobby drones in the nation’s skies over which it had no control, the FAA rolled the dice and took a shot at reigning in what otherwise may prove to be an unmanageable contingent of this rapidly expanding technology.  The FAA lost – for now.

Where To Go From Here

The fight regarding federal-state authority over drones, including hobby drones, is far from over.  The FAA’s uniform rules for commercial operation of small drones, which went into effect last August, provide a general federal framework for limited commercial drone use (and preempt many aspects of state commercial drone regulation), but explicitly do not apply to hobby drones.⁸  In fact, the FAA maintains a Fact Sheet on its website that identifies specific areas of law potentially applicable to drones – whether commercial or hobby – that would not be subject to federal regulation, including land use, zoning, privacy, trespass, and law enforcement operations.⁹  But while many states have started to enact drone-specific laws,¹⁰ there is still much to be done by state and local governments if they are to effectively and comprehensively regulate hobby drones, particularly as usage and technology continue to expand.

Ultimately, the D.C. Circuit’s ruling creates a fork in the road for hobby drone regulation:  Congress can either extend FAA authority over hobby drones or leave it to state and local governments.  The Court’s opinion was explicit in this regard, noting, “Congress is of course always free to repeal or amend its 2012 prohibition on FAA rules regarding model aircraft.  Perhaps Congress should do so.  Perhaps not.  In any event, we must follow the statute as written.”¹¹

In the wake of the decision, the FAA will likely take the Court’s suggestion and seek to have Congress expand FAA authority over hobby drones.  But both the FAA and Congress should think carefully before proceeding down this path.  Although expansion of federal authority for limited purposes such as registration may not seem problematic, such a grant of authority would start down a slippery slope of exclusive federal authority over all drone regulation.  Before Congress takes that step, serious consideration should be given to whether the FAA is best positioned to regulate hobby drones, which, for the most part, operate within limited geographical areas, in typically lower altitudes than commercial aircraft, and in volumes that would be extremely difficult, if not impossible, for the FAA to effectively police.

State and local governments may be much better suited to enact and enforce laws and restrictions applicable to hobby drones, particularly with respect to issues or operational concerns unique to their locale.  And, although some measure of coordination between federal and state governments will certainly be necessary to ensure that hobby drones can safely operate in the national airspace along with commercial drone traffic, Congress should not hastily put all regulatory authority in the hands of the federal government without carefully weighing the potential drawbacks of an exclusively federal drone regime.  The preferred course may be for federal and state governments to share authority over drones and work collaboratively to create a cooperative and comprehensive framework for commercial and hobby drones alike.  For this to be effective, however, state and local governments must step up and actively address drone issues through local legislation to a greater extent than they have done previously.

For now, hobby drone users can operate their drones free of any registration requirement or other federal oversight.¹²  However, hobby drone users should not get too comfortable with the current lack of formal regulation.  Given the ever-increasing popularity of drones, as well as rising concerns regarding drone privacy violations, trespass, and other misuse, a more formal regulatory framework for hobby drones – be it state, federal, or combined – appears all but inevitable.

^1. See Taylor v. Huerta, Case No. 15-1495 (D.C. Cir. May 19, 2017).  A copy of the opinion is available at: https://www.cadc.uscourts.gov/internet/opinions.nsf/FA6F27FFAA83E20585258125004FBC13/$file/15-1495-1675918.pdf

². See 49 U.S.C. § 40102(a)(6), defining aircraft as “any contrivance invented, used, or designed to navigate or fly in the air.”  See also Michael P. Huerta, Administrator, Federal Aviation Administration v. Raphael Pirker, NTSB Order No. EA-5730, Docket CP-217 (Nov. 18, 2014) (holding that drones are “aircraft” subject to federal regulations).

^3. Pub. L. No. 112-95, § 336(a), 126 Stat. 11, 77 (2012) (codified at 49 U.S.C. § 40101).

^4. Taylor, Case No. 15-1495, at 7-8.

^5. Id. at 7.

^6. See FAA Aerospace Forecasts, available at: https://www.faa.gov/data_research/aviation/aerospace_forecasts/media/Unmanned_Aircraft_Systems.pdf

^7. Id.

^8. 14 C.F.R. Part 107.

^9. December 7, 2015 Fact Sheet: State and Local Regulation of Unmanned Aircraft Systems (UAS).

^10. For an overview of current or pending state drone laws, see http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx

^11. Taylor, Case No. 15-1495, at 8.

^12. The ruling does not take effect immediately, however, and provides 7 days for the parties to petition for rehearing.  See https://arstechnica.com/wp-content/uploads/2017/05/faastay.pdf

Authored by Scott Hall

On March 15, 2017, Senator Edward Markey (D-Mass.) and Representative Peter Welch (D-Vt.) introduced federal legislation entitled the Drone Privacy and Transparency Act of 2017.¹  The proposed legislation seeks to address growing concerns regarding personal privacy violations anticipated by (or, perhaps, already resulting from) the continuing increase of unmanned aircraft systems (“UAS” or “drones”) in the nation’s skies.  To that end, the proposed legislation would require every person or entity seeking to use a drone for commercial purposes to provide certain information about where, when, and for what purposes the drone will be flown, and whether it will collect, sell, or otherwise use personal information about any individuals.  The legislation would also require the FAA to publicly disclose this information on the Internet.  Additionally, the legislation would ban any use of drones by law enforcement personnel without a warrant.

The proposed legislation  purports to be a necessary response to the threat of “invasive and pervasive” drone surveillance that is predicted to occur as commercial drone use in the U.S. continues to expand.²  However, while certain privacy concerns based on the ever-increasing use and rapidly evolving technological capabilities of drones may be warranted, the proposed legislation appears to be both underinclusive and overbroad in its attempt to address potential violations of personal privacy.  For example, if enacted, the bill would impose additional pre-authorization requirements on anyone seeking approval to operate a drone, and would also require public disclosure of the time and location of planned drone operations, as well as details regarding the specific technical capabilities of the drone – regardless of the drone’s actual or intended operation.  But, the bill does not specifically prohibit any particular type of drone operation or method of data collection as long as the required pre-authorization and disclosure requirements have been satisfied.  Moreover, the bill explicitly does not apply to “model aircraft” (i.e., drones flown for hobby purposes), which are generally understood to be outside the Federal Aviation Administration’s scope of authority.  Yet, hobby drones are just as capable of violating personal privacy as drones used for commercial purposes.  In fact, hobby drones are frequently involved in national news stories regarding privacy violations (such as drones hovering near bedroom windows or over backyard pools), and have likely contributed more to the current public sentiment of fear and distrust underlying the proposed legislation than commercial drones.

Additionally, the proposed legislation would have the federal government wade into – and most likely preempt – areas of law typically left to the states, such as privacy, trespass, and state and local police power.  In recent years, many states and localities have enacted drone-specific laws aimed at protecting privacy.  Several states have also passed laws regulating law enforcement use of drones.  The proposed federal legislation would likely preempt many of these state and local laws.  Therefore, before granting such broad federal power over drone regulation, more thought should be given to whether, and in what contexts, states are better suited to decide what drone operations should or should not be permitted in their jurisdiction and how their local law enforcement agencies should be permitted to conduct their work (within constitutional limits).  Indeed, given that hobby drones are generally not subject to FAA regulation, state drone legislation has become increasingly important.  Thus, the potential preemption of state laws that may occur as a result of vesting the federal government with broad authority over issues like privacy and state police power may impair the ability of state and local governments to effectively address drone concerns specific to their locale.

In light of the many valuable current and anticipated applications of drone technology – which the bill explicitly recognizes – the preferred course of action may be to avoid forcing a federal “one-size-fits-all” privacy law on drones.  Rather, it may be better for the federal government to continue to work cooperatively with states to define respective areas of state and federal responsibility over drones and to target particularized unlawful or undesirable conduct for specific regulation, while avoiding imposing more burdensome pre-authorization requirements on all drone operators, which could discourage or inhibit beneficial drone use and innovation.

I. The Proposed Legislation

The Drone Privacy And Transparency Act proposes three main methods to safeguard personal privacy threatened by drones: (1) required pre-authorization information statements about the intended use of the drone, including potential data collection and use; (2) public disclosure of information relating to the ownership, operation and capabilities of each drone authorized to operate in the national airspace; and (3) prohibition on law enforcement use of drones without a warrant, as well as required statements and policies to minimize collection of data outside the necessary scope of an investigation or warrant.

A. Pre-Authorization Data Collection Statements

First, the bill proposes to implement additional procedures for anyone seeking authorization to operate a drone for non-hobby use.  Specifically, the bill would prohibit the FAA from approving, issuing or awarding any license, certificate or other grant of authority to operate a drone in the national airspace unless the person seeking such authorization or approval provides a “data collection statement” detailing, among other things: (1) the identity of individuals or entities that will use the drone, (2) the specific locations and time period in which the drone will operate, and (3) what types of information or data about individuals or groups will be collected by the drone, including (a) how such data will be used or sold, (b) how information unrelated to the specified use will be minimized, (c) how long any such data will be retained, and (d) how such data will be destroyed.  The data collection statement must also identify the possible impact of the drone on individual privacy, the specific steps that will be taken to mitigate any such impact, and contact information for reporting complaints and/or requesting information related to the collection of personally identifiable data.  The bill would allow individuals whose data has been collected to request and obtain such data, as well as to challenge the accuracy of that data and/or challenge the denial of access to the data.³

B. Public Disclosure Of Authorized Drone Operations

Second, the bill seeks to promote transparency of drone data collection by requiring the FAA to make publicly available, on the Internet, the names and contact information for each owner and operator of an authorized drone, the tail/identification number for each authorized drone, a description of the technical capabilities of each authorized drone (including cameras, thermal imaging, mobile phone interception, facial recognition, license plate reader, etc.), information detailing where, when and for what purpose each authorized drone will be operated, and the applicable data collection statement, data minimization statement, and applicable license, approval or grant of authority for each authorized drone.  The bill would also require public disclosure of any data security breach with respect to information collected by a drone.

C. Restrictions On Law Enforcement Use Of Drones

Third, the bill seeks to address concerns over law enforcement use of drones by prohibiting a governmental entity (including any federal or state agency) from using drones for law enforcement or intelligence purposes without a warrant.  Moreover, the bill would prohibit the FAA from authorizing any drone operation by a law enforcement agency (or its contractor or subcontractor) unless the agency submits a “data minimization statement.”  The data minimization statement must detail the specific policies adopted by that agency to minimize the collection by a drone of information that is unrelated to the investigation of a crime under a warrant, as well as to require the destruction of information no longer relevant to such an investigation or an ongoing criminal proceeding.  The bill would also require law enforcement agencies to describe their audit and oversight procedures with respect to ensuring that the agency’s drone operation is compliant with the submitted data collection statement and data minimization statement.

II. Balancing Privacy Rights Against The Benefits Of Drone

The proposed legislation purports to apply to every person or entity that currently uses, or that seeks to use, drones for any non-hobby purpose.  Thus, the effects of the legislation would be significant given the substantial increase in the use of drones by businesses across numerous industries over the past few years.  Of course, because of the variety of technology that can be employed by drones to conduct surveillance, including cameras for photographs or video recording, thermal imaging, GPS trackers, license-plate readers, facial recognition software and more, public concern over potential violations of privacy and misuse of personal information is certainly valid.  However, careful consideration is warranted before passing the proposed legislation given that its actual application is likely to have far-reaching effects that go beyond merely protecting privacy to potentially stifling desirable drone operation and innovation.

In fact, the bill’s prohibition on any license, approval or other authorization to operate a drone absent compliance with the required data collection statement constitutes a sharp departure from the FAA’s recent direction of reducing regulatory hurdles to drone operation.  Just last summer, for example, the FAA adopted uniform rules for the operation of small drones (14 C.F.R. Part 107), which allow for the operation of drones for commercial or non-hobby purposes without a specific certificate of authorization or waiver from the FAA, as long as drone operators abide by certain rules and restrictions, including operating only during daylight hours, abiding by certain speed and weight limits, and having an operator with a remote pilot certificate.  This recent relaxing of formal regulatory approval for commercial drone operation has been widely applauded by the drone industry.  The proposed privacy legislation may therefore be seen as a step backwards for the industry, which, despite recent progress, still suffers from heavy regulation and uncertainty.  Indeed, many blame the current regulatory restrictions on drones as the reason many drone companies have chosen to conduct research or operations in foreign countries that do not have such restrictions.⁴  Thus, while privacy concerns relating to drones need to be addressed, the proposed legislation’s focus on pre-authorization procedures and public disclosures, rather than specific misconduct, may adversely impact drone operations that raise no serious privacy concerns.

III. Balancing Federal And State Responsibility Over Drones

The proposed legislation would also raise new preemption issues and fresh ambiguity about the proper role of state and local governments in regulating drones.  Indeed, the bill is in direct conflict with statements currently maintained on the FAA’s website regarding the proper role of state and local regulation of drones, which identify privacy and law enforcement operations, among other issues, as generally not being subject to federal regulation.⁵  Consistent with this position, the small drone rules adopted by the FAA last summer explicitly avoided privacy issues and warned drone operators that “state and local authorities may enact privacy-related laws specific to UAS operations.”⁶  To the extent the proposed legislation is viewed as a decision by Congress to legislate privacy issues for drones at the federal level, this departure from the previous federal-state division of authority could have wide-ranging impacts, particularly given that many states have already passed laws regulating various aspects of drone operation.

Although states differ in their approaches to privacy protection, several states have recently passed or revised laws to protect personal privacy against drone misuse.  Some states, for example, have passed laws prohibiting the use of drones to commit voyeurism, stalking, or other surveillance in violation of an individual’s reasonable expectation of privacy.  Other states, including California, have attempted to protect privacy by prohibiting, as trespass, the capture of images, sounds, or other data of a personal nature by drones over private property.  Still other states prohibit surveillance or capture of images or data in specific locations, such as schools, prisons, or at public events.  At least one state (Oklahoma) has even recently proposed legislation that would permit property owners to shoot down or otherwise destroy drones flying over their property or “where a reasonable expectation of privacy exists.”  Thus, although there is still much work to be done to ensure a comprehensive legal framework sufficient to safeguard personal privacy against all potential drone intrusions, this area appears to be one in which states are actively involved and uniquely positioned to address the specific concerns and needs of their locale.  It is therefore questionable whether a broad, federal privacy law that might preempt such state and local laws is the preferred course of action.

Additionally, many states have already passed laws regulating the use of drones by law enforcement personnel.  The proposed legislation, however, purports to apply to all federal and state law enforcement agencies and imposes a blanket prohibition on any drone use not authorized by a warrant.  While it makes sense to require a warrant to use certain drone technology, such as thermal imaging, facial recognition software, or GPS tracking, there is less justification for prohibiting use of drones by law enforcement personnel for simple aerial monitoring or the capture of images or video available to any member of the public.  In fact, the U.S. Supreme Court has specifically held that any place that could theoretically be viewed by a member of the public, including from an aircraft, can also be observed by a government agency without constituting a violation of the Fourth Amendment.⁷  Of course, the Court left open the question of when any specific instance of observation might constitute a violation of privacy, but suggested that it should be addressed on a case by case basis, as opposed to the uniform ban contemplated by the proposed legislation.  To be sure, misuse of drones by law enforcement is certainly cause for concern.  But state and local governments have typically been given authority to regulate their own police power within constitutional limits, and nothing suggests that this should change merely because the methods of surveillance continue to change.

IV. Protecting Against Privacy Violations By Hobby Drones

Notably, the proposed legislation explicitly does not apply to “model aircraft,” which includes small drones that are flown strictly for
obby or recreation purposes, as opposed to commercial use.  Thus, although the legislation would monitor and disclose the collection, sale or other commercial use of personal information by drone operators, it does not cover activity such as stalking, voyeurism, or other surveillance in which drone operators collect private images, video, or other data for their own personal use.  While large-scale collection and commercial exploitation of personal data is certainly one type of privacy harm that could be committed by drones, the instances of drones “peeping” in bedroom windows, hovering over swimming pools, or personally stalking or harassing individuals also constitute serious privacy concerns that are more likely to be committed by hobby drone users not covered by the proposed legislation.

It may therefore be preferable to allow state and local governments to continue to enact privacy-related legislation focused on specific unlawful or undesirable conduct that applies to both commercial and non-commercial drone operation.  At the same time, certain existing federal and state laws that already regulate the maintenance and disclosure of personally identifiable information could be updated to explicitly apply to personal data collected by drone technology.  This combination of federal and state protection to prohibit particularized, objectionable drone conduct, while also regulating the maintenance, use and disclosure of personal data, could be far more effective – and much less burdensome on those seeking to use drones for purposes other than data collection – than to require all drone operators to comply with burdensome pre-authorization and public disclosure requirements.

V. Other Issues

A few other issues in the proposed legislation are worth noting:

The bill specifically excepts from its coverage drones “operated for news-gathering activities protected by the First Amendment.”  Although this is an important exception in principle, the ambiguity regarding what drone operation might properly be covered by this provision will undoubtedly raise difficulties in application.

The bill also makes any operation of a drone in violation of the statutory provisions unlawful, and vests enforcement power principally with Federal Trade Commission.  It also permits civil actions by states (subject to notice to and coordination with the FTC) against violators that are deemed to have threatened or harmed the interests of residents of the state.

Notably, the bill also creates a private cause of action for any person injured by an act in violation of the statute and allows both injunctive relief and monetary damages, including the greater of actual monetary loss or $1,000 per violation.  As discussed above, because the proposed legislation focuses on compliance with pre-authorization and public disclosure requirements – as opposed to any actual misuse of personal information – it is questionable whether this private right of action would be effective in terms of safeguarding privacy, or whether it would become simply another statute under which individuals seek monetary damages based solely on an individual’s or entity’s failure to comply with regulatory requirements.

VI. Conclusion

Given the current technological landscape, protection of personal privacy and personally identifiable information has never been more important.  But there are already various federal and state laws that govern how personal information may be collected, used and disclosed.  Drones merely present a new method by which personal information and data may be collected.  However, not all drones are, or will be, operated for the purpose of collecting personal information.  Many individuals and businesses seek to operate drones to perform tasks related to precision agriculture, aerial photography, infrastructure monitoring, product delivery, search and rescue, disaster response, and many other beneficial services that do not involve the collection of individuals’ personal data or personally identifiable information.  Rather than imposing additional regulatory hurdles on all drone users, it may be preferable to focus on regulating specific conduct or data collection and disclosure practices by those seeking to engage in such conduct.  This may be most effectively accomplished by having the federal government share – rather than usurp – authority over drone privacy-related regulation.  Caution should therefore be taken before enacting the proposed legislation, which would potentially nullify a substantial amount of state legislation already addressing drone impacts on personal privacy.

Ultimately, the proposed legislation, at least in its current form, may never become law.  In fact, similar legislation was introduced in 2015 without success.  However, the proposed legislation highlights important issues of privacy that should be considered and discussed as drone use and capabilities expand.  The difficult task is finding the right balance between safeguarding individuals’ reasonable expectations of privacy while still fostering innovation and expansion of the many beneficial current and anticipated uses of drones.  To the extent the bill’s purpose is to put the conversation regarding drones and privacy issues front and center, that mission will hopefully be accomplished.  The public should be informed and aware of potential privacy concerns caused by drones and participate in legislative processes aimed at addressing those concerns.  However, with regard to privacy protection, at least some of that legislation may be best handled at the state and local level.  In any event, with the drone industry expected to continue its rapid growth for the foreseeable future, it is likely that public discussion and debate about drones and privacy has only just begun.

^1. A copy of the proposed legislation is available at: https://www.markey.senate.gov/imo/media/doc/2017-03-14-DronePrivacy-Bill-text.pdf

^2. The proposed legislation references estimates indicating that commercial drone sales may reach 2.7 million annually by 2020.

^3. Although the bill only purports to require data collection statements for any drone approval or authorization as of the date of the enactment of bill, it nonetheless requires the FAA to publicly disclose information required in the data collection statement for every drone authorized to operate in the national airspace, including those operating pursuant to licenses or grants of authority awarded before the date of enactment.  (See Sec. 339(a), (b)(1).)  Thus, as a practical matter, the provisions of the bill would apply to all drones authorized to operate in the national airspace, whether approved before or after passage of the proposed legislation.

^4. Although the proposed legislation does not discuss how its requirements would interact with the current regulatory framework, including the FAA’s small drone rules, the legislation purports to require compliance with its provisions for any certificate, license, “or other grant of authority” to operate a drone – including authority granted prior to enactment of the law – which presumably encompasses any authorization bestowed by Part 107, as well as the remote pilot certificate required for operation under that section.

^5. December 7, 2015 Fact Sheet: State and Local Regulation of Unmanned Aircraft Systems (UAS).

^6. The FAA’s decision not to address privacy issues in its small drone rules caused an uproar among many groups who hoped to see privacy regulation addressed by the FAA’s drone rules.  In fact, following release of the FAA’s rule last year, the Electronic Privacy Information Center (“EPIC”) sued the FAA for failing to address privacy issues in its rules.

^7. See Florida v. Riley, 488 U.S. 445, 455 (1989).

Auhored by Lindsay Gehman

Influencer marketing saw explosive growth in 2016, with 86% of marketers having used the tactic, 94% of whom found it effective. In 2016, most marketers spent between $25,000 to $50,000 per influencer marketing program, which amounts are expected to double in 2017, with overall budgets increasing as well. Influencer marketing is a type of marketing that focuses on using key subject matter experts (or influencers) to drive a brand’s message to the larger market in a more personalized, authentic way. An influencer is anyone who has a sizable network of people who follow and engage with them, usually over social media channels such as Facebook, Twitter, Instagram, Snapchat or YouTube.

While the reach and impact of influencer marketing is without question, the Federal Trade Commission (FTC) and other governmental and industry organizations are closely scrutinizing influencer marketing campaigns for indications of deceptive marketing practices, which could have financial and reputational repercussions for advertisers and agencies alike. The FTC publishes Guides Concerning the Use of Endorsements and Testimonials in Advertising (Guides), which are designed to reflect the principle that endorsements must be honest and not misleading. Generally speaking, the Guides provide that (i) an endorsement must reflect the honest opinion of the influencer and (ii) if a connection exists between an influencer and an advertiser that consumers would not expect and such connection would affect how consumers evaluate the endorsement, that connection should be disclosed.

Odds are, if you’re an advertiser or agency, you’ve probably already incorporated influencer marketing as part of the your overall marketing strategy or offering. If not, you probably should. Either way, understanding FTC guidelines and recent decisions and adopting appropriate policies and best practices are crucial. A best practices checklist for how disclosures should be made, and what advertisers and advertising agencies can do to ensure compliance, are set forth below.

Best Practices

Advertisers and agencies must ensure that influencer disclosures are “clear and conspicuous.” Below is a best practices checklist for disclosures:

• Use clear, plain and unambiguous language so that consumers understand the disclosure.
• Place the disclosure at the beginning of the post (or “above the fold”) and as close as possible to the ads to which it relates.
• Ensure that the size, color and graphic treatment of the disclosure are easy to read in relation to the other parts of the post.
• Ensure that the disclosure is clear and visible on all devices, including mobile.
• Ensure that the disclosure is appropriate for the platform and complies with any applicable terms of use. For character-restricted platforms (such as Twitter), a hashtag such as #ad or #sponsored may be appropriate. For video platforms (such as YouTube), the disclosure needs to remain on screen long enough to be noticed and read (in other words, a disclosure in the description box alone is not enough).
• Repeat disclosure as necessary on lengthy websites and/or in connection with repeated claims.
• Ensure that the disclosure remains intact when ads are republished or reposted.

The FTC holds advertisers responsible for ensuring that influencers comply with the FTC’s guidelines. While the FTC has not yet held agencies or influencers themselves directly responsible for compliance, agencies and influencers may be held contractually liable through indemnification or other provisions vis-à-vis the advertiser. As such, advertisers and agencies are highly encouraged to take appropriate steps to ensure that the influencers engaged by them or on their behalf are in compliance. Below is a best practices checklist for what advertisers and agencies should do with respect to the influencers they engage:

• Adopt a written social media policy for all influencers they engage with.
• Train, instruct and contractually require influencers to make proper disclosures regarding their relationship to the advertiser and/or its products.
• Monitor influencers to ensure they are making the proper disclosures, both before, during and after posting.
• Terminate influencers who fail to make the proper disclosures and/or require them to take down or edit the applicable posts.

Click here to download a PDF of this checklist.

For further information and assistance, including with respect to drafting social media policies and/or influencer agreements, contact Lindsay Gehman at lgehman@coblentzlaw.com.