A new California privacy law could change everything for drone operators in the state – and could be used as a model across the country.

The following is a guest post by attorneys from law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.  This piece was authored by Cynthia Larose, Laura Stefani, Jonathan Markman, and Elana R. Safner.

Drone Operators Face a New Challenge: The CCPA

It’s 2020, and the crystal ball isn’t the only thing that dropped. January 1st ushered in a new year, a new decade, and implementation of the California Consumer Privacy Act of 2018 (“CCPA”). While businesses that are more traditional collectors and processors of personal information (“PI”) have been preparing for the CCPA’s implementation date, many other companies that collect PI only incidentally may find themselves ensnared by the expansive scope of the nation’s most far-reaching data privacy law.

Where does this leave companies like drone operators that only incidentally create and store camera footage with such personal information as images of faces during the course of carrying out their business purpose? What if such companies never make any effort to identify that personal information? As this article will explain, such companies are not entirely excused from compliance with the CCPA and must carefully consider their business practices and next steps to come into compliance.

This problem arises because the CCPA defines “personal information” very broadly, whereas exceptions to the definition – such as publicly available information and de-identified information – are defined quite narrowly. These deliberate choices by the California legislature make the CCPA the most expansive U.S. privacy law to date. They also assign obligations to defined businesses and service providers that engage in business practices – such as the inadvertent collection of images of faces – that generally had been untouched by other privacy laws in the United States. This article lays out issues to consider and a set of action items for such businesses to work toward CCPA compliance.

Why Should Drone Operators be Concerned?

The CCPA applies to an unexpectedly broad range of data. A misconception about the CCPA is that it applies only in the context of directly collecting personal information from consumers through methods such as online purchases, search histories, cookies, and other behavioral preferences. In reality, the CCPA’s definition of PI casts a much wider net. It also applies to PI collected on and offline.

Under the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes, among other things, biometric information such as faces captured by drones, surveillance cameras, and other means of video recording. “Personal information” specifically excludes publicly available information. One might reasonably think that the presence and visage of a person outdoors or on public property might be considered publicly available. The CCPA, however, takes a different position. It states, “‘[p]ublicly available’ does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.” This means that photos and video – and also audio, thermal, olfactory, and other data – fall under the definition of personal information. Importantly, the PI collected by video does not have to be actuallylinked by the business to the consumer, only reasonably capable ofbeing linked “directly or indirectly”.

But We Don’t Identify the Data!

The definitions of these terms raise many questions about how the CCPA will be applied in certain contexts. Although publicly available information is exempt from the definition of personal information, we see that this does not necessarily spare drone operators from CCPA compliance, as described above. The CCPA also exempts de-identified information. Surely this will save drone companies and other collectors of incidental video footage from CCPA obligations? Such companies do not, after all, link the faces they have collected to actual people, much less attempt to build any kind of behavioral profile based on that information.

The California legislature considered – and did not pass – an amendment (AB-873) that would have resolved this issue. That is likely because the CCPA was, in part, intended to address the risk that even though the business collecting the PI does not seek to identify it, PI can be breached and re-identified using an outside dataset. AB-873 would have addressed the operational concerns of businesses like drone companies that collect PI incidentally, rather than intentionally during the normal course of business. De-identified information is not considered personal information under the CCPA, and AB-873 would have expanded the definition of “de-identified” to include any information that “does not identify and is not reasonably linkable” to a consumer. The legislature did eventually narrow the definition of “personal information” to include only information “reasonably” capable of being associated with a consumer or household, which gives drone companies and those similarly situated cause for optimism. They may be able to argue that the steps they or other companies would need to take to actually link their information are not reasonable. It is unclear, however, what courts interpreting the law will consider “reasonable.” It is possible that we will need to rely on enforcement actions to interpret the scope of “reasonableness.” With robust facial recognition databases now widely available, an argument could be made either way.

The CCPA raises many other questions. For example, can a drone flying at the legally permitted altitude actually capture reasonably identifiable footage of faces? Does it count if the video must be zoomed in to make the faces reasonably linkable to individuals? Does a consumer “have knowledge” of the collection of footage or biometric information – thereby making the information “publicly available” and outside of the CCPA – if a company posts signs stating that video footage and/or surveillance is collected in an area? If so, how many signs and where must they be posted to impute knowledge?

So What?

The CCPA grants consumers various rights with regard to their PI held by businesses, including a right to opt out of the sale of PI, a right to know the PI that has been collected about them, a right to data portability, a right to request deletion of personal information, and a right to nondiscrimination for having exercised their rights under the law. In addition to numerous requirements about how consumers must be made aware of these rights through privacy notices, companies will also face the challenge of creating business processes to comply with these requests when they receive them.

These challenges are particularly acute for businesses such as drone operators, who do not process the type of information which the CCPA considers PI in the first place. Significantly, the California Attorney General’s recent draft regulations on the CCPA clarified that “[i]f a business maintains consumer information that is de-identified, a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request.” Businesses should avoid collecting new personal information, unless it is necessary for verification of customer requests. This could support arguments by drone or surveillance businesses that they simply cannot satisfy customers’ right to know or right to delete requests because they cannot verify the identity of the requester or re-identify their footage without obtaining new PI. This is an open issue for which there is currently no clear answer under the CCPA, and it is unclear whether un-blurred facial data will be considered de-identified.

Action Items

Giving some insight into California’s planned enforcement of the law, Attorney General Xavier Becerra said “we will look kindly on those that . . . demonstrate an effort to comply.” That means even if businesses are not reasonably able to satisfy all consumer requests, they should still make every effort to comply with other parts of the law.

To prepare for CCPA implementation, surveillance and drone companies should:

• Update their privacy policies to explain their processes, customer rights, incidental collection of PI, and other data uses in “plain English”
• Revise their privacy policies to let customers know they do not sell PI (if, in fact, they do not)
• Review the business purposes of their PI collection, and ensure that their retention policy is for a period of time no longer than needed for those purposes
• De-identify as much data as business goals allow, including blurring faces whenever possible.This includes:
  • implementingtechnical safeguards that prohibit re-identification of the consumer to whom the information may pertain,
  • implementing business processes that specifically prohibit re-identification of the information,
  • implementing business processes to prevent inadvertent release of de-identified information, and
  • making no attempt to re-identify the information.
• If they are service providers, review their agreements with their business customers
• Implement processes for customers to place requests and exercise their rights under the law
• If certain requests, or categories of requests, cannot be satisfied due to the nature of the business’s data collection, determine how those will be handled. Requests cannot simply be ignored!

What’s Next?

The transition does not seem likely to be smooth. Due to the law’s wide scope and the many questions it leaves unanswered, many businesses likely do not even realize the law will apply to them. A survey released in November by Osterman Research and Egress Software Technologies found that only 48 percent of companies said they would be compliant by the end of 2019. But with potential penalties of up to $2,500 per violationor $7,500 per intentional violation, unprepared businesses are taking a large business risk. Attorney General Becerra will not issue any penalties under the CCPA until July 1, 2020, giving companies an additional six months to adjust to the new requirements. But if significant violations occurred during that six-month period, the AG retains discretion to “reach back.” Offering companies another small point of solace, the CCPA authorizes a private right of action only for breaches involving the non-redacted and unencrypted PI of California consumers, not for other CCPA violations.

Many businesses cite the numerous gray areas and lack of clarity as a major obstacle to compliance. The regulations released by the AG’s office clarified some issues, but many questions regarding CCPA implementation remain unresolved. The AG’s office is now reviewing the public comments it received on its draft regulations, but it seems likely that the unanswered questions in the law will be resolved through enforcement actions, litigation, or possibly, legislative clarifications well after the law has taken effect. That means businesses will have to find a line of sight and fly ahead through the fog.

The following representatives of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. authored this article.

Cynthia Larose is Chair of Mintz’s Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.

 

 

Laura Stefani counsels clients seeking to bring new wireless technologies to market on regulatory issues. Her areas of focus include unlicensed and licensed wireless technologies, unmanned aircraft, satellite, medical devices, and the Internet of Things.

 

 

 

Jonathan Markman focuses on wireless and emerging technologies, with a particular emphasis on UAS (commonly known as drones) and wireless spectrum. He has experience with FCC and FAA procedures and rulemakings, formal and informal complaints, and FCC investigations, as well as filing and prosecuting applications with the FCC and FAA.

 

 

Elana Safner (CIPP-US) advises clients on public policy, regulatory issues, and disputes affecting the TechComm sector, as well as privacy and cybersecurity matters. She also has experience with FCC procedures and rulemakings.