Privacy guidelines for drone users

Privacy laws may not mention drones by name but these laws do apply to pictures, videos or other information collected by a drone. It’s important for you to be aware of privacy rules when flying.

Some violations of a person’s privacy may go beyond privacy laws and may be offences that result in charges. This includes using drones in a way that could be:

  • voyeurism
  • mischief
  • creating a nuisance
  • violations of provincial or municipal laws

You’re responsible for knowing all the laws that may apply to your drone use.

On this page

Personal information

Personal information is defined as information about an identifiable person. It can include a name, a picture of a person’s face or a license plate number.

Privacy guidelines for recreational drone operators

Keep in mind the following privacy principles when using recreational drones.

Be accountable

When you fly a drone, you’re a pilot. You’re responsible for all the personal information collected by your drone.

Limit collection

Take reasonable steps to avoid capturing personal information you don’t need. It’s also a good idea to make the personal information captured without consent in a video anonymous. For example, blur faces or license plates.

Obtain consent

If it’s likely you will capture people’s personal information on your flight, take reasonable steps to tell those affected and get their consent.

Store information securely

If you save recordings that contain personal information, take reasonable steps to ensure that no one else can access the information.

Be open and responsive about your activities

If someone complains that your drone flight is harming their privacy, you should respond with respect and courtesy.

Privacy guidelines for commercial drone operators

Businesses in Canada must follow the Personal Information Protection and Electronic Documents Act (PIPEDA) when using drones.

PIPEDA doesn’t apply if your organization operates entirely within Alberta, British Columbia or Quebec. The exceptions are when the collection, use or disclosure of personal information crosses borders or the organization is federally-regulated. These 3 provinces have their own private-sector laws for privacy.

Under PIPEDA, your organization must get consent for collecting, using and disclosing (sharing with others) personal information. People must understand the nature, reason and consequences of what they are consenting to for their consent to be valid.

Your business must show a high degree of professionalism and respect in handling people’s personal information. The Office of the Privacy Commissioner of Canada outlines the 10 fair information principles under PIPEDA. These include identifying your reason for collecting personal information and giving people access to their personal information.

You’re responsible for the protection and fair handling of personal information throughout your business.

Exemptions to privacy rules

PIPEDA doesn’t apply if you’re collecting, using or disclosing personal information for purposes that are:

  • journalistic
  • artistic
  • literary
  • academic
  • for not-for-profit organizations or charities

For more guidance on following the principles and the act, consult the:

Privacy guidelines for government drone operators

The Privacy Act applies to federal government institutions, including parent Crown corporations and wholly owned subsidiaries of these corporations. The act allows personal information to be collected where:

  • the information relates directly to the institution’s programs or activities, and
  • the person whose information is being collected is told the reason for the collection

For more detailed information on the Privacy Act, consult the Office of the Privacy Commissioner’s Privacy Act page.

To reduce privacy concerns around using drones you should first ask whether:

  1. Your program or activity needs the information collected by drones
  2. Using drones is an effective way to achieve your goal
  3. A less intrusive alternative is possible

If drones are necessary, you must ensure you follow the act.

Reducing privacy risks

You are required to complete a Privacy Impact Assessments (PIA) before introducing new or redesigned programs and services that handle personal information. This is required by the act and by Treasury Board Secretariat (TBS) policy.

Government institutions provide completed PIAs to the: