eCFR.io
Daily eCFR

§ 124.14 Privacy and civil liberties.

6 CFR 124.14

Citation6 CFR 124.14
CorpusDaily eCFR
Displayed edition2026-07-06
Last updated2026-07-06

§ 124.14 Privacy and civil liberties.

(a) General. In exercising authority under 6 U.S.C. 124n(a)(2), an SLTT law enforcement or correctional agency and its personnel must comply with the requirements of 6 U.S.C. 124n(e), including the implementation of privacy protections with respect to the interception, acquisition, access, maintenance, use, and dissemination of communications, consistent with the First and Fourth Amendments to the Constitution of the United States and applicable provisions of Federal law. All operations under this part must comply with the requirements of the Fourth Amendment and the policies of the applicable SLTT law enforcement or correctional agency with respect to searches and seizures, and individual searches and seizures conducted during C-UAS operations remain subject to the Fourth Amendment reasonableness requirement.

(b) First Amendment. No C-UAS authority under this part may be used solely to seize, monitor, deter, interfere with, or disrupt individuals exercising rights protected by the First Amendment to the Constitution of the United States. When C-UAS operations are conducted at events or locations where individuals are exercising First Amendment rights, personnel must take affirmative steps to minimize the collection, retention, and dissemination of information about those individuals, and must not use C-UAS-derived information to identify, track, or build records on individuals based on their exercise of protected rights.

(c) Scope of interception. Communications may be intercepted or acquired only to the extent necessary to support an action described in 6 U.S.C. 124n(b)(1).

(1) Material captured that is not control communications is incidental capture. Agencies must configure systems to minimize incidental capture, and incidentally captured material determined not to be relevant to a C-UAS, law enforcement, or national security purpose must not be reviewed, retained, or disseminated and must be purged as soon as practicable.

(2) During the contemporaneous C-UAS operation, personnel may view incidentally captured material only to the extent necessary for C-UAS detection, tracking, identification, or mitigation purposes and may not use it for general surveillance or monitoring. If it becomes apparent that the captured video, audio, or other data stream is not control communications, the interception of such communications must be discontinued, and the interception of incidentally captured material must be documented in the post-operation report. When a system's configuration permits adjustment of the scope of interception, such as frequency range, geographic coverage, or signal type, operators must use the narrowest configuration consistent with operational effectiveness.

(3) For standing detection deployments exceeding 30 days, the agency must conduct a review, not less than quarterly, to confirm that the scope of interception remains proportionate to the operational need, that incidental collection of non-UAS communications is being minimized, and that data handling and purge procedures are being executed on schedule. The review may be conducted on a program-wide basis for facilities.

(4) Where identifying the threat requires processing the control signaling of all unmanned aircraft in range, the control communications of an unmanned aircraft determined not to pose a threat may not be retained or used beyond what is needed to make the threat determination and must be purged on the same schedule as other incidental material.

(d) Records of communications and retention. (1) Control communications captured, recorded, or maintained by SLTT C-UAS systems constitute records of communications to or from a UAS within the meaning of 6 U.S.C. 124n(e)(3) and must be maintained only for as long as necessary, and in no event for more than 180 days, unless the Agency Approving Official or the agency's chief legal officer determines that maintenance of such records is necessary to investigate or prosecute a violation of law, to directly support an ongoing security operation, for the purpose of any litigation, or is required under Federal, State, local, Tribal, or territorial law, consistent with 6 U.S.C. 124n(e)(3).

(2) Data retained under the ongoing security operation exception must be reviewed at 90-day intervals and purged when the operation concludes, unless another exception applies.

(3) When an agency determines that records of communications will be retained beyond 180 days under any exception, the agency must notify the Federal Bureau of Investigation through the portal within 30 days of the determination.

(4) Pattern data, once extracted and recorded independently, is not a record of communications and is not subject to the 180-day limit. Data generated by systems whose operation does not implicate the electronic surveillance laws referenced in the notwithstanding clause of 6 U.S.C. 124n(a)(2) is likewise not subject to the 180-day limit.

(5) For data retained under the investigation or prosecution exception, the existence of an open investigative or prosecutorial case file documenting the data as evidence satisfies the required determination. For data retained under any other exception, the Agency Approving Official or the agency's chief legal officer must document the specific basis for retention. If an agency has neither an Agency Approving Official nor a chief legal officer, an official holding a rank not below a Senior Executive or Senior Official, or its equivalent, must document the specific basis for retention.

(6) A standing operational window authorized under § 124.8(h) does not itself constitute an ongoing security operation for purposes of the retention exception; that exception applies only when a specific, identified threat or other intelligence justifies continued retention of specific records to support a discrete protective objective, and the 90-day review must assess whether the specific security basis for retention continues to exist.

(7) The exception for retention required under Federal, State, local, Tribal, or territorial law applies when a specific provision of law affirmatively requires retention of the particular type of data at issue, not when a general records retention schedule incidentally encompasses C-UAS data.

(e) Dissemination. (1) Control communications acquired under this part may be disclosed outside the disseminating agency only as authorized by 6 U.S.C. 124n(e)(4): when necessary to investigate or prosecute a violation of law; to support the Department of Defense, a Federal law enforcement agency, or the enforcement activities of a regulatory agency of the Federal Government in connection with a criminal or civil investigation of, or any regulatory, statutory, or other enforcement action relating to an action described in 6 U.S.C. 124n(b)(1); or as otherwise required by law.

(2) This part does not prohibit the use, as evidence in a subsequent proceeding, of information lawfully obtained incidental to an SLTT law enforcement or correctional agency C-UAS operation, consistent with applicable law.

(3) At the time of any dissemination of control communications, the disseminating agency must document, in the audit trail required by paragraph (g) of this section, the 6 U.S.C. 124n(e)(4) basis for the dissemination, the category of recipient, whether the handling caveat required by paragraph (f) of this section was conveyed, and whether the dissemination included control communications.

(4) A real-time detection feed is governed by the substantive character of the data it transmits. A feed that transmits control communications acquired under this part is subject to the requirements of this section applicable to such data and the limitations under 6 U.S.C. 124n(e)(1), (2), and (4). A feed that transmits only data described in paragraph (e)(6) of this section is not subject to those limitations.

(5) Pattern data that contains no control communications may be disseminated consistent with the agency's standard data handling and information sharing policies and applicable law. Before disseminating pattern data beyond the agency, the disseminating agency must verify anonymization in accordance with its implementation policy and screen the product for operationally sensitive information that would reveal specific coverage patterns, capabilities, gaps, or methods. Public release of pattern data products requires approval at the level designated by the agency's implementation policy.

(6) Data not acquired using the authorities or reliefs provided by 6 U.S.C. 124n, including data generated by systems whose operation does not implicate the electronic surveillance laws referenced in the notwithstanding clause of 6 U.S.C. 124n(a)(2), is not subject to the disclosure limitations of paragraph (e)(1) of this section and may be shared consistent with the agency's standard data handling and information sharing policies and applicable law. Sharing for situational awareness with recipients that are not law enforcement or correctional agencies, including critical infrastructure owners or operators and the public, is limited to data described in this paragraph, unless the disclosure of control communications is authorized under paragraph (e)(1) of this section.

(f) Protective purpose limitation. Because the authority of 6 U.S.C. 124n(a)(2) is limited to mitigation of a credible threat, an SLTT law enforcement or correctional agency may disseminate control communications acquired pursuant to the agency's authorities and statutory reliefs under 6 U.S.C. 124n(a)(2) only for law enforcement action arising from the UAS activity that prompted the C-UAS operation, or for aviation safety. An SLTT law enforcement or correctional agency may not disseminate such control communications for use in an investigation or enforcement action unrelated to UAS activity unless the communications are independently obtainable through lawful means not dependent on the authorities and statutory reliefs under 6 U.S.C. 124n(a)(2). At the time of dissemination, the disseminating agency must communicate the protective purpose for which the control communications are being shared.

(g) Audit trail. Each SLTT law enforcement or correctional agency exercising authority under this part must maintain an audit trail sufficient to document each instance in which C-UAS authority was exercised, the basis for the action, the disposition of any data acquired, and any dissemination of data under this part. The audit trail must be searchable and accessible to compliance auditors, protected against unauthorized modification or deletion, and retained for a minimum of 6 years. The agency's implementation policy must specify the format and system of records for the audit trail.

(h) State and local retention conflicts. When an SLTT law enforcement or correctional agency determines that a State, local, Tribal, or territorial records retention requirement applicable to law enforcement or correctional agency records encompasses C-UAS communications data and the agency cannot comply with both the 180-day retention limit and that retention requirement, the agency must retain the data for the period required by the applicable law and must apply the handling restrictions of this part, including the prohibition on use for unrelated law enforcement purposes and the dissemination restrictions of this section, for the full duration of retention.

(i) Third-party acquisition. An SLTT law enforcement or correctional agency may not request, purchase, subscribe to, or operationally rely on intercepted UAS control communications acquired by any actor lacking lawful authority and relief from certain otherwise applicable laws for the underlying interception, regardless of whether the agency directed or facilitated the original interception. An agency acquiring UAS intelligence from a third-party source must document the source's lawful authority and relief from otherwise applicable laws for any intercepted content and must apply the retention and dissemination requirements of this section to data so acquired. The agency's implementation policy must specify procedures for evaluating third-party source authority and relief from certain otherwise applicable laws, which must include review and concurrence by appropriate State, local, territorial, or Tribal legal counsel.

(j) Vendor data sharing. An SLTT law enforcement or correctional agency may provide operational raw sensor data to system vendors for purposes of system diagnostics, troubleshooting, and performance validation, provided that any communications content is removed before disclosure and the data is used solely for the specific purpose identified. The agency's implementation policy must establish the conditions for vendor data sharing consistent with this paragraph and applicable privacy protections.