Quis Custodiet Ipsos Custodes: Labor & Privacy in the Age of Kidfluencers and the Internet’s Stage Mothers

  INTRODUCTION

In 2022, a group of minors sued Tiffany Smith, mother and producer of prolific child influencer Piper Rockelle, and her corporation Piper Rockelle Inc. (“PRI”), alleging nineteen claims in total, nearly all for violations of either state tort law or the California Labor Code.1Complaint for Damages for: 1. Violation of California Civil Code § 3344, 2. Violation of Common Law Right of Publicity, 3. Unjust Enrichment, 4. Intentional Interference with Contractual Relations, 5. Intentional Interference with Prospective Economic Advantage, 6. Civil Conspiracy, 7. Sexual Battery, 8. Battery, 9. Intentional Infliction of Emotional Distress, 10. Violation of Cal. Bus. & Prof. Code §§ 17200, Et Seq. at 1–2, Sawyer S. v. Smith, No. 22STCV01351 (Cal. Super. Ct. 2022) [hereinafter Complaint for Damages]; Second Amended Complaint for Damages for: 1. Violation of California Civil Code § 3344, 2. Violation of Common Law Right of Publicity, 3. Unjust Enrichment, 4. Intentional Interference with Contractual Relations, 5. Intentional Interference with Prospective Economic Advantage, 6. Civil Conspiracy 7. Sexual Battery, 8. Battery, 9. Intentional Infliction of Emotional Distress, 10. Violation of Cal. Bus. & Prof. Code §§ 17200, Et Seq., 11. Negligence, 12. Negligent Interference with Prospective Economic Advantage, 13. Failure to Pay Minimum Wage (Labor Code §§ 216 and 1194 Et Seq.), 14. Failure to Pay Overtime Compensation (Labor Code § 510), 15. Failure to Furnish Wage and Hour Statements (Labor Code § 226), 16. Waiting Time Penalties (Labor Code §§ 201–2013), 17. Failure to Provide Meal and Rest Periods (Labor Code §§ 226.7 and 512), 18. Violation of Child Labor Laws, 19. Civil Penalties Under the Private Attorneys General Act of 2004 (Labor Code §§ 2698 Et. Seq.) at 1–2, Sawyer S. v. Smith, No. 22STCV01351 (Cal. Super. Ct. 2024) [hereinafter Second Amended Complaint for Damages]. 
The minors had previously appeared in monetized content on Rockelle’s YouTube channel, which then boasted over 8.5 million followers,2Complaint for Damages, supra note 2, at 5. as part of a group of children self-nicknamed “the Squad.”3Id. at 2–3. According to their complaint, they devoted long hours—in some cases more than twelve hours a day for seven days a week4Second Amended Complaint for Damages, supra note 2, at 43–44.—over three years to producing “hundreds” of “highly lucrative” videos but were never compensated, were denied meal and rest breaks while filming, and did not receive regular on-set education.5Amy Kaufman & Jessica Gelt, Inside the Blockbuster Lawsuit Threatening One Teen YouTube Star’s Multimillion-Dollar Empire, L.A. Times (Dec. 18, 2022, at 22:24 PT) [hereinafter Kaufman & Gelt, Blockbuster Lawsuit], https://www.latimes.com/entertainment-arts/story/2022-12-18/piper-rockelle-youtube-child-labor-lawsuit [https://web.archive.org/web/20241009204928/https://www.latimes.com/entertainment-arts/story/2022-12-18/piper-rockelle-youtube-child-labor-lawsuit]. Following the suit’s initial filing, YouTube demonetized Rockelle’s channel, and venues where Rockelle had upcoming tour dates canceled her appearances.6Id. In 2023, Smith countersued for $30 million, accusing plaintiffs and their parents of defamation, fraud, and extortion; before plaintiffs responded, Smith dropped her lawsuit.7Id.; Angela Yang, YouTube Mom’s Child Abuse Scandal Ends in $1.85 Million Settlement, NBC NEWS (Oct. 9, 2024, at 13:22 PT), https://www.nbcnews.com/tech/piper-rockelle-mom-youtube-settlement-deal-rcna174615 [https://perma.cc/VL7B-2X74]. In March 2024, a Los Angeles Superior Court judge denied Smith’s motion for summary judgment, thus scheduling the case for trial.8Sawyer S. v. Smith, No. 22STCV01351, 2024 Cal. Super. LEXIS 51728, at *2, *19 (Dec. 18, 2024). By October 2024, the parties had settled for $1.85 million.9Yang, supra note 8.

The suit illustrates the potential for severe damage inherent in the world of child influencers—a world that is, as of now, largely unregulated. The plaintiffs in the suit, and Rockelle herself, represent a common demographic among child influencers (“kidfluencers”): children between ten and sixteen years of age with public, monetized accounts on large social-media platforms like YouTube, Instagram, and TikTok, and talent and training in skills like dancing and singing as well as video editing and other skills required for content creation. Between 2017 and 2020, the plaintiffs appeared in content on Rockelle’s YouTube channel and on her accounts on other platforms; while Rockelle’s early postings were relatively innocuous (videos with titles like “My trip to the Los Angeles Zoo”10Piper Rockelle, My Trip to the Los Angeles Zoo || Piper Rockelle (YouTube, Oct. 28, 2017), https://www.youtube.com/watch?v=ndZwmfmOcow [https://perma.cc/Z8KJ-3B4V]. and “Getting a pet turtle!!!”11Piper Rockelle, Getting a Pet Turtle!!! (YouTube, June 11, 2017), https://www.youtube.com/watch?v=7OPQGKBJZTE [https://perma.cc/W6NH-DJZ8]. ), the channel’s tone quickly took a questionable turn, with videos featuring children performing skits, challenges, and pranks in various stages of undress and in suggestive situations accompanied by clickbait thumbnails and titles12Clickbait, Merriam-Webster, https://www.merriam-webster.com/dictionary/clickbait [https://perma.cc/CXA3-W9XE] (last visited Dec. 17, 2024, at 12:14 PT). such as “24 HOURS HANDCUFFED to my ‘BOYFRIEND’ ” (featuring a then-ten-year-old Rockelle),13Piper Rockelle, 24 Hours Handcuffed to My “Boyfriend” | Piper Rockelle (YouTube, June 23, 2018), https://www.youtube.com/watch?v=Jua-A0z6BL0 [https://perma.cc/CW3N-2XTE]. “11 YEAR OLD BELLY PIERCED **PRANK** (Can’t Say No 24 Hour Challenge) 🚫👌,”14Piper Rockelle, 11 Year Old Belly Pierced **Prank** (Can’t Say No 24 Hour Challenge)🚫👌 | Piper Rockelle (YouTube, Jan. 16, 2019) [hereinafter Rockelle, Belly Pierced], https://www.youtube.com/watch?v=SkF8_jxE16M [https://perma.cc/TP7S-FHWX]. and “Asking STRANGERS To Be My BOYFRIEND Challenge **1 DATE = $100** ❤️💵” (featuring a then-twelve-year-old Rockelle).15Piper Rockelle, Asking Strangers to Be My Boyfriend Challenge **1 Date = $100**❤️💵 | Piper Rockelle (YouTube, June 23, 2019) [hereinafter Rockelle, Asking Strangers to Be My Boyfriend], https://www.youtube.com/watch?v=YPymnxtTG-0 [https://perma.cc/ZTM5-FQA4].

Using the Piper Rockelle lawsuit (“the PRI lawsuit”) as a case study,16I acknowledge that use of the PRI lawsuit as a case study may have inherent limitations in supporting more general propositions about the kidfluencer phenomenon and related legal and policy concerns. this Note will focus on the growing number of kidfluencers and the need for standardized, federal laws ensuring their fair labor conditions and preservation of personal privacy. In particular, this Note will discuss the inadequacy of federal and state regulation of two forms of exploitation that present concerns in the kidfluencer context: (1) labor (exploiting a child’s work without compensation, meaningful consent, or regulation) and (2) privacy (exploiting a child’s image or likeness without compensation and meaningful consent).17In addition to both forms of exploitation, the PRI case also involved significant physical abuse; such abuse raises issues and laws that are not unique to kidfluencing and are not the focus of this Note. Part I of this Note presents an overview of the kidfluencer phenomenon and the evolution of stage parents from vaudeville and the early motion picture industry to the Internet and social media. Part II describes kidfluencers’ vulnerability to labor exploitation, discussing how measures protecting child performers remain largely unavailable to kidfluencers and require expansion to cover this new demographic of child workers. Part III details the rampant exploitation of kidfluencers’ privacy and analyzes how the increasing legal spotlight on protecting children as social-media users has yet to acknowledge kidfluencers’ privacy and publicity interests and must do so to adequately protect them. 
Part IV proposes that, in addition to enacting laws to protect the labor and privacy rights of kidfluencers, Congress should empower social-media platforms as enforcers of kidfluencer laws and impose liability on platforms that host content produced in violation of these recognized kidfluencer rights. Ultimately, this Note presents a holistic set of common-sense regulations, grounded in analogous, existing law, that are designed to close the critical gaps in kidfluencer protections as quickly and effectively as possible. This all-encompassing approach—covering both privacy and labor—to regulating children in monetized content is essential given the pervasiveness of their online presence and the reality of ever-advancing online technology that is here to stay.

I.  THE ARRIVAL OF KIDFLUENCERS

The influencer economy is worth over $250 billion worldwide18Jennifer Valentino-DeVries & Michael H. Keller, A Marketplace of Girl Influencers Managed by Moms and Stalked by Men, N.Y. Times (Feb. 25, 2024), https://www.nytimes.com/2024/02/22/us/instagram-child-influencers.html [https://web.archive.org/web/20241116174149/https://www.nytimes.com/2024/02/22/us/instagram-child-influencers.html]. and is expected to swell to $480 billion before the year 2030.19Press Release, Steve Padilla, Sen., California Legislature Approves Senator Padilla Bill Updating Financial Protections for Youth Content Creators (Aug. 29, 2024), https://sd18.senate.ca.gov/news/california-legislature-approves-senator-padilla-bill-updating-financial-protections-youth [https://perma.cc/8MCP-PWAU]. U.S. brands spend more than $5 billion on influencers each year.20Valentino-DeVries & Keller, supra note 19. Massive content-sharing platforms like YouTube, Instagram, and TikTok host millions of influencers who then share content to millions more subscribers.21Joe Gagliese, The Rise of the Influencer: Predictions for Ways They’ll Change the World, Forbes (July 8, 2022, at 7:30 ET), https://www.forbes.com/councils/theyec/2022/07/08/the-rise-of-the-influencer-predictions-for-ways-theyll-change-the-world [https://perma.cc/9SFW-UZJN]. On YouTube, influencers creating and sharing videos on their “channels” earn revenue based on the number of views their videos generate. When a YouTube channel is monetized, YouTube collects forty-five percent of advertising revenue from the creator’s videos, and the creator receives the remainder.22Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. With this formula, top creators earn tens of millions of dollars each year—and kidfluencers with at least one million followers can earn $10,000 or more for each sponsored post they share.23Press Release, Dave Koehler, Sen., Ill. Gen. Assemb., Koehler Law Ensures Child Vloggers Are Accurately Compensated (Aug. 11, 2023, at 16:22 PT), https://www.senatordavekoehler.com/news/28-press-releases/462-koehler-law-ensures-child-vloggers-are-accurately-compensated [https://perma.cc/PJ5K-JSBW]. Before the onset of the PRI lawsuit, PRI made between $4.2 million and $7.5 million annually from social-media advertising alone, and the PRI plaintiffs averaged up to $28,000 per month in YouTube revenue.24Kaufman & Gelt, Blockbuster Lawsuit, supra note 6; Complaint for Damages, supra note 2, at 21–23.

And kidfluencers are a fast-growing demographic in monetized social-media content.25Sapna Maheshwari, Online and Earnings Thousands, at Age 4: Meet the Kidfluencers, N.Y. Times (Mar. 1, 2019), https://www.nytimes.com/2019/03/01/business/media/social-media-influencers-kids.html [https://web.archive.org/web/20250207002557/https://www.nytimes.com/2019/03/01/business/media/social-media-influencers-kids.html]. Social-media accounts listed in children’s names but managed by parents (typically with a moniker like “Managed by Mom” in the account biography) feature young children almost exclusively, with little to no regulations governing the children’s compensation, working conditions, or content output. Thus, children can work extensive hours, receive little to no formal schooling, and have their intimate details shared on the Internet at-large with essentially no recourse and no safeguarding of their earnings from parents or other adults controlling their accounts. Many kidfluencer accounts boast massive followings, with subscribers in the hundreds of thousands or even millions, and the financial payout is huge. Roughly a century ago, states began regulating labor conditions for child performers, many of whom were pushed into the entertainment industry by their parents and subsequently experienced extensive exploitation.26See infra Section I.A. Now, social media has given stage parents a new arena—one with novel and potentially catastrophic dangers if left unchecked.

A. A Brief History of Stage Mothers

The concept of “stage parents” and “stage mothers” enjoys a long and controversial history in American culture.27See generally Teresa Simone, Performing Performance Moms, in Aoise Stratford & Lynn Deboeck, (M)Other Perspectives: Staging Motherhood in 21st Century North American Theatre & Performance 220 (2023) (discussing depictions of stage mothers in reality television and various social debate thereof). Early discussion of overbearing and even abusive parents pushing their children into careers on stage and in film arose from personal anecdotes of early film stars. Legendary movie star Judy Garland often recounted growing up on a vaudeville stage in the 1920s and 1930s, and the intensity with which her mother, Ethel Gumm, pushed her to perform; in a 1967 interview, Garland, recalling her early days of performing onstage, stated, “[My mother] would sort of stand in the wings . . . and if I didn’t feel good, if I was sick to my tummy, she’d say, ‘You get out and sing, or I’ll wrap you around the bedpost and break you off short!’ So, I’d go out and sing.”28Jaycub Howard, Judy Garland Complete 1967 Interview, at 13:25–13:39 (YouTube, Apr. 6, 2014), https://www.youtube.com/watch?v=NHJujYMvY30 [https://perma.cc/8DJV-FLV2]. Garland, cemented in American culture by her performance as Dorothy in 1939’s The Wizard of Oz, later characterized her mother as “the real Wicked Witch of the West” and described how Ethel began giving her pills to increase energy or to promote sleep before Garland’s tenth birthday.29Sara Kettler, Inside Judy Garland’s Troubled Youth, Biography (Oct. 1, 2020, at 14:12 ET), https://www.biography.com/actors/judy-garland-facts-bio [https://perma.cc/AK45-5UC9].

Nearly a century and the passage of much legislation for child performers later, stage parents like Ethel Gumm remain, motivated by many of the same interests—money, fame, power, attention—as their twentieth-century counterparts. These interests can easily collide with children’s needs, and the development of laws protecting child actors demonstrates a commitment by the traditional entertainment industry to limiting the effects of such conflict. Today, child actors in multiple states, including California and New York, and members of entertainer unions like SAG-AFTRA have protections that Judy Garland’s generation did not, such as guaranteed access to wages, adequate education, and limitations over working hours.30SAG-AFTRA, the primary labor union for American media professionals, provides extensive protections to child actors. See SAG-AFTRA, Young Performers Handbook 7 (2020), https://issuu.com/sag-aftra/docs/2020_youngperformers [https://perma.cc/5YUZ-F8F4]. Entertainers are eligible for membership upon being hired for a position covered by a SAG-AFTRA collective bargaining agreement, while minors under age four can work under SAG-AFTRA contracts without union membership. Id. at 5. SAG-AFTRA’s collective bargaining agreements mandate protected trust accounts for the compensation of minor actors working in California and New York, in addition to restricting work hours for minor actors anywhere in the United States and imposing requirements for on-set education and supervision. Id. at 9, 13, 17. Production companies employing minors must adhere to the responsibilities required by both SAG-AFTRA contracts and applicable state law. Id. at 17. These regulations acknowledge both the potential conflict of interest between stage parents and child performers as well as the reality of children as a key and enduring presence within the entertainment industry. 
But while child actors today are more protected from parents who squander their earnings or force them to work oppressively long hours, children are still at the mercy of their parents as to whether they ultimately pursue an entertainment career in the first place and, if they do, the relentlessness of that pursuit.

In 2022, former child star Jennette McCurdy released her memoir I’m Glad My Mom Died. Chronicling her ascent from poverty to fame on the highly successful Nickelodeon show iCarly, McCurdy detailed her late mother’s longstanding obsession with McCurdy’s success as a child actor, regardless of McCurdy’s own disinterest in such a career. Recalling the initial signing meeting with her first agent, McCurdy wrote,

“It’s important that Jennette wants to act, in order for her to do well,” [the agent] says.

“Oh, she wants this more than anything,” Mom says as she signs on the next page’s dotted line.

Mom wants this more than anything, not me. [Auditioning] was stressful and not fun, and if given the choice, I would choose to never do anything like it again. On the other hand, I do want what Mom wants, so she’s kind of right.31Jennette McCurdy, I’m Glad My Mom Died 14 (2022).

McCurdy emphasized her lack of agency and meaningful choice in embarking on her career as an actor, framing her mother’s eventual death from cancer as the catalyst that allowed McCurdy to leave behind the career she never wanted—though she could not as easily escape her fame.32See id. at 303.

When I was six years old, she pushed me into a career I didn’t want. I’m grateful for the financial stability that career has provided me, but not much else. I was not equipped to handle the entertainment industry and all of its competitiveness, rejection, stakes, harsh realities, fame. I needed that time, those years, to develop as a child. To form my identity. To grow. I can never get those years back.33Id.

B. Reality Television Bridges the Gap from Film and Television to the Internet

In 2011, the Lifetime reality series Dance Moms premiered, unwittingly marking the beginning of a new era and a new medium for twenty-first-century stage parents. Following a group of young competitive dancers and their intense and argumentative mothers, Dance Moms became an overnight sensation and launched the show’s young dancers into stardom. In the show’s early seasons, the dancers’ mothers spoke of their hopes for their children to achieve careers on a Broadway stage and in film.34See, e.g., Dance Moms: The Competition Begins (Lifetime television broadcast, aired July 13, 2011). In 2011, Instagram was in its infancy and the advent of TikTok was years away; a handful of hit reality shows featuring children, like Jon and Kate Plus 8 and the ill-fated 19 Kids and Counting,3519 Kids and Counting was a reality series on The Learning Channel (“TLC”) that ran from 2008 to 2015 and followed the lives of the Duggar family, a conservative Christian family with nineteen children. See Abby Ohlheiser, Sarah Pulliam Bailey & Elahe Izadi, Josh Duggar Apologizes Amid Molestation Allegations, Quits Family Research Council, Wash. Post (May 22, 2015), https://www.washingtonpost.com/news/acts-of-faith/wp/2015/05/21/josh-duggar-apologizes-resigns-from-family-research-council-amid-molestation-allegations [https://web.archive.org/web/20150531005339/https://www.washingtonpost.com/news/acts-of-faith/wp/2015/05/21/josh-duggar-apologizes-resigns-from-family-research-council-amid-molestation-allegations]. The show was canceled in 2015 after allegations surfaced that the family’s oldest son, Joshua Duggar, had sexually abused four of his younger sisters before the show’s run. Abby Ohlheiser & Elahe Izadi, TLC Pulls ‘19 Kids and Counting’ Citing ‘Heartbreaking Situation,’ Wash. Post (May 22, 2015), https://www.washingtonpost.com/news/acts-of-faith/wp/2015/05/22/what-happens-to-tlcs-19-kids-and-counting-after-the-josh-duggar-allegations [https://web.archive.org/web/20150531162500/https://www.washingtonpost.com/news/acts-of-faith/wp/2015/05/22/what-happens-to-tlcs-19-kids-and-counting-after-the-josh-duggar-allegations]. existed but the children on those shows were not positioned adjacent to entertainment careers and also had not built independent followings or fanbases—the concept of kidfluencers was entirely new. Dance Moms changed the game.36See generally Back to the Barre (Apple Podcasts) (discussing how the Dance Moms child cast evolved from popular reality-television personalities to some of the first kidfluencers on content-sharing platforms).

Today, the original Dance Moms dancers are in their early to mid-twenties and their primary careers are as social-media influencers.37See infra notes 43–45 and accompanying text. Instead of becoming “stars” in a traditional sense on stage and in film, the Dance Moms girls achieved stardom as themselves, beloved by young fans of their show who flocked to follow them on social media as Instagram and other platforms simultaneously took off.38Rebecka Schumann, ‘Dance Moms’ Online: 8 Former Cast Members to Follow on Instagram, Twitter and More, Int’l Bus. Times (July 2, 2015, at 14:15 ET), https://www.ibtimes.com/dance-moms-online-8-former-cast-members-follow-instagram-twitter-more-1994430 [https://perma.cc/V8SF-BWMX]. While the first Dance Moms dancers did not begin their time on the show imagining kidfluencer fame, cast members during the show’s later seasons arguably did. In 2016, a group of younger dancers joined the now-wildly successful Dance Moms cast; entering the show in the post-Instagram and Musical.ly (TikTok’s forerunner application) world, these new dancers had social-media pages ready when the show’s global audience began following them in droves. Now teenagers, many members of Dance Moms’ second generation work as kidfluencers today39See id.—and the world of kidfluencers and reality child stars is a small one. Dance Moms’ second generation includes seventeen-year-old Lilliana Ketchman and eighteen-year-old Elliana Walmsley. Ketchman was named by the PRI plaintiffs as a perceived competitor to Rockelle, “anger[ing]” Smith; the plaintiffs believed Smith subsequently used “dirty tactics” to cause a significant decline in Ketchman’s followers, viewership, and revenue in January 2021.40Complaint for Damages, supra note 2, at 15–16. Plaintiffs believed that Smith used the same tactics against Ketchman that they alleged that she did against the plaintiffs themselves after they stopped collaborating with Smith to develop content for Rockelle’s platforms. 
Such tactics included

using “bots,” paying to quickly add and then remove “subscribers” from a YouTube channel (which affects YouTube’s algorithm for recommended content), falsely flagging content as “inappropriate” on YouTube (which leads to the content being deemed “restricted,” thereby hurting viewership of the content), embedding [p]laintiffs’ videos into porn[ography] sites and working with an inside individual . . . at YouTube to help “restrict” [p]laintiffs’ videos.

Id. at 15.
Meanwhile, Walmsley is a former member of Rockelle’s Squad, though she was not a party to the PRI lawsuit.41See, e.g., Piper Rockelle, Last to Stop Massaging Their Boyfriend Wins **Couples Challenge** 💆‍♀️💕 | Piper Rockelle (YouTube, Feb. 13, 2021) [hereinafter Rockelle, Last to Stop], https://www.youtube.com/watch?v=xSRoRwuVxX4 [https://perma.cc/EYF9-9PDA]; Piper Rockelle, Last to Leave the Bubble Bath!! (YouTube, Feb. 5, 2022) [hereinafter Rockelle, Last to Leave], https://www.youtube.com/watch?v=6KHlTcf0e4s [https://perma.cc/5MHN-JCQ2].

Image 1.  Former Dance Moms Cast Member and Current Influencer Kendall Vertes’s Instagram42Kendall Vertes (@kendallvertes), Instagram, https://www.instagram.com/kendallvertes [https://web.archive.org/web/20240110032236/https://www.instagram.com/accounts/login/?next=https%3A%2F%2Fwww.instagram.com%2Fkendallvertes%2F].


Image 2.  Former Dance Moms Cast Member and Current Influencer Chloé Lukasiak’s Instagram43Chloé Lukasiak (@chloelukasiak), Instagram, https://www.instagram.com/chloelukasiak [https://perma.cc/PFP7-FQ6K].

Barely a decade after Dance Moms’ premiere and Instagram’s launch, kidfluencing is now eclipsing the once-well-trodden paths to child stardom found on television and in film. Piper Rockelle exemplifies this phenomenon:

Paparazzi don’t wait outside Piper’s fuchsia-painted mansion in the San Fernando Valley, but among a young, YouTube-fixated demographic, the ebullient brunette is idolized. As a rising star on the most-watched video-content platform of her generation, Piper bypassed the traditional paths of Nickelodeon and Disney to become a millionaire through the monetization of her social media content.

Propelled by the force of millions of likes and heart emojis, Piper was making between $4.2 million and $7.5 million a year before the Squad’s lawsuit. Her YouTube videos had amassed over 1.87 billion views, and companies such as NBCUniversal, Disney and Amazon were paying her to promote their products on Instagram and TikTok. Super-VIP tickets on her tour—a live variety show that trades on the Squad’s online personas—went for $599.99. She was also selling merchandise on her website, offering personalized greetings via Cameo and making music. She has released seven singles.44Kaufman & Gelt, Blockbuster Lawsuit, supra note 6.

The PRI “empire[],” much like many YouTube money machines, “was built at home.”45Id. Smith’s live-in boyfriend, Hunter Hill, also a defendant in the PRI lawsuit, filmed and edited the Squad’s videos in the Smith home, and Smith planned video content and coordinated filming schedules for Squad members.46Id. Initially, Rockelle and other members of the Squad sought success as actors on stage and in film; after her social-media channels took off, however, Rockelle narrowed her focus solely to kidfluencing, while Smith “strongly discouraged” other Squad members from continuing to pursue work beyond their growing YouTube empire.47Id.

And though stage parents like Smith are pursuing fame for their children in a new medium, the same conflicts of interest between parents and children that persist in film and television recur in the Internet-child-stardom era. In the early 2000s, the challenges of living in poverty colored Jennette McCurdy’s high-stress journey into the television industry; just a few years later, PRI would allegedly take advantage of children also coming from limited means in order to profit from their involvement in the Squad. Said one PRI plaintiff, “[s]ingle mothers using YouTube to support the family—there’s a lot of those in the [Squad’s families].”48Id.

While the PRI lawsuit is seemingly unique (as of now) in terms of its size and the breadth of the allegations at-issue, Rockelle and the Squad are in good company as part of a vast, bankable movement of kidfluencer content creators. Kidfluencer accounts are undeniably popular: a 2019 study revealed that videos featuring a child younger than thirteen-years-old receive three times the views garnered by videos without children.49Patrick Van Kessel, Skye Toor & Aaron Smith, A Week in the Life of Popular YouTube Channels, Pew Rsch. Ctr. (July 25, 2019), https://www.pewresearch.org/internet/2019/07/25/a-week-in-the-life-of-popular-youtube-channels [https://perma.cc/59KQ-22TN]. And critics of the kidfluencer phenomenon say that platforms like YouTube, as well as brands that partner with kidfluencers for paid product placements, are deliberately skirting child labor laws because of kidfluencer accounts’ popularity and payoff; in their view, the legal gray area surrounding kidfluencers enables platforms and brands to make “billions” from kidfluencer content while avoiding the costs and coordination that film and television productions are legally required to undertake to work with child performers.50Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. YouTube currently makes it fairly easy, with strategic use of algorithmic tools like hash-tagging, to achieve monetized status, requiring that channels reach just 1,000 subscribers and 4,000 viewing hours within twelve months to become monetized; as of last year, YouTube hosted roughly two million monetized accounts.51Id.

Between YouTube, Instagram, and TikTok, opportunities for children to build a massive online presence—and for adults to make serious money off their backs—are exploding. As the last century of developing adequate legal protections for child actors demonstrates, this level of financial promise coupled with children as the key moneymakers is a recipe for exploitative disaster. Now that the recipe has found a new home on the Internet, the potential for lifelong damage to the children behind the money machines has reached devastating levels. The baby steps that some lawmakers are beginning to take toward protecting, primarily, kidfluencers’ compensation are, to be sure, essential regulatory efforts. But the reality of the kidfluencer world demands a much more all-encompassing approach—one that treats kidfluencers as the professionals they are and treats the Internet as the uniquely permanent and wide-ranging medium it is. Making parents the unchecked shot-callers over their children’s labor conditions and privacy is an untenable arrangement because of the potential conflict of interest inherent in parents choosing between substantial monetary gain and their children’s best interests. Kidfluencers and the Internet (much like child film stars and the motion picture industry as seen a century ago) are not going anywhere. So, lawmakers must get serious about how to regulate them.

II.  REGULATING THE LABOR OF KIDFLUENCERS

While federal law does provide some protections for child labor, it expressly exempts child performers from those protections. Thus, to the extent that child entertainers receive protection from labor exploitation, those protections come either from state law or from unions for media professionals such as SAG-AFTRA. However, summarizing what relevant federal law is present in this area helps contextualize the gaps in child entertainer regulations that state laws and unions have had to attempt to fill. And while neither state laws (for the most part) nor unions protect kidfluencers’ labor rights, they do protect child entertainers and thus provide helpful and relevant models for what effective legal protections for kidfluencers’ labor should entail.

Only a handful of states have laws governing child entertainers, and the most stringent laws exist in California and New York; both states limit child entertainers’ working hours, regulate their education, mandate their on-set supervision and advocacy, and protect their wages. All of these regulations should be expanded to cover kidfluencers; further, because kidfluencers primarily work at home and thus are not restricted by a need to live within range of entertainment hubs like Los Angeles and New York City, these regulations should apply to kidfluencers in every state through federal legislation. Recent legislation in California, Illinois, Utah, and Minnesota protecting primarily kidfluencers’ wages, while helpful, is but one small piece of the comprehensive regulatory scheme needed to adequately protect kidfluencers’ labor.

A.  Existing Labor Regulations for Child Entertainers

1. Federal Measures for Child Workers: The Fair Labor Standards Act

In 1938, the Fair Labor Standards Act (“FLSA”) marked a new era for regulation of child workers. Setting the minimum age of employment for most non-agricultural work at sixteen,52Fair Labor Standards Act of 1938, 29 U.S.C. § 203(l). the act came on the heels of the United States Supreme Court striking down laws aimed at regulating commercial goods produced by child workers in Hammer v. Dagenhart53Hammer v. Dagenhart, 247 U.S. 251, 276–77 (1918). and the Child Labor Tax Case.54Child Labor Tax Case, 259 U.S. 20, 39 (1922). These decisions were but one component of a long struggle by labor reformers to protect child workers—by the twentieth century, reformers heavily emphasized how child labor led to extensive health problems and the deprivation of adequate education.55Michael Schuman, History of Child Labor in the United States—Part 2: The Reform Movement, U.S. Bureau of Lab. Stats.: Monthly Lab. Rev. (Jan. 2017), https://www.bls.gov/opub/mlr/2017/article/history-of-child-labor-in-the-united-states-part-2-the-reform-movement.htm [https://perma.cc/UWU8-NM2Y]. In developing their platform regarding child labor, advocates also had to reckon with the difficult but inescapable reality that many child workers came from immense poverty. Some reformers lobbed heavy criticism at parents who they claimed were “too lazy to work” and had “become accustomed to subsist[ing] by their children’s labor.”56Id. (alteration in original) (quoting Hugh D. Hindman, Child Labor: An American History 174 (2002)).

The FLSA still has multiple exemptions, some critical to child entertainers and kidfluencers alike: the FLSA exempts from regulation “a parent employing his own child”5729 U.S.C. § 203(l). and does not apply to “any child employed as an actor or performer in motion pictures or theatrical productions, or in radio or television productions.”58Id. § 213(c)(3). The latter exemption is known as the “Shirley Temple Act” because without it, the then-wildly popular child star would have disappeared from movie screens.59Kimberlianne Podlas, Does Exploiting a Child Amount to Employing a Child? The FLSA’s Child Labor Provisions and Children on Reality Television, 17 UCLA Ent. L. Rev. 39, 57–58 (2010). Further, the lawmakers behind the FLSA did not consider entertainment work especially hazardous or oppressive, unlike the dangerous factory and agricultural labor the FLSA was intended to address, and thus excluded minors in entertainment from coverage.60Katherine Wirvin, Note, A Star Is Born: Lack of Income Rights for Entertainment’s Newest Stars, “Kidtubers,” 76 Fed. Commc’ns L.J. 61, 63 (2023). Due to this exclusion of child performers from federal regulation, labor rights for child performers fall under state law, and states have adopted a variety of protections (including, in seventeen states, no protections at all) for this demographic.61Nila McGinnis, Note, “They’re Just Playing”: Why Child Social Media Stars Need Enhanced Coogan Protections to Save Them from Their Parents, 87 Mo. L. Rev. 247, 254 (2022).

2.  SAG-AFTRA, States’ Approaches & the Coogan Law

Some of the most comprehensive protections for child entertainers come from SAG-AFTRA, the primary union for media professionals in the United States. SAG-AFTRA’s collective bargaining agreements with production companies require that companies adhere to the standards delineated in SAG-AFTRA’s contracts as well as applicable state law regarding employment of minors.62SAG-AFTRA, supra note 31, at 17. Thus, SAG-AFTRA functions as the enforcer of its own standards for employing child performers; its collective bargaining agreements act as a bottleneck against potentially negligent or exploitative employment practices because production companies that are SAG-AFTRA signatories must comply with these standards in order to employ children with SAG-AFTRA membership.63SAG-AFTRA represents hundreds of thousands of media professionals. See About, SAG-AFTRA, https://www.sagaftra.org/about [https://web.archive.org/web/20241212142216/https://www.sagaftra.org/about]. Countless production companies, including particularly prominent companies like The Walt Disney Company, are SAG-AFTRA signatories. See Signatory Search, SAG-AFTRA, https://www.sagaftra.org/contracts-industry-resources/signatory-search [https://web.archive.org/web/20241213162220/https://www.sagaftra.org/contracts-industry-resources/signatory-search]. SAG-AFTRA restricts the working hours of child entertainers working anywhere in the United States, stipulating that minors may not work before 5:00 a.m. or after 10:00 p.m. on days preceding a school day (and may not work after 12:30 a.m. on mornings of non-school days); SAG-AFTRA further limits total working hours per school day to four hours for children ages six to eight, five hours for children ages nine to fifteen, and six hours for children ages sixteen and seventeen.64SAG-AFTRA, supra note 31, at 22. On non-school days, school-age minors may work up to two additional hours. Id. 
School days for SAG-AFTRA contract purposes conform to the public school calendar for the district where the minor resides, and SAG-AFTRA requires that school-age minors receive an average of at least three hours of educational instruction on school days.65Id. Minors between six months and two years old may work up to two hours while minors between two and five years old may work up to three hours; only preschool-age minors do not attend on-set school.66Id.

SAG-AFTRA’s protections for child actors’ compensation also conform to applicable state law, where present.67Id. at 9, 16–17, 32–33. Originally passed in California in 1939, the Coogan Law now requires that fifteen percent of all minors’ earnings for entertainment work be placed in a blocked trust account (known as a “Coogan Account”) accessible only by the minor once they reach adulthood.68Coogan Law, SAG-AFTRA, https://www.sagaftra.org/membership-benefits/young-performers/coogan-law [https://web.archive.org/web/20241213153939/https://www.sagaftra.org/membership-benefits/young-performers/coogan-law]. The law’s namesake, child actor Jackie Coogan, enjoyed a tremendously successful career in the 1920s after being discovered by Charlie Chaplin.69James Barron, Jackie Coogan, Child Star of Films, Dies at 69, N.Y. Times, Mar. 2, 1984 (§ B), at 5, https://timesmachine.nytimes.com/timesmachine/1984/03/02/026082.html [https://nyti.ms/3MjtcCP]. Coogan grew up on vaudeville stages, making his stage debut at sixteen months old. After his mother’s refusal to turn over more of his earnings, Coogan sued both her and his lawyer but eventually settled for only $35,000. Id. But despite Coogan’s millions of dollars in earnings as a child star, he only ever received a weekly allowance of $6.25 from his mother until, when Coogan turned twenty-one, she ultimately refused to ever turn over more of his earnings to him.70Id. Though intended to prevent exploitation like that Coogan suffered from befalling future young actors, the first iteration of the Coogan Law had critical gaps, including merely permitting, rather than mandating, trust accounts for child performers.71Coogan Law, supra note 69. 
It was precisely these gaps that enabled the parents of Shirley Temple herself to devote her earnings entirely to supporting their family of twelve even after the initial passage of the Coogan Law; after her acting career slowed down in her teenage years, the generation-defining star’s “only assets were a few thousand dollars and the deed to her dollhouse in the back yard [sic] of her parents’ Beverly Hills home.”72Peter M. Christiano, Saving Shirley Temple: An Attempt to Secure Financial Futures for Child Performers, 31 McGeorge L. Rev. 201, 205 (2000) (alteration in original) (internal quotation marks omitted). California closed the gaps in its Coogan Law in January 2000 following advocacy by SAG-AFTRA for unequivocal legal recognition that minors’ earnings from entertainment work are their own.73Coogan Law, supra note 69. Currently, New York, Illinois, Louisiana, and New Mexico all have trust-account mandates for child actors comparable to California’s Coogan Law.74Id.

Meanwhile, some states also have laws concerning child performers’ labor conditions in addition to compensation requirements and union protections. California mandates a maximum eight-hour workday for child entertainers in addition to three hours of on-set education for each weekday that children work; California also requires that a state-licensed teacher or welfare worker be present at all times on sets where child performers are working,75Jessica Gelt & Amy Kaufman, YouTube Star Piper Rockelle’s Mom Reaches $1.85-Million Settlement with Young Influencers, L.A. Times (Oct. 10, 2024, at 09:10 PT) [hereinafter Gelt & Kaufman, Settlement], https://www.latimes.com/entertainment-arts/story/2024-10-10/youtube-influencer-piper-rockelle-mother-lawsuit-settlement [https://web.archive.org/web/20241124201801/https://www.latimes.com/entertainment-arts/story/2024-10-10/youtube-influencer-piper-rockelle-mother-lawsuit-settlement]. and that adults obtain permits before employing children and ensure that a minor’s parent or guardian is within their sight and hearing range at all times that the minor is on set.76Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. In New York, employers of child entertainers working three or more consecutive days must provide a credentialed on-set teacher to ensure that state educational requirements for child entertainers are met.77SAG-AFTRA, supra note 31, at 20, 22.

3.  When Does the Home Become a Set?

State laws protecting child entertainers, however well-established, largely do not extend to kidfluencers—even in states like California, which has very strict regulations for child performers78Id. at 22–23. (PRI is located in Los Angeles and the Squad’s videos were filmed there79Complaint for Damages, supra note 2, at 5–6.). If we apply California and SAG-AFTRA’s labor regulations for child actors to PRI and the Squad, PRI—sometimes allegedly, other times admittedly—fell far short.80See SAG-AFTRA, supra note 31, at 20, 22–23. Smith did not obtain permits to work with the minors in the Squad.81Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. Some PRI plaintiffs claimed they worked up to twelve hours per day, seven days a week, without rest and meal breaks and without compensation.82Second Amended Complaint for Damages, supra note 2, at 43–44, 46. The mother of two plaintiffs, sisters, worried that one of her daughters “was falling behind in school because she wasn’t getting enough sleep” due to Smith’s demanding filming schedule.83Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. Some of the plaintiffs’ parents alleged that Smith “regularly forbade other adults from being on set”;84Id. Smith reportedly only ever “briefly” hired an on-set teacher for Squad members and “was uninterested in the children’s education,” even though none of the minors attended traditional in-person school during their years filming.85Id. After some of the plaintiffs’ parents hired a private tutor to work with the minors in Smith’s guesthouse, Smith “barged” into the guesthouse mid-lesson, “screaming” that the child currently studying needed to “report to set immediately” and that “she didn’t care whether the tutor’s hour wasn’t up.”86Id. The tutor left her position teaching the Squad after the incident.87Id. 
Plaintiffs also reported that Rockelle herself had significant educational gaps, claiming Rockelle, who has only ever been homeschooled,88Homeschooling in the United States is a largely unregulated practice, and some critics argue that the lack of oversight for homeschooling families threatens both children’s right to an effective education as well as their emotional and physical well-being. See generally Elizabeth Bartholet, Homeschooling: Parent Rights Absolutism vs. Child Rights to Education & Protection, 62 Ariz. L. Rev. 1 (2020) (pointing to correlations between homeschooling and instances of child abuse to illustrate the risks potentially inherent in a deregulated homeschooling regime). had trouble reading and “never” did schoolwork.89Kaufman & Gelt, Blockbuster Lawsuit, supra note 6.

Commenting on the allegations in the PRI lawsuit regarding failure to provide compensation as well as the maintenance of an oppressive work environment, plaintiffs’ attorney Matthew Sarelson remarked, “Imagine if these kids had been on a movie set for Lionsgate . . . . People would go to jail if this had happened at a studio.”90Id. But kidfluencers occupy a legal gray area existing somewhere between professional child performers and the kids-next-door getting together to make a funny video.91See id. And the PRI plaintiffs assert that that legal gray area has given rise to a “Wild West atmosphere of content creation” where adults can push children into extensive, high-profile content creation with little to no oversight.92Gelt & Kaufman, Settlement, supra note 76.

Throughout the PRI lawsuit, Smith emphasized that she “did not view her home as a workplace” nor herself as the plaintiffs’ employer; she described the Squad’s activities as “ ‘kids get[ting] together voluntarily to collaborate on making videos,’ ” a far cry, in her view, from a professional studio environment that would necessitate her compliance with state child labor laws.93Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. Smith’s lawyer commented, “There is tremendous uncertainty about what labor laws apply in the context of filming a YouTube video at home, with an iPhone . . . . At what point is that a professional production?”94Id. Meanwhile, Sarelson argued that “PRI should be treated no differently than a traditional production company” and expressed “hopes [that] the lawsuit sparks change in the social media space.”95Id. The PRI lawsuit also raised questions as to whether the plaintiffs’ parents should have obtained permits covering their children’s individual filming of their own content. Id. Some of PRI’s activities—including using a professional camera to film content and posting audition notices for young actors to film with Rockelle—could indicate that the corporation was effectively operating as a professional production company.96Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. But currently, no federal legislation exists delineating the line between making home videos and shooting professional social-media content.

B.  New Efforts: Expanding Child Labor Regulations to Cover Kidfluencers

A handful of states are beginning to enact labor protections for kidfluencers, underscoring the desire and need for a comprehensive, federal approach to kidfluencer regulation.97As of June 2025, sixteen states have introduced legislation to regulate kidfluencers in some form; this Note only addresses legislation already enacted at the time of writing. Kim Miller, Protecting Young Influencers: New Laws Protect Content Creators that Are Minors, MultiState (June 25, 2025), https://www.multistate.us/insider/2025/6/25/protecting-young-influencers-new-laws-protect-content-creators-that-are-minors [https://perma.cc/TD94-8TAF]. In July 2025, Minnesota enacted some of the most significant kidfluencer regulations so far: not only does the state now mandate protected trust accounts to safeguard kidfluencers’ earnings, but it also prohibits children less than fourteen years old from appearing in monetized content at all.98H.F. 3488, 93rd Leg., 93rd Sess. (Minn. 2024). Instead of designing its law solely as a means of “legitimizing” kidfluencers as akin to child entertainers, University of Minnesota Law School Dean William McGeveran said Minnesota “ ‘set [its law] up as almost a child labor law. . . . It’s about kids needing to be able to be paid for work that they do . . . . And if they’re 13 and under, kids can’t work in the ice cream shop and they can’t work in their parents’ content creation either.’ ”99Caroline Cummings, New Minnesota Law Sets Guardrails for Children of Content Creators Featured in Monetized Videos, CBS News (July 2, 2025, at 21:27 CT), https://www.cbsnews.com/minnesota/news/minnesota-law-children-content-creators-monetized-videos-guards [https://perma.cc/R9BU-68ST]. Minnesota’s statute does not enshrine any further labor regulations for kidfluencers over fourteen beyond protecting their earnings.

For the other six states that now protect kidfluencers’ labor, their measures are limited to regulating kidfluencers’ compensation. In July 2024, Illinois became the first U.S. state to enact laws expressly protecting kidfluencers’ earnings.100Katie Kindelan, Illinois Becomes 1st State to Regulate Kid Influencers: What to Know About the Law, ABC News (Aug. 14, 2023, at 14:36 PT), https://abcnews.go.com/GMA/Family/illinois-1st-state-regulate-kid-influencers-law/story?id=102259218 [https://perma.cc/N9G8-U2UA]. Content creators in Illinois must now set aside a portion of earnings in a protected trust account for all minors age sixteen and under who appear in at least thirty percent of their monetized content.101Id. Illinois Senator Dave Koehler, who introduced the law, took action after Shreya Nallamothu, a fifteen-year-old high school student in his district, alerted him to the issue of young children being featured extensively online with no labor protections for them in place.102Press Release, Koehler, supra note 24. “This new digital age has given us tremendous opportunities to connect with one another, but it’s also presented legal issues that have never existed before,” said Koehler.103Kindelan, supra note 101. “We need to work with our children to see the problems they face and tackle them head-on before any further harm is done.”104Id.

The Illinois law protects earnings for minors under the age of sixteen while stipulating that minors under sixteen who produce their own videos are not considered “vlogger[s]” subject to the compensation and record-keeping requirements established by the law.105820 Ill. Comp. Stat. Ann. 206/10 (West 2025). The law explicitly includes “famil[ies]” in its definition of “vlogger[s],” thus requiring parents who produce content featuring their own children (as well as any other children) to set aside the minors’ earnings if their inclusion reaches the specified threshold. The law also amends Illinois’ Child Labor Law by allowing teenagers who are at least eighteen years old to take legal action against their parents for failing to compensate them in accordance with the new requirements.106Amanda Anderson, Illinois Enacts Law Protecting “Child Influencers,” 4A’s (Aug. 23, 2023, at 11:38 PT), https://www.aaaa.org/illinois-enacts-law-protecting-child-influencers [https://web.archive.org/web/20240703060538/https://www.aaaa.org/illinois-enacts-law-protecting-child-influencers]. In response to the law, University of Alabama professor of digital media Jessica Maddox called the legislation “long overdue” and pushed for other states to take similar steps as well as expand protections to allow eighteen-year-olds to petition for the removal of social-media content that features them.107Kindelan, supra note 101. Emphasizing the need for regulations that adequately measure up to the reality of the kidfluencer phenomenon, Maddox commented:

[Kidfluencing and vlogging] are actual jobs, possible ways of earning income, that need protection . . . . Since there aren’t unions, there isn’t systemic protection in terms of laws, that is why Illinois law is super important for setting the precedent that this type of labor needs to be protected, especially for minors.108Kindelan, supra note 101 (errors in the original).

Meanwhile, on September 26, 2024, California Governor Gavin Newsom signed legislation expressly expanding the state’s Coogan Law to cover kidfluencers sharing content on YouTube and similar platforms.109Press Release, Gavin Newsom, Governor, Governor Newsom Joins Demi Lovato to Sign Legislation to Protect the Financial Security of Child Influencers (Sept. 26, 2024), https://www.gov.ca.gov/2024/09/26/governor-newsom-joins-demi-lovato-to-sign-legislation-to-protect-the-financial-security-of-child-influencers [https://perma.cc/WHW9-HU8A]. The bill in question, AB 1880, defines “content creator” as “an individual who creates, posts, shares, or otherwise interacts with digital content on an online platform,” including “vloggers, podcasters, social media influencers, and streamers”; “online platform” is defined as “any public-facing website, web application, or digital application.”110Assemb. B. 1880, 2023–2024 Reg. Sess. (Cal. 2024). Regarding Governor Newsom’s support for the bill, bill author Assemblymember Juan Alanis remarked:

I thank Governor Newsom for signing AB 1880 and for his commitment to addressing the unique challenges minors face as online content creators in the rapidly growing digital entertainment industry. Child content creators deserve the same protections under the Coogan Law as their counterparts in traditional entertainment. With this bill, California takes a significant step in protecting the financial rights and well-being of child online influencers by extending critical protections against exploitation and ensuring they receive a fair share of earnings from their content.111Press Release, Newsom, supra note 110.

Former child actor and successful musician Demi Lovato championed the bill as a critical step toward “grant[ing] agency” to kidfluencers upon reaching adulthood.112Id.

Signed alongside AB 1880 was SB 764,113Id. the Child Content Creator Rights Act (“CCCRA”), authored by Senator Steve Padilla.114Press Release, Padilla, supra note 20. The CCCRA stipulates that video bloggers (“vloggers”) engage a minor “in the work of vlogging” when at least thirty percent of the vlogger’s monetized visual content includes “the likeness, name, or photograph of the minor.”115S.B. 764, 2023–2024 Reg. Sess. (Cal. 2024). Vloggers engaging minors in vlogging work under the definition of the CCCRA are required to keep detailed records of the minor’s age during the vlogging period and the extent of their appearance in and compensation for monetized content.116Id. Contracts for vlogging work between a minor and their parent must be approved by a court to avoid application of the bill’s terms; “[i]n determining whether to approve such a contract, the court shall consider whether the terms of the contract are at least as beneficial to the minor as the compensation the minor would otherwise receive under [the CCCRA].”117Id.

And as of May 2025, Utah now also mandates protected trust accounts for kidfluencers.118H.B. 322, 66th Leg., 2025 Gen. Sess. (Utah 2025). With similar provisions to those in California and Illinois, Utah’s law also lays out procedures for managing kidfluencers’ trusts and requires that content creators “inform a minor’s parents that the minor is featured” in their content if, as in the PRI lawsuit, the creator is not themselves the minor’s parent.119Id. In the same vein, Virginia, Arkansas, and Montana all enacted kidfluencer laws in 2025, and each state focused its labor protections for kidfluencers on compensation safeguards, mandating Coogan Account-esque trusts for kidfluencers appearing in a certain percentage of creators’ content.120H.B. 2401, 2025 Gen. Assemb., Reg. Sess. (Va. 2025); H.B. 1975, 95th Gen. Assemb., Reg. Sess. (Ark. 2025); H.B. 392, 69th Leg., Reg. Sess. (Mont. 2025).

As lawmakers in California, Minnesota, Illinois, Utah, Arkansas, Montana, and Virginia have recognized, kidfluencing is a job, plain and simple. It demands the same safeguards against labor exploitation that are accepted throughout the United States for children in traditional entertainment jobs, along with additional protections that are necessary to address issues unique to kidfluencing. Thus, while the recent legislation in these states represents important progress, much more robust protections for kidfluencers—regulations modeled after California’s existing laws for child actors—are needed. Because of the geographic flexibility inherent in kidfluencer work, such protection is needed at the federal level to be fully comprehensive; further, kidfluencer regulations must not only mandate safeguards to compensation, but also ensure limits on working hours, guaranteed access to education, on-set supervision and advocacy, and the obtainment of permits to employ minors. As it stands today, even for kidfluencers now protected from financial exploitation in a handful of states, the rest of their working conditions remain largely unregulated—as does their privacy.

III.  REGULATING THE PRIVACY OF KIDFLUENCERS

Growing up in the pop culture spotlight compromises a child’s privacy and reputation in ways that can be painful and enduring. As child actor Jennette McCurdy put it, “Growing is wobbly and full of mistakes, especially as a teenager—mistakes that you certainly don’t want to make in the public eye, let alone be known for for the rest of your life. But that’s what happens when you’re a child star.”121McCurdy, supra note 32, at 121. And for kidfluencers, the extent to which their privacy and reputations are at stake is much greater. For Shirley Temple and Judy Garland, while the laws protecting them were still woefully inadequate, the personal information they shared with the public was limited to their performances as fictional characters, filmed on a soundstage by a camera that never followed them home. But for kidfluencers, the camera lives at home. Nothing is off-limits and every experience, every mistake, every embarrassment is potential content with dollar signs attached to it.

If labor regulations for kidfluencers are largely undeveloped, laws protecting kidfluencers’ privacy seem like less than an afterthought—perhaps even conceptually oxymoronic given that the point of kidfluencer content, in general, is to share children’s personal lives online. Even as lawmakers take steps to protect children as Internet users, kidfluencers are nowhere to be found in their policies. Though states have common law rights to privacy and publicity and a 1998 federal act regulates online platforms’ collection of children’s personal data, these rights can all generally be waived with consent—and for children, the consenting parties are their parents. Meanwhile, online platforms typically limit accounts to users aged thirteen and older, but given the numerous active kidfluencer accounts heavily featuring children under thirteen, platforms do not appear to restrict accounts that overwhelmingly feature children if the accounts are set up and managed by adults. These gaping loopholes in existing rights and policies allow kidfluencer accounts to thrive unchecked,122Notably, Piper Rockelle’s YouTube channel was only demonetized by YouTube in 2022 after the PRI lawsuit’s filing, despite the account being at least four years old by that point, having a significant viewership and presence on the platform, and having primarily featured children under the age of thirteen for an extended period. Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. leading to severe, long-term harm to and exploitation of kidfluencers that society is likely only beginning to reckon with.123See generally KUTV 2 News Salt Lake City, supra note 1 (depicting a former kidfluencer sharing her personal experience with the Utah Legislative Committee).

A.  Privacy Regulations for Children as Users Online

1.  Existing and Proposed Federal Regulations for Children Online

i.  The Children’s Online Privacy Protection Act of 1998

The Children’s Online Privacy Protection Act of 1998 (“COPPA”) is the primary set of federal regulations concerning children’s online privacy, covering consent and notice requirements for online platforms and entities that collect personal data from children.124Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6502. COPPA’s “primary goal . . . is to place parents in control over what information is collected from their young children online,”125Complying with COPPA: Frequently Asked Questions, Fed. Trade Comm’n (Jan. 2025), https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions [https://perma.cc/S7LY-253R]. and it focuses on protecting children as users of online platforms as opposed to children appearing in online content. COPPA requires the Federal Trade Commission (“FTC”) to regulate online collection of children’s data and was last amended in 2013 in an effort to keep up with advancing technology.126Id. Kidfluencers are not explicitly covered by COPPA or any other federal law.

As a protective measure for children who are merely consumers of online content, COPPA is reasonably comprehensive (though it needs continuous updates to remain effective). Its critical failure as a protective measure for kidfluencers, however, lies in its parental-consent-based structure—and in the fact that it makes no actual mention of kidfluencers at all. COPPA only applies to children under thirteen and requires that online entities obtain parental consent before collecting personal data from children. COPPA prohibits “unfair and deceptive acts and practices in connection with the collection and use of personal information from and about children on the Internet.”12715 U.S.C. § 6502. The act applies to websites or online services “directed to children”; in determining whether a given platform qualifies under this standard, the FTC considers the platform’s “subject matter,” “use of . . . child-oriented activities and incentives,” and “presence of child celebrities” as among relevant factors.128Children’s Online Privacy Protection Rule, 16 C.F.R. § 312.2 (2025). COPPA defines “collection” as “the gathering of any personal information from a child by any means, including . . . [r]equesting, prompting, or encouraging a child to submit personal information online,” “[e]nabling a child to make personal information publicly available,” and “[p]assive tracking of a child online.”129Id. “[P]ersonal information” under COPPA includes identifiers like first and last name, physical address, and a “photograph, video, or audio file where such file contains a child’s image or voice.”130Id. “Child” under COPPA includes only “individual[s] under the age of 13.”131Id.

Before online entities collect personal data from a child, COPPA requires that the child’s parent receive adequate notice about the information collected and its intended use and that the parent consent to such collection.132Id. Online platforms also must provide parents with a “reasonable means . . . to review the personal information collected . . . and to refuse to permit its further use or maintenance.”133Id. § 312.3. COPPA specifies that any means employed for parents to review collected information cannot be “unduly burdensome” to the parent and asserts that parents have the right to “at any time . . . refuse to permit . . . further use or future online collection of personal information . . . and to direct the [online platform] to delete the child’s personal information.”134Id. § 312.6. Platforms have the right to terminate a child’s use of their services if the child’s parent revokes consent and requests deletion of collected information.135Complying with COPPA: Frequently Asked Questions, supra note 126. Platforms also must only retain children’s information for “as long as is reasonably necessary to fulfill the purpose for which the information was collected.”136Id.

Lastly, COPPA includes safe harbor provisions, allowing online entities that follow approved sets of self-regulatory guidelines to be deemed compliant with COPPA and eligible for safe harbor treatment shielding them from potential liability.13715 U.S.C. § 6503.

ii.  COPPA 2.0

In May 2023, U.S. Senator Edward Markey, the author of COPPA, alongside Senator Bill Cassidy, introduced a new version of COPPA, “COPPA 2.0.”138Press Release, Edward Markey, Sen., Senator Markey Celebrates COPPA 2.0’s Unopposed Advancement Through Commerce Committee, Leap Forward in Protecting Young Americans Online (July 27, 2023), https://www.markey.senate.gov/news/press-releases/senator-markey-celebrates-coppa-20s-unopposed-advancement-through-commerce-committee-leap-forward-in-protecting-young-americans-online [https://perma.cc/VV9P-7WX7]. After the Senate Commerce, Science, and Transportation Committee unanimously advanced COPPA 2.0 in July 2023, the Senate passed the bill in August 2024.139Press Release, U.S. Senate Comm. on Com., Sci. & Transp., Senate Overwhelmingly Passes Children’s Online Privacy Legislation (July 30, 2024), https://www.commerce.senate.gov/index.php/2024/7/senate-overwhelmingly-passes-children-s-online-privacy-legislation [https://perma.cc/2L8P-JBEW]. Senators Markey and Cassidy then reintroduced the bill in March 2025.140Press Release, Edward Markey, Sen., Senators Markey and Cassidy Reintroduce Children and Teen’s Online Privacy Protection Legislation (March 4, 2025), https://www.markey.senate.gov/news/press-releases/senators-markey-and-cassidy-reintroduce-children-and-teens-online-privacy-protection-legislation [https://perma.cc/EJH6-487W]. In early 2024, COPPA 2.0 cosponsor Senator Ted Cruz described the bill’s purpose as ensuring that no child leaves behind a digital footprint:

When Congress first passed the Children’s Online Privacy Protection Act, Americans were using dial-up to search “Ask Jeeves” instead of Google. Now, kids can access the Internet in the palm of their hands, and tech companies routinely surveil and target America’s youth. I’m proud to have worked with Sens. Markey, Cantwell, and Cassidy on bipartisan legislation to empower parents to safeguard their children’s online privacy and hold tech companies responsible for keeping minors safe from data collection. Every child deserves to grow up free of a digital footprint, and this bipartisan legislation is one step closer to achieving that goal.141Press Release, Ed Markey, Sen., Senators Markey, Cassidy Announce Chair Cantwell and Ranking Member Cruz as Cosponsors of COPPA 2.0 Children’s Privacy Legislation (Feb. 15, 2024) [hereinafter Markey, Announce Chair] (emphasis added), https://www.markey.senate.gov/news/press-releases/senators-markey-cassidy-announce-chair-cantwell-and-ranking-member-cruz-as-cosponsors-of-coppa-20-childrens-privacy-legislation [https://perma.cc/RQ9V-3867].

Championed as a means of bringing “children and teen’s online privacy standards into the 21st century,”142Id. COPPA 2.0 enumerates additional categories of online platforms, including mobile applications,143Children and Teens’ Online Privacy Protection Act, S. 1418, 118th Cong. § 2(a)(1), (3) (2024). and forms of personal data, including biological and physiological information.144Id. § 2(a)(3). Most significantly, however, COPPA 2.0 creates an entirely new class of protected minors: teenagers between thirteen and sixteen years old.145Id. § 2(a)(6). Under COPPA 2.0, teenagers—not their parents—consent to collection of their own personal data and are empowered to request review of collected data as well as revoke consent for data collection.146Id. § 2(a)(4). COPPA 2.0 preserves the original COPPA’s structure in giving parents the right to consent to collection of data from minors younger than thirteen. See id. However, COPPA 2.0 does not permit teenagers to withdraw consent for their own data that was collected with their parents’ consent before they turned thirteen.147See id. The omission of this right, under either iteration of COPPA, is particularly sobering in the kidfluencer context because it prevents kidfluencers from compelling platforms to remove their data, collected before age thirteen, in the event that their parents cannot or will not do so.

2.  Online Platforms’ User Age Restrictions

The largest social-media platforms typically require users to be at least thirteen years old,148Catherine Page Jeffery, Opinion, Is 13 Too Young to Have a TikTok or Instagram Account?, U. Syd. (Feb. 10, 2023), https://www.sydney.edu.au/news-opinion/news/2023/02/10/is-13-too-young-to-have-a-tiktok-or-instagram-account-.html [https://perma.cc/22EQ-UXZC]. This age restriction requirement stems from COPPA itself. though caveats to this rule exist. YouTube’s terms of service specify that users “must be at least 13 years old to use [YouTube]; however children of all ages may use [YouTube and YouTube Kids] . . . if enabled by a parent or legal guardian.”149Terms of Service, YouTube, https://kids.youtube.com/t/terms [https://perma.cc/M8UG-BPK9]. TikTok requires users to be at least thirteen years old,150Teen Privacy and Safety Settings, TikTok, https://support.tiktok.com/en/account-and-privacy/account-privacy-settings/privacy-and-safety-settings-for-users-under-age-18 [https://perma.cc/AX2B-WBGX]. and TikTok’s settings default accounts associated with minor users to private mode; TikTok users ages sixteen and seventeen can choose to make their accounts public.151Id.

Instagram also requires that users be at least thirteen;152About Instagram Teen Privacy and Safety Settings, Instagram Help Ctr., https://help.instagram.com/3237561506542117 [https://web.archive.org/web/20240905015036/https://help.instagram.com/3237561506542117]. on September 17, 2024, Instagram began defaulting all accounts created by users who indicated they are under eighteen to private mode.153Natasha Singer, Instagram’s New ‘Teen Accounts’: What Parents and Kids Need to Know, N.Y. Times (Sept. 17, 2024), https://www.nytimes.com/2024/09/17/technology/instagram-teen-account-settings-safety.html [https://web.archive.org/web/20241208195819/https://www.nytimes.com/2024/09/17/technology/instagram-teen-account-settings-safety.html]. These changes, which Instagram says are being “rolled out on an individual basis,”154About Instagram Teen Privacy and Safety Settings, supra note 153. are part of Instagram’s new “Teen Accounts” initiative promoted as a means of increasing safety for minors using the platform.155Singer, supra note 154. Under the “Teen Accounts” setup, users ages sixteen and seventeen can change the default privacy setting themselves to make their accounts public; minors under sixteen need their parents’ permission to do so.156Id.

It is not clear whether Instagram’s recent changes will affect accounts that feature minors but are at least ostensibly managed by an adult (as most kidfluencer accounts typically are); however, Instagram makes no mention of such accounts in its communications about this new measure, while stipulating that the “Teen Accounts” setup applies to “users.” Thus, even as platforms begin rolling out age restrictions, kidfluencer accounts continue to occupy a gray area outside of the growing spotlight on child social-media users.

B.  Relevance and Current Limitations of the Common Law Rights of Privacy and Publicity

In the United States, the common law rights of privacy and publicity are “distinct” from one another and “intended to vindicate different interests,” though the latter initially evolved out of the former.157Montgomery v. Montgomery, 60 S.W.3d 524, 528 (Ky. 2001) (quoting Steven M. Fleischer, The Right of Publicity: Preventing an Identity Crisis, 27 N. Ky. L. Rev. 985, 988 (2000)). While the right of publicity enshrines the “right to control the commercial value of one’s identity,”158Id. the right of privacy “protects one’s right ‘to be let alone.’ ”159Id. (quoting Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 195 (1890)); see also Haelan Lab’ys, Inc. v. Topps Chewing Gum, Inc., 202 F.2d 866, 868 (2d Cir. 1953). Haelan Laboratories was the first U.S. case to explicitly distinguish the rights to privacy and publicity and emphasized the differences between economic and personal privacy interests as necessitating separate rights for each. See Sophie Polo, Note, The Unregulated Digital Playground: Why Kids Need Right of Publicity Protections from Their Parents, 31 J. Intell. Prop. L. 138, 141–42 (2024). The common law right of privacy comprises four tort causes of action: intrusion upon seclusion, public disclosure of private facts, false light, and appropriation.160Samuel Soopper, The First Amendment Privilege and Public Disclosure of Private Facts, 25 Cath. U.L. Rev. 271, 271 n.5 (1976).

The common law right of publicity developed out of both the right of privacy and intellectual property law, and has existed formally in the United States since the 1970s.161Mark Roesler & Garrett Hutchinson, What’s in a Name, Likeness, and Image? The Case for a Federal Right of Publicity Law, A.B.A. (Sept. 16, 2020), https://www.americanbar.org/groups/intellectual_property_law/publications/landslide/2020-21/september-october/what-s-in-a-name-likeness-image-case-for-federal-right-of-publicity-law [https://web.archive.org/web/20241204093931/https://www.americanbar.org/groups/intellectual_property_law/publications/landslide/2020-21/september-october/what-s-in-a-name-likeness-image-case-for-federal-right-of-publicity-law]. While the United States Supreme Court recognized the existence of the right of publicity in 1977 in Zacchini v. Scripps-Howard Broadcasting Co.,162Zacchini v. Scripps-Howard Broad. Co., 433 U.S. 562, 564–65 (1977). there is no federal right of publicity; rather, the right of publicity exists at the state level and is currently recognized in thirty-five states, including California.163Roesler & Hutchinson, supra note 162. The right of publicity stipulates that individuals have a common law right against appropriation of “the commercial value of [their] identity . . . without consent”;164Polo, supra note 160, at 141 (quoting Restatement (Third) of Unfair Competition § 46 (A.L.I. 1995)). inherent in the right is the recognition that “an individual’s likeness” is that individual’s “own property.”165Roesler & Hutchinson, supra note 162. The right of publicity is based on three core justifications: (1) the right to “reap the fruit of [one’s] labors,” connected to concerns about unjust enrichment;166Cristina Fernandez, The Right of Publicity on the Internet, 8 Marq. Sports L.J. 289, 314 (1998) (quoting Michael Madow, Private Ownership of Public Image: Popular Culture and Publicity Rights, 81 Calif. L. Rev. 125, 178 (1993)). (2) the “copyright-incentive theory” that the law must protect the individual’s persona so as to promote creative artistry; and (3) the need to protect “consumer[s] from advertising deception.”167Id. Section 3344 of the California Civil Code (“section 3344”) codifies California’s common law right of publicity and prohibits use of another’s image or “likeness” for profit without consent.168Cal. Civ. Code § 3344(a) (West 2023). For minors, however, it is precisely the element of “consent” that is likely to prove most challenging if and when section 3344 is invoked to protect their rights, for the law expressly recognizes consent by a minor’s parent or guardian as equivalent to the minor’s own consent.169Id.

While the PRI lawsuit is currently unique, it illustrates how disputes over consent are likely to be central to any efforts to protect kidfluencers’ privacy and publicity rights under the common law and corresponding statutes. Three plaintiffs in the PRI lawsuit alleged violations of both section 3344 and California’s common law right of publicity;170Second Amended Complaint for Damages, supra note 2, at 24–26. Smith argued that she could not be liable under section 3344 and the common law precisely because the parents of the three plaintiffs had consented to the use of their children’s likenesses for commercial purposes on Rockelle’s channel.171Defendants’ Notice of Motion and Motion for Summary Judgment or, in the Alternative, Motion for Summary Adjudication of Issues at 5–7, Sawyer S. v. Smith, No. 22STCV01351 (Cal. Super. Ct. 2024). The plaintiffs disputed the fact of such consent172Plaintiffs’ Consolidated Memorandum of Points & Authorities in Opposition to Defendants’ Motions for Summary Judgment or, in the Alternative, Motion for Summary Adjudication of the Issues at 3–5, Sawyer S. v. Smith, No. 22STCV01351 (Cal. Super. Ct. 2024). and, in denying summary judgment in March 2024, the Superior Court of California ruled that these claims created issues of triable fact. Presumably, parents of the other eight plaintiffs had consented to use of their children’s likenesses for profit by Smith and PRI. And given that no plaintiff ever alleged that their parent had no knowledge whatsoever of their appearance in videos on Rockelle’s channel, it follows that the parents of the three children alleging publicity violations simply may not have given meaningful consent.

At least for situations like the ones in which these three PRI plaintiffs found themselves, requiring that online platforms verify meaningful consent and notice by kidfluencers or their parents to use of the child’s likeness in monetized content would counteract harm. But still further, the lack of application of recognized privacy and publicity rights to the kidfluencer context as well as the parental-consent waiver’s potential for conflicts of interest in that context is representative of the current limitations of existing laws. Looking at the plain language and spirit of the recognized rights of privacy and publicity alongside the raw reality of the kidfluencer phenomenon, as typified by the PRI lawsuit, it follows not only that our society and legal system should care about protecting kidfluencers’ privacy and publicity rights, but that we in fact do care about it. However, our society has not yet recognized how our concern for privacy and publicity rights implicates kidfluencers due to their novelty; and it would likely take years of litigation—and kidfluencer exploitation—before the common law could produce a legal framework appropriate for the competing claims of parents and kidfluencers to control over the child’s rights to privacy and publicity.

C.  Falling Through the Gaps: Protecting Kidfluencers’ Privacy

1.  Kidfluencing’s Unique Threat to Privacy

The Senate’s passage of COPPA 2.0 indicates a strong desire on the part of lawmakers to protect children online. But thus far, kidfluencers are missing entirely from that conversation—and to disastrous results. The types of information COPPA and COPPA 2.0 mention specifically as constituting “personal” data worth protecting—full names, online contact information, photographs, video and audio files containing a child’s image or voice, geolocation information, and more—are available in droves on kidfluencer accounts. And even as social-media platforms place age restrictions on users, kidfluencer accounts need only include a few words claiming to be managed by a parent in their description to post massive amounts of kidfluencer content to vast online audiences without constraint.

And kidfluencers’ audiences grow more dangerous as their accounts gain traction: in early 2024, the New York Times published an in-depth investigation into kidfluencers’ follower demographics, and the results are sobering. The proportion of kidfluencer account followers who are adult males grows “dramatically” as accounts grow in popularity.173Valentino-DeVries & Keller, supra note 19. While men made up approximately 35 percent of kidfluencer audiences overall, “[m]any [accounts] with more than 100,000 followers had a male audience of over 75 percent,” while some had over 90 percent.174Id. The Times discovered men previously charged with or convicted of sex crimes among kidfluencer followers and found that some of these men participated in chat rooms with thousands of members, “treat[ing] children’s Instagram pages . . . as menus to satisfy their fantasies.”175Id.

While some parents are ignorant of the dangers posed by their children’s audiences,176See id. others have grown “numb” trying to beat back the unending tide of suspicious followers.177Id.

    “You are so sexy,” read one comment on an image of a 5-year-old girl in a ruffled bikini. “Those two little things look great thru ur top,” said another on a video of a girl dancing in a white cropped shirt, who months later posted pictures of her 11th birthday party.

    For many mom-run accounts, comments from men—admiring, suggestive or explicit—are a recurring scourge to be eradicated, or an inescapable fact of life to be ignored. For others, they are a source to be tapped.

    “The first thing I do when I wake up and the last thing I do when I go to bed is block accounts,” said Lynn, the mother of a 6-year-old girl in Florida who has about 3,000 followers from the dance world.

    Another mother, Gail from Texas, described being desensitized to the men’s messages. “I don’t have as much of an emotional response anymore,” she said. “It’s weird to be so numb to that, but the quantity is just astounding.”178Id.

Still other parents are taking knowing advantage of this population: men in the chat rooms that the Times uncovered “frequently praise[d] the advent of Instagram as a golden age for child exploitation” and “trade[d] information about parents considered receptive to producing and selling ‘private sets’ of images.”179Id. And among the allegations in the PRI lawsuit was a claim by one plaintiff that she accompanied Smith in mailing “several of Piper’s soiled training bras and panties to an unknown individual,” whereupon Smith told the plaintiff that “old men like to smell this stuff.”180Complaint for Damages, supra note 2, at 14. Plaintiffs also alleged that Smith often “boast[ed] . . . about being the ‘Madam of YouTube’ ” and a “Pimp of YouTube,” and about making “kiddie porn.”181Id. at 13.

Rockelle’s content and the PRI plaintiffs’ allegations paint a stark picture of the rampant sharing of invasive kidfluencer content carrying on unchecked throughout social media. For the members of the Squad, their experience working with PRI shares themes with Jennette McCurdy’s recollection of losing her childhood, autonomy, and privacy to child stardom. The Squad made countless videos centered around the group’s internal “crushes” and these videos performed much more strongly than the more innocent videos from Rockelle’s early days.182Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. Smith and Hill documented Rockelle’s first kiss on camera at age eleven183Piper Rockelle, Recreating Famous Instagram Couples Photos Challenge **First Kiss**💋💕 | Piper Rockelle (YouTube, May 18, 2019) [hereinafter Rockelle, Recreating Famous Instagram Couples], https://www.youtube.com/watch?v=l7ocyA76zfw [https://perma.cc/4YPN-7G69]. and filmed challenges among the Squad in which the minors competed to see who could kiss without stopping for the longest period of time.184Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. The mother of two PRI plaintiffs, who is also Rockelle’s aunt, claimed that Smith sent Rockelle “a daily iPhone checklist cataloging the attention she needed to pay to her boyfriend, including sending him heart emojis [and] giving regular kisses, hugs and loving touches.”185Id.

In addition to the suggestive video content on Rockelle’s channel, the thumbnail images for the videos themselves are clearly set up to provide shock value and drive an increase in viewership. The mother of one PRI plaintiff alleged that Smith “often urged [plaintiffs] to pose more provocatively for thumbnail photo shoots,” 186Id. and the lawsuit claimed that Smith, declaring that “sex sells,” “would frequently tell [the Squad members] to make ‘sexy kissing faces’ for thumbnails, to ‘push their butts out,’ to ‘suck their stomachs in,’ ‘wear something sluttier’ and would otherwise position [the p]laintiffs’ bodies in explicitly and sexually suggestive positions.”187Second Amended Complaint for Damages, supra note 2, at 13–14. As a result, minors are frequently depicted in provocative, revealing, or otherwise exploitative positions and situations in Rockelle’s thumbnails.

Image 3. Video on Piper Rockelle’s YouTube Channel, Featuring Eleven-Year-Olds188Piper Rockelle, I Spent 24 Hours Overnight in My Boyfriends Bedroom **Caught**💋 | Piper Rockelle (YouTube, Mar. 23, 2019), https://www.youtube.com/watch?v=EJxmFsmwMOQ [https://perma.cc/82HR-QG2F]. As of November 2025, this video has 4.5 million views. Id.

Image 4. Video on Piper Rockelle’s YouTube Channel, Featuring Eleven-Year-Olds189Rockelle, Asking Strangers to Be My Boyfriend, supra note 16. As of this writing, this video has 9.9 million views. Id.

Image 5. Video on Piper Rockelle’s YouTube Channel, Featuring Eleven-Year-Olds190Rockelle, Recreating Famous Instagram Couples, supra note 184. As of November 2025, this video has 10 million views. Id.

Image 6. Video on Piper Rockelle’s YouTube Channel, Featuring Eleven-Year-Olds191Piper Rockelle, Handcuffed to My Boyfriend for 24 Hours Challenge *Bad Idea*❤️🗝 | Piper Rockelle (YouTube, Mar. 16, 2019), https://www.youtube.com/watch?v=lcCHCOrngjU [https://perma.cc/NS8J-PJGE]. As of November 2025, this video has 4.6 million views. Id.

The following YouTube video thumbnail images are merely described herein to protect the privacy of the minors featured in them:

Six teenagers (four female, two male), aged thirteen to seventeen, photoshopped to appear crowded together inside a bubble bath. The two male teenagers are shirtless, while the female teenagers appear to be wearing tank tops. The female teenager in the center has her hair arranged covering the straps of her tank top. The video is entitled “LAST TO LEAVE THE BUBBLE BATH!!” and has 2.3 million views.192Rockelle, Last to Leave, supra note 42.

Six teenagers (three female, three male), aged twelve to fifteen, arranged in co-educational pairs, each in one of three horizontal panels. Each female is touching her male counterpart. The male in the center panel is shirtless and his female counterpart is touching his bare torso. The video is entitled “LAST TO STOP MASSAGING THEIR BOYFRIEND WINS **Couples Challenge** 💆‍♀️💕” and has 1.9 million views.193Rockelle, Last to Stop, supra note 42.

One female aged eleven pictured in a cropped shirt pointing at her navel. A fake piercing is attached to her navel and a yellow circle is superimposed around her stomach while a zoomed-in image of her navel with the piercing appears in the right-hand side of the thumbnail. In the center of the thumbnail, the words “11 YEARS OLD!!” appear in large block lettering. The video is entitled “11 YEAR OLD BELLY PIERCED **PRANK** (Can’t Say No 24 Hour Challenge) 🚫👌” and has 4.6 million views.194Rockelle, Belly Pierced, supra note 15.

Two females, aged eleven and twelve, wearing fake “baby bumps” designed to look like a pregnant woman’s belly with their shirts raised to expose the bumps. The video’s description includes the note, “We are only 11 and 12 so [this is] a pretty crazy challenge for us.” The video is entitled “24 Hours Being PREGNANT Challenge in PUBLIC with TWINS **FUNNY REACTIONS** 🍼🎀” and has 14 million views.195Piper Rockelle, 24 Hours Being Pregnant Challenge in Public with Twins **Funny Reactions**🍼🎀 | Piper Rockelle (YouTube, July 20, 2019), https://www.youtube.com/watch?v=pwUvDl85-oQ [https://perma.cc/9XRV-K5X2] (on file with the author).

According to the Los Angeles Times’ investigation of the PRI lawsuit, PRI’s videos chronicling the Squad’s “crushes” performed the best with Rockelle’s online audience.196Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. This data combined with the New York Times’ findings regarding dangerous followers of kidfluencers reflect the significant market that exists for kidfluencer content that is sensitive at best and criminal at worst. If, in the words of COPPA 2.0 cosponsor Senator Ted Cruz, “[e]very child deserves to grow up free of a digital footprint,”197Markey, Announce Chair, supra note 142. the law is currently failing kidfluencers to a staggering degree.

Further, even content that perhaps falls short of the hallmark suggestiveness of Rockelle’s brand victimizes kidfluencers—according to some kidfluencers themselves. In July 2023, Ruby Franke, former figurehead of the now-defunct YouTube channel “8 Passengers,” made headlines when her two youngest children, then ages nine and twelve, were found emaciated and wounded.198Caitlin Moscatello, The Truths and Distortions of Ruby Franke: She Broadcast Her Family’s Wholesome Life on YouTube. How Did She End Up Abusing Her Children?, The Cut (Sept. 24, 2024), https://www.thecut.com/article/ruby-franke-8-passengers-jodi-hildebrandt-connexions-children-jail-update.html [https://web.archive.org/web/20240925042742/https://www.thecut.com/article/ruby-franke-8-passengers-jodi-hildebrandt-connexions-children-jail-update.html]. The children had been imprisoned and suffered months of abuse by both Franke and her business partner Jodi Hildebrandt.199Id. Franke had stopped posting videos of her children over a year before, changing the name of her channel to “Moms of Truth” and posting solemn videos alongside Hildebrandt discussing parenting strategies and religion. But in the 8 Passengers heyday, Franke posted videos of her family of eight almost daily, chronicling her six children’s lives as they grew up in front of an audience of up to two million subscribers.200Id.

By 2022, 8 Passengers viewers had started to grow concerned about Franke’s behavior—while the harrowing nature of Franke’s eventual abuse would have been impossible for viewers to predict, many subscribers began to notice that Franke showed an indifference, at best, to her children’s privacy.201Id. Franke spoke at length in her YouTube videos about sensitive matters in her children’s lives; over the course of several videos, she described in-depth her and her husband Kevin’s decision to send their oldest son, then fourteen, to a behavioral modification camp in the Arizona wilderness. At one point, Franke played a voicemail for viewers that her son had left her while at the camp; her son cried throughout the voicemail as he described his experience.2028 Passengers, Answering Questions About Chad (YouTube), https://ia801604.us.archive.org/32/items/8-passengers/20190911%20Answering%20Questions%20About%20Chad.mp4 [https://perma.cc/J7FG-F258] (video is no longer available on YouTube). Another video featured the parents taking their preteen daughter to buy her first bra. After Kevin asked his preteen, “How come you’re all embarrassed?” his oldest daughter Shari spoke up off camera: “Because you’re filming her and you’re her dad?”203Moscatello, supra note 199.

2.  Adapting COPPA 2.0 and the Necessity of a Right to Removal

In October 2024, Shari, now twenty-one, addressed Utah’s Business and Labor Interim Committee; Utah Representative Doug Owens, who sponsored Utah’s subsequent bill regulating kidfluencers, introduced her testimony.204See H.B. 322, 66th Leg., 2025 Gen. Sess. (Utah 2025); Child Influencer Protections: Hearing Before the Interim Comm on Bus. & Lab., 2024 Leg., 65th Sess. (Utah 2024) (statement of Sheri Franke, Presenter), https://le.utah.gov/av/committeeArchive.jsp?mtgID=19498 [https://perma.cc/ADD4-UR3V]. Shari told lawmakers that she appeared before them “as a victim of family vlogging” in hopes of “shed[ding] light on the ethical and monetary issues that come from being a child influencer.”205KUTV 2 News Salt Lake City, supra note 1, at 00:56–01:05. Her words highlighted how adequate compensation is but one small component of a comprehensive regulatory scheme to protect kidfluencers; her experiences as a kidfluencer also evoke many of the same themes as Jennette McCurdy’s retelling of her time as a child actor—in particular, the sense that the compensation she received, while helpful, was simply not worth the loss of her childhood.

[Being a kidfluencer] is more than just filming your family life and putting it online. It is a full-time job with employees, business credit cards, managers, and marketing strategies. The difference between family vlogging and a normal business, however, is that the employees are all children. Children, from before they are born to the day they turn eighteen, have become the stars of family businesses on YouTube, Instagram, and most other social media platforms.

     . . . . 

At first, family vlogging is an alluring business that can bring high revenue. For my family, it became the primary source of income . . . . Many child influencers are paid for their work as I was, and this money has helped me in my adult life. However, this payment was usually a bribe. For example, we’d be rewarded $100 or a shopping trip if we filmed a particularly embarrassing moment or an exciting event in our lives. . . . Any payment that happens is under the table, with no paper trail. And how do we determine how much a child should make from appearing in family content? What price is worth giving up your childhood?

. . . Some of our most popular videos were when my eyebrow was accidentally waxed off, and the whole world saw a crying teenager when I just wanted to mourn in private. Or the time I was violently ill and got the leading role in the video for that day. My friends became scarce because dates were filmed and none of my friends wanted to be on camera. The camera never stops and there is no such thing as a [vacation] from filming.

     . . . . 

[A]s children, we do not understand the consequences of filming our lives and [having it] post[ed] for the world to see. We cannot give consent to our parents to post our lives. . . . I did not realize the impact that filming as a child would have on me now. . . . 

     . . . . 

If I could go back and do it all again, I’d rather have an empty bank account now and not have my childhood plastered all over the Internet. No amount of money I received has made what I’ve experienced worth it. . . . I promise you that my experiences are not unique and are happening to child influencers all over Utah and the country. Let’s tackle this issue before it becomes a bigger crisis than it already is.206Id. at 01:11–06:54. Shari’s full statement is included in the Appendix.

As Shari’s words illustrate, kidfluencing is currently too unchecked and too profitable—for parents—to be safe; thus, common-sense regulations aimed at deterring parents from overworking and oversharing their children for a financial payout are critically necessary. Just as labor protections for kidfluencers would be most effective if enacted at the federal level, protective measures for kidfluencers’ privacy need federal support. COPPA presents a key opportunity to begin developing that support by empowering kidfluencers to wield greater control over their digital footprints long term. While COPPA 2.0 takes an important step forward by expanding online privacy protections for teenagers, a truly comprehensive and effective COPPA amendment would also cover kidfluencers.

Protections for kidfluencers under a new version of COPPA would make explicit the right of teenaged kidfluencers to consent (or not) to sharing their personal information in monetized content and their right to revoke that consent at any time; this system would empower teenaged kidfluencers by allying them with the social-media platforms hosting their content—regardless of a parent’s role in producing kidfluencer content, platforms would require the kidfluencer’s consent before new content could be shared. For kidfluencers under thirteen, the consent that their parents give to sharing their children’s information and to commercial use of their likeness would become provisional only and revocable by the child upon reaching age thirteen. This change would allow kidfluencers to retroactively revoke consent to personal data their parents had agreed to share and compel platforms to remove it.207Thus far, the United States has not legally recognized the European Union’s “right to erasure” or “right to be forgotten,” which enshrines the right of individuals to the erasure of their personal data. Individuals protected under the right to be forgotten can demand erasure of their data under a variety of circumstances, including when they simply withdraw consent to their data’s collection and processing by another entity. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), art. 17, 2016 O.J. (L 119) 1. Some U.S. lawmakers have contemplated but ultimately abandoned, at least as of now, legislation providing a similar right; in the drafting and ultimate passage of Illinois kidfluencer compensation law, that bill’s sponsor said such a provision was ultimately removed from the law because “there was really no way of enforcing it.” Anderson, supra note 107. Notably, however, those concerns did not stop lawmakers in one state: Montana’s 2025 kidfluencer law explicitly titles its section detailing takedown requirements for platforms, “Right to be forgotten.” H.B. 392, 69th Leg., Reg. Sess. § 5 (Mont. 2025). And in situations where groups of kidfluencers create content together, as in the case of Piper Rockelle’s Squad, a kidfluencer-focused COPPA section would provide legal scaffolding to discourage casual content-sharing to large online audiences without informed consent by every parent or teenager involved. These amendments would be a first step in giving kidfluencers the privacy protections that they currently lack.

Four of the states that now regulate kidfluencers’ compensation have also taken steps in this direction: recent laws in Montana, Arkansas, Utah, and Minnesota include provisions aimed at empowering kidfluencers to request removal of content featuring them. In particular, Minnesota’s flat ban on children thirteen and under working as kidfluencers is well worth lawmakers’ consideration both in other states and at the federal level; such a ban would have automatically made much of the Squad’s early content unlawful due to the children’s ages, while also avoiding the challenges of enforcing more nuanced regulations. Yet gaps persist—Minnesota’s law provides that “[c]ontent containing the likeness of a child must be deleted and removed from any online platform by the individual who posted the content, the account owner, or another person who has control over the account when the request is made,” either by a kidfluencer at least thirteen years old or by a former kidfluencer who is now an adult.208H.F. 3488, 93rd Leg., 93rd Sess. § (4) (Minn. 2024). However, the law does not provide an explicit enforcement mechanism or a means for relief for kidfluencers whose requests for removal go unheeded; it also seemingly exempts social-media platforms from responsibility entirely as it has no “effect on a party that is neither the content creator nor the minor who engaged in . . . content creation.”209Id.

Meanwhile, Utah’s law does involve social-media platforms that host kidfluencer content explicitly in its removal provisions, requiring that platforms “provide a readily apparent process” for former kidfluencers who are now at least eighteen to request removal of content featuring themselves as minors.210H.B. 322, 66th Leg., 2025 Gen. Sess. § (4) (Utah 2025). But under Utah’s system, creators can still refuse to comply with removal requests. The law provides only an ex post, litigation-dependent right of action for former kidfluencers to challenge a creator’s refusal; at that point, a court would then consider the “emotional harm or substantial embarrassment” the challenged content poses to the former kidfluencer and both “the interests of the content creator” as well as “the public interest served by” that content.211Id. Thus, while Utah and Minnesota’s protections are certainly better than nothing, they are also critically limited; because kidfluencer exploitation is so rampant and systemic, an expensive, slow, after-the-fact system of relief available only on a state-by-state basis is simply not enough to protect them.

From that perspective, Arkansas and Montana have gone the furthest toward effecting an adequate legal solution: both states’ kidfluencer laws put responsibility on platforms, though with some caveats, to enforce kidfluencer protections, including removing kidfluencer content upon request. In Montana, creators are removed from the takedown process entirely; instead, Montana’s law triggers platforms’ responsibility to “take all reasonable steps to permanently delete” kidfluencer content as soon as former kidfluencers (who are at least eighteen) request removal.212H.B. 392, 69th Leg., Reg. Sess. § 5(1)–(2) (Mont. 2025).

Arkansas’ kidfluencer law is arguably even more sweeping; under that law, platforms must allow for removal requests by kidfluencers and then notify content creators of their obligation to remove the applicable content within thirty days; if creators do not do so, platforms “shall review and take all reasonable steps to remove the content.”213H.B. 1975, 95th Gen. Assemb., Reg. Sess. § 1(4-88-1503)(c)(3)(B) (Ark. 2025). Unlike Montana, Arkansas does include caveats to platforms’ mandated removal, including for content that the platform finds “sufficiently newsworthy or of other public interest to outweigh the privacy interests” of the kidfluencer in question.214Id. § 1(4-88-1503)(c)(3)(B)(ii). However, Arkansas also elevates platforms’ responsibilities in an additional, consequential area: its law makes it “unlawful to financially benefit from knowingly producing or distributing publicly . . . any visual depiction of a minor with the intent to sexually gratify or elicit a sexual response in the viewer or any other person.”215Id. § 1(4-88-1504)(a)(1). This section requires platforms to “develop and implement a risk-based strategy to help mitigate risks related to monetization of the intentional sexualization of known minors” in a content-creation context; the structure of such strategies is at platforms’ discretion and can include monetization policies, “automated system[s] to identify and enforce against potentially problematic content and accounts,” and “[q]uality assurance processes” to monitor the effectiveness of platforms’ policies in this area.216Id. § 1(4-88-1504)(d)(1)–(2)(iii), (v). While the precise standard for determining whether content has “the intent to sexually gratify or elicit a sexual response” under Arkansas’ law is unspecified, much of the PRI Squad’s content could likely qualify.
Thus, in addition to placing responsibility on social-media platforms to effectuate kidfluencer content removal, Arkansas also made the critical first step, at the state level, toward mandating that platforms develop ongoing procedures to monitor for at least some kinds of problematic kidfluencer content, and, ideally, prevent exploitation before it occurs.

Overall, both Arkansas and Montana’s regulatory approaches—situating platforms as the enforcers of newly-recognized kidfluencer privacy and publicity rights—represent the most effective way forward for a comprehensive federal scheme to protect kidfluencers.

IV.  THE SOLUTION—FEDERAL LABOR AND PRIVACY PROTECTIONS AND REQUIRING SOCIAL-MEDIA PLATFORMS TO ENFORCE KIDFLUENCER RIGHTS

Kidfluencers need comprehensive labor and privacy protections, and because the Internet transcends the geographical limits that made state-specific labor regulations for child actors practical, adequate kidfluencer labor and privacy regulations must be set at the federal level. But once enacted, these comprehensive federal protections will require an effective enforcement mechanism—and the social-media platforms that host kidfluencer content are likely the entities best situated to moderate and enforce kidfluencer regulations. Thus, a robust set of federal kidfluencer labor and privacy protections would include an imposition of liability on platforms that feature kidfluencer content on monetized accounts (thereby creating revenue for the platform itself as well as for those managing the kidfluencer accounts) when that content is produced under conditions that violate kidfluencer laws. So far, only two states, Montana and Arkansas, have placed legal responsibility squarely on platforms to remove kidfluencer content upon request; lawmakers seeking to adequately protect kidfluencers must follow these states’ lead by pushing for federal measures that regulate kidfluencers’ labor and privacy and enable platforms to enforce those laws.

A.  Section 230 and Techlash

Any conversation surrounding potential liability for online platforms based on a platform’s third-party content implicates section 230 of the Communications Decency Act of 1996 (“section 230”). Recognizing how “[t]he rapidly developing array of Internet . . . services available to individual Americans represent[s] an extraordinary advance in the availability of educational and informational resources,”217Communications Decency Act of 1996, 47 U.S.C. § 230(a)(1). and how the Internet “ha[s] flourished, to the benefit of all Americans, with a minimum of government regulation,”218Id. § 230(a)(4). section 230 provides limited immunity to any online platform for content posted by third-party users.219See id. § 230. In the nearly thirty years since section 230’s passage, its supporters have credited it with enabling some major online platforms to grow from start-ups into global giants,220Diverging Paths for Platform Liability: The Impact of Section 230 and the Choice for America’s Digital Future, Internet Governance F. USA, https://www.igfusa.us/diverging-paths-for-platform-liability [https://web.archive.org/web/20240520193755/https://www.igfusa.us/diverging-paths-for-platform-liability]. particularly with regard to the largest companies commonly referred to as a whole as “Big Tech.”221Kean Birch & Kelly Bronson, Big Tech, 31 Sci. as Culture 1, 1 (2022). And many of those supporters have defended section 230 in the last ten years as an increasing number of detractors began voicing concerns over Big Tech’s ever-growing and seemingly unchecked power, a phenomenon dubbed “techlash.”222Robert D. Atkinson, Doug Brake, Daniel Castro, Colin Cunliff, Joe Kennedy, Michael McLaughlin, Alan McQuinn & Joshua New, A Policymaker’s Guide to the “Techlash”—What It Is and Why It’s a Threat to Growth and Progress 1 (2019), https://www2.itif.org/2019-policymakers-guide-techlash.pdf [https://perma.cc/SYL3-U5T3]; Elizabeth Nolan Brown, Section 230 Is the Internet’s First Amendment. Now Both Republicans and Democrats Want to Take It Away, Reason (July 29, 2019), https://reason.com/2019/07/29/section-230-is-the-internets-first-amendment-now-both-republicans-and-democrats-want-to-take-it-away [https://perma.cc/E2FZ-3HEW].

Kidfluencers are glaringly missing from this increasingly heightened debate over the virtues and dangers of section 230 and, more broadly, about the responsibilities or lack thereof that Big Tech owes to users. Any federal proposal to impose liability upon platforms who violate laws designed to prevent kidfluencer exploitation will prompt questions about whether imposing such liability would infringe platforms’ rights under section 230 and their constitutional rights to freedom of expression. Crucially, however, section 230 itself already includes limiting language: in addition to protecting the right of platforms to “voluntarily” and “in good faith” “restrict access to or availability of material that [the platform] considers to be obscene, lewd, . . . or otherwise objectionable, whether or not such material is constitutionally protected,”22347 U.S.C. § 230(c)(2)(A). section 230 dictates explicitly that it has “[n]o effect on intellectual property law.”224Id. § 230(d)(2). Thus, new kidfluencer regulations, if modeled after this exception for intellectual property law, could be fully consistent with section 230.

B.  Contributory Liability as a Basis for Platform Enforcement

In keeping with section 230’s unrestricted exception for intellectual property concerns, the Digital Millennium Copyright Act (“DMCA”), passed two years later, empowers copyright owners to compel online entities to remove infringing material hosted on their platforms or otherwise face liability.225The Digital Millennium Copyright Act, U.S. Copyright Off., https://www.copyright.gov/dmca [https://web.archive.org/web/20241214044325/https://www.copyright.gov/dmca]. Under the DMCA’s “notice-and-takedown system,” online platforms can qualify for limitations on liability, known as safe harbor provisions, provided that they comply with an owner’s takedown request.226Id. Thus, the system enables copyright owners to safeguard their work from infringement while avoiding litigation and also ensures, via its safe harbor provisions, that online platforms are not impeded in their industrial development by these intellectual property protections. The DMCA has roots in common law contributory liability doctrine in recognizing partial responsibility on the part of online entities for infringement happening on their platform.227See generally 5 Donald S. Chisum, Chisum on Patents § 17 (2024) (discussing the common law origins and development of contributory infringement doctrine). In this way, the DMCA serves as an analog for a potential liability model for platforms hosting kidfluencer content produced in violation of expanded regulations.

In the kidfluencer context, online platforms also go a step further than inadvertent sharing of objectionable material—they profit directly from kidfluencer content by collecting a percentage of advertising revenue from the accounts they monetize.228Kaufman & Gelt, Blockbuster Lawsuit, supra note 6. Thus, under expanded labor and privacy protections for kidfluencers, adapted from existing laws for child actors and child social-media users, platforms hosting monetized kidfluencer accounts would more than meet the criteria for contributory liability for profiting off of content produced in violation of these new regulations. Yet at the same time, platforms are also likely the most well-situated party to enact protocols that can effectively monitor and enforce updated kidfluencer laws.

Platforms can develop a more robust application process for kidfluencer account monetization requiring adults running kidfluencer accounts to comply with the same laws regulating studios employing traditional child entertainers: obtaining permits to employ minors, tracking and reporting kidfluencers’ working hours and staying within working hour limits, providing proof of regular education and on-set supervision, and setting up protected trust accounts to safeguard kidfluencers’ compensation. Under this regulatory system, would-be kidfluencer accounts would have to meet these requirements as part of applying for account monetization, and existing kidfluencer accounts would have to provide documentation showing that they are maintaining these mandates to retain their monetized status on a continuing basis. Further, if federal protections for kidfluencers’ privacy were enshrined in an expansion of COPPA, online platforms could also be required to actively monitor kidfluencer accounts’ adherence to COPPA’s expanded mandates; specifically, platforms must obtain consent by teenagers and provisional consent by parents of children under thirteen to appear in monetized content and provide a means to revoke consent and compel removal upon request. Just as proof of continuing adherence to expanded kidfluencer labor regulations should be required for kidfluencer accounts to achieve monetization, so too should kidfluencer accounts be required to demonstrate compliance with privacy protections in order to keep gaining revenue. Online platforms already have established procedures to conform with COPPA’s existing mandates for children’s data collection that are similar to DMCA’s safe harbor criteria—in particular, COPPA includes its own self-regulatory guidelines for platforms to keep themselves eligible for COPPA’s longstanding safe harbor provisions.
Thus, platforms are poised with a foundation to further develop protocols that monitor compliance with kidfluencer regulations. And despite the ongoing debate over the fate of section 230, imposing liability for online platforms in the kidfluencer context arguably need not threaten section 230, or platforms’ free expression more broadly, at all; such liability would not be without precedent given section 230’s blanket exception for intellectual property infringement, the DMCA’s subsequent imposition of the notice-and-takedown system, and COPPA’s longstanding restrictions on how online platforms interact with child users.

  CONCLUSION

While some former kidfluencers like Shari Franke have explicitly called for a ban on kidfluencing entirely, such a drastic measure would be remarkably difficult, if not impossible, to achieve. At the same time, though the PRI lawsuit is unique, as of this writing, in its involvement of kidfluencers personally suing adult content producers, the PRI plaintiffs are part of an ever-growing cohort, the oldest of whom are only beginning to reach adulthood. As the first generation of kidfluencers comes of age while regulations to protect kidfluencers remain, at best, in their infancy, courts could see a rise in litigation by former kidfluencers only now independent enough to seek legal recourse. Rather than Shari’s proposed all-out ban on kidfluencing or a slew of merely reactive, post-exploitation lawsuits in the spirit of the PRI lawsuit, the more promising approach to addressing kidfluencer exploitation lies in enacting strict labor and privacy regulations at the federal level; once these regulations are created or expanded, lawmakers can then explore mechanisms for imposing liability on social-media platforms that host kidfluencer content produced in violation of these expanded regulations. If kidfluencers are to remain a fixture of the content-creator world (and they likely will, given the pervasiveness of their online presence as well as their financial value to the platforms that feature them), their career field needs to be regulated like the bona fide occupation that it is. Thus, federal law must ensure the right of kidfluencers in every state to limits on their working hours, guaranteed access to education, on-set supervision and advocacy, and compensation safeguards—the same protections that the most stringent states afford to professional child actors.

But merely applying labor regulations for child actors to kidfluencers as an overall protective measure still falls short because the nature of kidfluencing itself presents an unprecedented privacy intrusion. Child actors have built-in privacy protections by virtue of conducting their work on a set, away from home, playing characters. Their work, by and large, is only seen by people who pay to see it and is only broadcast subject to intellectual property and other licensing agreements between production companies and distributors. In contrast, when kidfluencers’ parents say, “Action!” the entire world immediately has an unrestricted window directly into their personal, private life. Thus, just as federal law must be expanded to regulate kidfluencers’ labor, COPPA should be amended to explicitly cover kidfluencers and also to make parental consent to collection of kidfluencers’ personal data provisional only—once children turn thirteen, they must be able to retroactively withdraw consent for data their parents turned over on their behalf. Under this new regulatory system, social-media platforms would be charged with monitoring kidfluencer accounts’ adherence to these requirements and suspending accounts in violation, drawing upon their existing safe harbor guidelines that currently ensure their compliance with COPPA and the DMCA as a model. This all-encompassing approach will serve to close the gaps in kidfluencer protections as quickly and effectively as possible, preventing future generations of kidfluencers from needing to wait to reach adulthood before they can pursue legal recourse after years of exploitation. It defies common sense that, as far as kidfluencers’ labor and privacy are concerned, the younger—and more vulnerable—they are, the fewer rights they have.

APPENDIX

My name is Shari Franke. My mother, Ruby Franke, is the prominent family vlogger arrested last year for child abuse. I don’t come today as the daughter of a felon, nor a victim of an abnormally abusive mother. I come today as a victim of family vlogging. My goal today is not to present any idea of a solution to this problem, but to shed light on the ethical and monetary issues that come from being a child influencer.

When children become stars in their family’s online content, they become child influencers. It is more than just filming your family life and putting it online. It is a full-time job with employees, business credit cards, managers, and marketing strategies. The difference between family vlogging and a normal business, however, is that the employees are all children. Children, from before they are born to the day they turn eighteen, have become the stars of family businesses on YouTube, Instagram, and most other social media platforms.

Utah is specifically a hotspot for family content due to the LDS culture around family and the goal to share the church with the world. We also have large families which makes family content more lucrative. Specifically, many parents film their regular family life as an online video blog, called a vlog. But I want to be clear that there is never, ever a good reason for posting your children online for money or fame. There is no such thing as a moral or ethical family vlogger.

At first, family vlogging is an alluring business that can bring high revenue. For my family, it became the primary source of income as is often the case for full time family vloggers. Many child influencers are paid for their work as I was, and this money has helped me in my adult life. However, this payment was usually a bribe. For example, we’d be rewarded $100 or a shopping trip if we filmed a particularly embarrassing moment or an exciting event in our lives. Or other times, simply going on vacation was expected to be payment enough—because most kids don’t get to go on regular and expensive trips. Never mind the fact that the child’s labor is actually what paid for the vacation or trip. There is no law in place to guarantee that child influencers get any money from their work. If a family account does not become an LLC, parents are taxed heavily for paying their children. But parents receive tax write offs for the regular clothes they wear, the gas money used to drive places, and even the houses they live in—anything that is filmed can be written off. And even after registering their business as an LLC, there is no guarantee that children will get paid. Any payment that happens is under the table, with no paper trail. And how do we determine how much a child should make from appearing in family content? What price is worth giving up your childhood?

But despite any monetary payment children may receive, don’t let this excuse the 24/7 labor that these children are subjected to. As a child, I was fully aware that I was an employee. The business was successful when I was happy or when I shared my hardships with the world. Some of our most popular videos were when my eyebrow was accidentally waxed off, and the whole world saw a crying teenager when I just wanted to mourn in private. Or the time I was violently ill and got the leading role in the video [for] that day. My friends became scarce because dates were filmed and none of my friends wanted to be on camera. The camera never stops and there is no such thing as a [vacation] from filming.

At the time, I’d tell you that I had a choice in what was filmed. But I’ve come to learn that every child influencer, in a way, suffers from Stockholm syndrome. Most child influencers would probably tell you they have full control over what is posted; but the reality is that their parents bribe and shame them into posting their most vulnerable moments. In fact, many child influencers may tell you they enjoy their work because of the monetary perks they receive, or the fun experiences that they can have. After all, what child would say no to a fun vacation or shopping spree if all they needed to do was film [a mental breakdown or] an embarrassing moment?

But as children, we do not understand the consequences of filming our lives and [having it] post[ed] for the world to see. We cannot give consent to our parents to post our lives. In any other context, it is understood that children cannot give consent—but for some reason, people think family vlogging is different. I did not realize the impact that filming as a child would have on me now. My social media became flooded with rumors of having sexual relations with my own brother, to being called a baby birthing machine at the age of thirteen. All these things have stuck with me, and I will forever live between the ages of thirteen to seventeen in many of my viewers’ minds. In addition, pedophiles stalk the internet, specifically seeking out child influencers. I promise you that the parents are aware of these predators and choose to post their children anyway.

I understand that this is a big issue to tackle. I am not asking you to ban family vlogging, though that is my end goal. I also understand that as Utahns, we don’t appreciate big government overreach. But when it comes to protecting children, it should be a bipartisan issue. The only people harmed by child influencer laws are the parents exploiting their children. While this may not seem like an issue now, as child influencers in Utah continue to grow up, I foresee there will be legal crises with these children realizing that vlogging has brought severe emotional distress. Or these kids may realize they don’t have an appropriate amount of money to show for their [forced] labor. After all, how does that child know how much they should have made versus what their parents may or may not have paid them? Let’s deal with this now, before we reach that point. But even despite a good paycheck, I want to be absolutely clear that there is no amount of money that can justify selling your soul, as a child, to the world. In no other industry would we justify unregulated child labor with a huge paycheck, and we should not do that here.

If I could go back and do it all again, I’d rather have an empty bank account now and not have my childhood plastered all over the Internet. No amount of money I received has made what I’ve experienced worth it. While I don’t have all the answers, nor many feasible solutions for this problem, I am proud to be one of the first child influencers in the state of Utah to speak against this issue. I don’t want people to look at me and blame my unique circumstances, with a mother in prison, to the Franke criminal case. Family vlogging ruined my innocence long before Ruby committed a crime. I promise you that my experiences are not unique and are happening to child influencers all over Utah and the country. Let’s tackle this issue before it becomes a bigger crisis than it already is. Thank you.229KUTV 2 News Salt Lake City, supra note 1.

99 S. Cal. L. Rev. 449


*Executive Postscript Editor, Southern California Law Review, Volume 99; J.D. Candidate, 2026, University of Southern California Gould School of Law; B.A. Law, History, and Culture, 2016, University of Southern California. This Note is dedicated to the memory of my grandmother Nan Johnson. Thank you to my advisors Professors Jonathan Barnett and Jef Pearlman for their support and guidance; to Cristopher Swain for his unconditional encouragement; to Mark E. Haddad for his faith and wisdom; to Miranda Johnson-Haddad for her unwavering support; to Madeline Goossen and Robyn Kazemaini for their loyal mentorship; and to Kelcey Sholl, Isabella Flaherty, Nicholas Considine, and the staff of the Southern California Law Review for their thoughtful and dedicated editing.

Life Story Rights Litigation: Negotiating for a Happy Ending

Filmmakers, television writers, and authors alike have made millions of dollars in the entertainment industry by telling stories that have already been lived by real people. Not only do these creative works force enormous public exposure upon the real people portrayed, but they often portray these real-life inspirations in inaccurate, or even harmful ways. Furthermore, without an agreement to sell their life story rights, many of these real-life inspirations receive no compensation from the use of their life story in these highly successful creative works.

* Senior Submissions Editor, Southern California Law Review, Volume 95; J.D. Candidate, 2022 University of Southern California, Gould School of Law; B.A. Communication 2017, University of Southern California. A huge thank you to the editors of the Southern California Law Review for all of your guidance throughout the publication process, and to all of my family and friends for their support throughout law school.

Data Protection in the Wake of the GDPR: California’s Solution for Protecting “the World’s Most Valuable Resource” – Note by Joanna Kessler


by Joanna Kessler*

From Vol. 93, No. 1 (November 2019)
93 S. Cal. L. Rev. 99 (2019)

Keywords: California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR)

This Note will argue that although the CCPA was imperfectly drafted, much of the world seems to be moving toward a standard that embraces data privacy protection, and the CCPA is a positive step in that direction. However, the CCPA does contain several ambiguous and potentially problematic provisions, including possible First Amendment and Dormant Commerce Clause challenges, that should be addressed by the California Legislature. While a federal standard for data privacy would make compliance considerably easier, if such a law is enacted in the near future, it is unlikely to offer as significant data privacy protections as the CCPA and would instead be a watered-down version of the CCPA that preempts attempts by California and other states to establish strong, comprehensive data privacy regimes. Ultimately, the United States should adopt a federal standard that offers consumers similarly strong protections as the GDPR or the CCPA. Part I of this Note will describe the elements of GDPR and the CCPA and will offer a comparative analysis of the regulations. Part II of this Note will address potential shortcomings of the CCPA, including a constitutional analysis of the law and its problematic provisions. Part III of this Note will discuss the debate between consumer privacy advocates and technology companies regarding federal preemption of strict laws like the CCPA. It will also make predictions about, and offer solutions for, the future of the CCPA and United States data privacy legislation based on a discussion of global data privacy trends and possible federal government actions.

*. Executive Senior Editor, Southern California Law Review, Volume 93; J.D. Candidate 2020, University of Southern California Gould School of Law; B.A., Sociology 2013, Kenyon College. 

 


Navigating the Atlantic: Understanding EU Data Privacy Compliance Amidst a Sea of Uncertainty – Note by Griffin Drake

From Volume 91, Number 1 (November 2017)

Griffin Drake[*]

TABLE OF CONTENTS

INTRODUCTION

I. BACKGROUND

A. Key Principles of Privacy Regulations

B. Schrems I and the Invalidation of the Safe Harbor

C. The Road to the Privacy Shield

D. Other Available Transfer Mechanisms

II. THE FUNDAMENTAL DIFFERENCES BETWEEN U.S. AND EU DATA PRIVACY POLICIES

A. EU Privacy Policies

B. U.S. Privacy Policies

III. HOW THE GDPR AFFECTS THE CURRENT AND FUTURE DATA PROTECTION LANDSCAPE

A. What’s New in the GDPR?

B. How Does This Affect Data Transfer Mechanisms?

1. BCRs

2. Model Clauses

3. Codes of Conduct and Certification

IV. THE FATAL FLAWS OF THE PRIVACY SHIELD, MODEL CLAUSES, AND BCRS

A. Privacy Shield

B. Model Clauses

C. BCRs

V. SO, WHAT OPTIONS DO COMPANIES HAVE?

A. Consent

B. Prepare for the GDPR

 

INTRODUCTION

United States government surveillance has reached a point where the government “c[an] construct a complete electronic narrative of an individual’s life: their friends, lovers, joys, sorrows.”[1] In June 2013, Edward Snowden released thousands of confidential documents from the National Security Agency (NSA) regarding classified government surveillance programs.[2] The documents brought to light the fact that the NSA was spying on individuals, including foreign citizens, and deliberately misleading Congress about these activities.[3] According to Snowden, the spying was so extensive that the spying measures, including a program known as “PRISM,” involved the improper mass collection of data from citizens worldwide through NSA interactions with telecom giants like Google, Microsoft, and Facebook, and by tapping into global fiber optic cables.[4]

These revelations sent shockwaves around the globe, and the backlash was swift and unforgiving. One thing became clear to Americans and the rest of the world: the NSA and the U.S. government had prioritized the massive collection of private information over and above the personal privacy rights of the global population.[5] The concept of throwing civil liberties to the wayside through grossly intrusive surveillance pushed Snowden to step forward and reveal what he had seen all too closely.[6] He no longer wanted to “live in a world where everything that I say, everything that I do, everyone I talk to, every expression of love or friendship is recorded.”[7]

Across the Atlantic, the priorities of European Union member nations stand in stark contrast to those of the United States. The EU takes a much stronger stance on privacy and data protection and restricts how companies transfer data to non-EU nations. In the EU’s Data Protection Directive (the “Directive”), the right to privacy is described as a “fundamental right[] and freedom[].”[8] This sentiment is echoed in other landmark EU documents such as the Convention for the Protection of Human Rights and Fundamental Freedoms.[9]

Despite the very different treatment of the right to privacy in the U.S. and EU, we live in an era of lightning-quick information transfers and an interconnected global economy in which the sharing of private data (including names, IP addresses, health care information, and so forth) across borders is essential to companies conducting business worldwide.[10] The current state of the world necessitates that data flow seamlessly from country to country.[11] This reality led to the EU’s Safe Harbor Decision (“Safe Harbor”), allowing American companies to self-certify their compliance with certain heightened privacy restrictions when handling the private information of EU citizens and thus facilitating the transfer of information from the EU to the U.S.[12] However, the Safe Harbor was invalidated in Schrems v. Data Protection Commissioner (“Schrems I”).[13] This left American companies to rely on other EU-approved data transfer mechanisms, namely, Model Clauses,[14] Binding Corporate Rules (BCRs), or specific statutory derogations. In need of a replacement for the Safe Harbor, the EU and the United States agreed on a new deal known as the “Privacy Shield,” despite heavy criticism.[15] An additional layer of complexity exists due to the fact that the Directive, which long governed the handling of private information in the EU, is now being replaced with the significantly stronger General Data Protection Regulation (“GDPR”).

This Note will argue that in light of the pending commencement of the GDPR, American companies relying on the Privacy Shield are exposed to potential risk, as it fails to satisfy the “essentially equivalent protection” standard set forth in Schrems I, and that alternative data protection mechanisms, such as Model Clauses or BCRs, have serious drawbacks and face similar questions regarding their validity.[16] Subsequently, I will discuss some of the potential alternative mechanisms that companies can use to best mitigate exposure to the risks inherent in transatlantic data transfers.

Part I of this Note will describe the background that has led to the current uncertainty in the validity of the various data protection mechanisms. This Part will discuss the key principles behind data privacy protections, the Schrems I case and the subsequent invalidation of the Safe Harbor, the buildup to the Privacy Shield, and the other possible transfer mechanisms. Part II will discuss the fundamental differences between the United States’ and the European Union’s approaches to protecting individuals’ private information. This section will highlight the irreconcilable differences between U.S. surveillance policies and the EU’s view of the fundamental right to privacy. Part III will discuss the pending implementation of the GDPR and the relevant changes this directive will have to the current transatlantic data transfer legal regime. Part IV will outline the shortcomings inherent in the Privacy Shield, Model Clauses, and BCRs individually. Part V will conclude this Note by briefly discussing potential alternatives that companies can use to attempt to weather the shaky data privacy landscape that exists today. The proposed alternatives include obtaining consent, using codes of conduct and certification, and layering transfer mechanisms.

I.  Background

A.  Key Principles of Privacy Regulations

With the ability of companies to transfer swaths of consumers’ personal data globally at the click of a button, the United States and the European Union have been forced to adapt privacy regulations to meet this rapidly changing reality. In doing so, certain fundamental principles have arisen and been used to shape modern data privacy laws. In 1973, the U.S. Department of Health, Education, and Welfare developed a committee to review the use of automated data systems that maintained personal information.[17] This committee laid out five principles for data protection, known as the “Fair Information Practices” (FIPs).[18] These principles were incorporated, though not by name, in the Privacy Act of 1974.[19] The Privacy Act of 1974 also established the Privacy Protection Study Commission, which in 1977 refined the FIPs into eight clear principles.[20] The principles are: Openness, Individual Access, Individual Participation, Collection Limitation, Use Limitation, Disclosure Limitation, Information Management, and Accountability.[21] These principles, however, apply only to the public sector and were not formally referenced by Congress until 2002.[22]

In the EU in the 1970s, many laws were already consistent with the principles described in the FIPs.[23] In 1980, the Organization for Economic Cooperation and Development (OECD) developed a set of privacy guidelines with its own eight principles for data protection.[24] These principles include: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability.[25] These principles clearly bear a strong resemblance to the FIPs with one major difference: they are broadly intended to apply across both the public and private sectors. In 1995, the EU took the principles a step further and adopted the Directive to protect individuals and their private data.[26] These principles were also included in the GDPR, along with a few additional principles.[27] All in all, the principles created in 1973 and revised over time often serve as the foundation for data privacy regulations today.

B.  Schrems I and the Invalidation of the Safe Harbor

While transferring data around the world is a practical necessity for large companies, governments in the EU and the United States recognize that due to how quickly and easily personal data is being transferred, this data must be protected. Acknowledging these two conflicting important interests, the EU and the United States struck a deal. In 2000, the European Commission passed a decision known as the Safe Harbor, determining that the United States, in conjunction with the terms of the agreement, provided adequate privacy protection.[28] The Safe Harbor decision allowed U.S. companies to self-certify that they will abide by EU data protection standards when transferring data across the Atlantic.[29] This option was attractive to companies because it was relatively easy to institute and it efficiently lowered transaction costs compared to Model Clauses or BCRs—so much so that over five thousand companies chose to self-certify.[30] Self-certification involved companies (1) outlining specific information about the company and the company’s use of personal data obtained from EU citizens on an online form and (2) paying a processing fee of $200.[31] This option was considered to fall into the category of an “adequacy decision” by the Commission in accordance with Article 25 of the Directive.[32] It is important to note, though, that this decision did not allow free rein for all U.S. companies to freely exchange information across the Atlantic. Instead, this method of achieving adequate protections only applied to the companies that self-certified and complied with the requisite standards.

While this solution worked for over a decade, the revelations published by Edward Snowden served as evidence that the Safe Harbor was built on false assurances. The Safe Harbor met its ultimate demise in Schrems I, in which Maximillian Schrems, an Austrian privacy activist, complained to the Data Protection Commissioner that Facebook, a Safe Harbor-certified company incorporated in Ireland, was transferring personal data into the United States where “the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in there by the public authorities.”[33] In his original case, Schrems cited Facebook’s voluntary participation in the aforementioned NSA PRISM program, which gave the U.S. government access to substantial amounts of private personal information.[34] The claim was that “there was no meaningful protection in US law or practice regarding data transferred that was subject to US state surveillance.”[35]

The Irish High Court agreed with Schrems, stating that “[t]here is, perhaps, much to be said for the Snowden revelations exposing gaping holes in contemporary US data protection.”[36] Accordingly, the Irish High Court, in line with EU law, referred the matter to the Court of Justice of the European Union (“CJEU”) to adjudicate the validity of the adequacy decision regarding the United States.[37]

The CJEU agreed with the Irish High Court and took a large step by fully invalidating the Safe Harbor.[38] The standard as stated by the court vastly elevated the requirements for all future transfer mechanisms by stating that privacy protection measures in non-EU member nations need to be “essentially equivalent to that guaranteed in the EU legal order.”[39] Thus, the CJEU found that U.S. privacy law was incompatible with the EU charter.[40]

C.  The Road to the Privacy Shield

With roughly five thousand companies relying on an invalidated measure, uncertainty as to what steps to take was apparent and widespread. But just as economic necessity drove the United States and the EU into the eventually invalidated Safe Harbor, it likewise drove them to craft a new, seemingly more robust agreement.[41] In coming to this agreement, the two parties faced incredible time constraints and deadlines from the Article 29 Working Party, the group designated to represent the EU member nations’ data protection authorities. The agreement that was developed, known as the Privacy Shield, was fully approved and placed into effect in July 2016, despite facing some bumps in the road,[42] and was intended to guarantee that the United States will provide the necessary “essentially equivalent” protections to individuals as those individuals would receive under the Directive.[43] The goal was that the Privacy Shield would fix the weaknesses inherent in the Safe Harbor as identified by the CJEU while providing a useful means to maintain the free flow of information.[44]

The dilemma faced by both the EU and the United States was that data necessarily needs to flow between them to maintain everyday business functions, while at the same time there must be protections in place to ensure the proper handling of the data being transferred.[45] The Privacy Shield was agreed upon because of this dilemma, and it has been described by some as a much stronger version of the invalidated Safe Harbor.[46] The Privacy Shield now includes stronger obligations regarding how companies handle data, increases transparency regarding how data is used, safeguards against U.S. government access, and provides new protections and remedies for individuals and a joint review mechanism.[47]

The agreement, though, was created in line with the Directive (and the Schrems I decision, which was made based on the Directive). Come 2018, the Directive will be replaced by the GDPR.[48] The GDPR was developed to modernize the protections given by the EU to individuals while greatly strengthening individuals’ rights.[49] The GDPR is intended to protect personal data in a manner significantly stronger than under the Directive.[50] Further, the new, stronger protections of the GDPR may lead to the invalidation or revision of the Privacy Shield, which was hurriedly designed to comply with the CJEU court decision and the Directive. Even today, there are already complaints about the adequacy of the Privacy Shield’s ability to adequately protect EU citizens’ data, similar to those raised against the Safe Harbor.[51] These complaints have been exacerbated by an executive order issued by President Trump, excluding non-U.S. citizens from the protections of the Privacy Act of 1974.[52]

D.  Other Available Transfer Mechanisms

So, what options does a U.S. company have for transferring personal data? The Directive outlines acceptable methods for such transfers, including an adequacy decision by the Commission, a Commission-approved transfer mechanism, or a statutory derogation.[53] A brief overview of these transfer mechanisms follows here, but they are discussed in more depth in Parts II, III, and IV.

An “adequacy decision” is a determination by the Commission that a non-EU member country “ensures an adequate level of protection.”[54] The Safe Harbor and the Privacy Shield were considered adequacy decisions in the sense that they developed certain rules and regulations that would strengthen the United States’ privacy protections to an “adequate” level. The Privacy Shield remains approved, meaning that a company can legally rely on it to transfer data. However, this mechanism could place a company in a position where if the Privacy Shield is invalidated or undergoes substantial revision, the company will need to undertake costly measures to ensure that its data transfers comply with the applicable laws and regulations in order to avoid hefty fines for non-compliance.[55]

A second option is either of the two European Commission-approved transfer mechanisms: Model Clauses or BCRs.[56] BCRs are company-developed rules governing the protection of private data that must undergo a rigorous, multi-step approval process by EU data authorities; they may be used to ensure that all transfers within a single group or company provide adequate protection as described in Article 26(2) of the Directive.[57] It is worth noting, though, that BCRs only legitimize data transfers made within a single overarching group.[58] A major benefit of BCRs is that unlike Model Clauses, there is no need to sign new contracts with each transaction.[59] This allows a company to have a clear internal procedure for handling private data and can lead to particular efficiencies.[60] Any company that is sharing or transferring data outside of its broader corporate entity structure, however, will still need to use a different method to validate those transfers, making this option less attractive to companies that exchange information externally.

This leads some companies to turn to Model Clauses, sets of contract clauses that, as determined by the European Commission, provide adequate safeguards to data privacy.[61] These have become an option oft-recommended by privacy experts and lawyers[62] due to the relative ease of implementation and their long-standing legal validity in the EU.[63] In order to receive the immunity given to companies using Model Clauses, the Clauses must be included in agreements verbatim, leading to the benefit of needing no prior authorization from country-specific data authorities.[64] Model Clauses also have the distinct advantage of covering a wide range of data transfers. Specifically, Model Clauses, like BCRs, can be used for intra-company transfers; they can be used for U.S.-EU transfers, like the Privacy Shield; and they have the additional benefit of being available for transfers between the EU and entities in any other jurisdiction, unlike the other two options.[65] This added flexibility, combined with the lower transaction costs associated with implementing these clauses, can be especially appealing to large, multinational companies that transfer data to different jurisdictions and between different entities. Model Clauses, though, are not without flaws, many of which will be discussed in Part IV.

Lastly, the data transfer itself may qualify for a statutory derogation.[66] Derogations may include a data transfer necessary to protect the vital interests of the data subject or a data transfer after the subject has given unambiguous consent, amongst other options.[67] Due to the highly specific and less common nature of many of the derogations, only consent will be discussed in this Note.

II.  The Fundamental Differences Between U.S. and EU Data Privacy Policies

Data protection as a concept is itself a novel and rapidly changing field, due in large part to the fact that commercialized Internet is only a few decades old.[68] Despite the relative infancy of this field, developments in how data is used and managed electronically evolve rapidly, and legislators fight a constant battle to keep pace with these changes. In light of the practical realities that attach to this field, the EU and the United States have taken substantially different views on what measures should be taken to protect the data filling the technological universe. The EU has widely confirmed the belief that citizens have a “fundamental right[]” to data protection.[69] The United States, however, does not explicitly share the view that data privacy protection is a fundamental right of all persons.[70]

A.  EU Privacy Policies

The notion that “[e]veryone has the right to the protection of personal data concerning him or her” is stated plainly in the Charter of Fundamental Rights of the European Union, a document designed to lay out the basic rights of European citizens and provide guidelines relating to these rights.[71] As mentioned earlier, this EU-recognized right is reiterated in the Directive with its specifically stated purpose to ensure that “member states [] protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”[72]

One explanation put forward by some commentators regarding the EU stance that data protection is a fundamental right stems from the 1940s.[73] During the Second World War, the Nazis appropriated European census records, using these records to expedite deportations to concentration camps and to strengthen Germany’s hold over Europe.[74] I argue that this experience, in part, prompted the EU to take a stronger stance on privacy protections, whereas the United States, a country that has not experienced such a scarring example of what can happen when private information falls into the wrong hands, is less inclined to push for stronger protections.

Another explanation can be seen by the early adoption of the FIPs by many EU nations and the EU as a whole.[75] By adopting these principles and incorporating them into early data privacy rules and regulations, the EU set a precedential course that influenced all future privacy-related decisions. This created a multi-generational awareness of, and belief in, the importance of protecting individuals’ privacy.

The focal point of the EU privacy regime has historically been the Directive. The Directive is an omnibus legislation protecting personal data, as opposed to a fragmented, country-by-country approach. The Directive has been hailed by commentators as “the most influential national data protection law.”[76] Additionally, the drafters of the Directive took an important step in Article 28, making the Directive applicable in countries outside of the EU.[77] Specifically, transfers of data outside of the EU require contracts or other legal acts explicitly governed by EU or member-nation law.[78]

Internationally, the trend has been to follow the EU in creating legislation that applies to all data processing inside and outside of the country, largely mirroring the strict protections laid out in the Directive.[79] The thought is that if foreign countries cannot process information about EU residents, private interests will lose out on a major global market, and thus, countries will have an overwhelming incentive to come into compliance. However, despite a global trend of compliance, two powerful nations have remained defiant in the face of such measures: China and the United States.[80]

Although at first glance it may appear that the EU has come up with a comprehensive and invaluable solution to the data privacy issue, it remains, like most legislation, imperfect. One flaw is apparent simply from the name of the document: it is a directive. As such, member nations maintain some control in dictating their own privacy laws, which has led to fragmentation in the interpretations of the principles laid out in the Directive.[81] This materially limits one of the major strengths of the Directive: its being a single document utilized by all member nations.

This, however, will change with the commencement of the GDPR.[82] The key again comes in the name of the document: here it is “regulation.” As a regulation, member nations no longer have the ability to interpret the document to create their individual data policies.[83] Regulations, therefore, carry with them an increased level of strength that does not exist in the Directive. All things considered, the general idea is to centralize power regarding data privacy and eliminate the sometimes patchwork effects of the Directive. This will be discussed in more detail in Part III.

B.  U.S. Privacy Policies

In describing the United States’ approach to data privacy policy, it may be useful to imagine a scheme opposite to that of the EU. The United States government does not recognize a fundamental right to privacy.[84] Additionally, the United States “uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation.”[85] U.S. privacy laws are often responses to particular events and are tailored to particular industries and types of data, similar to a firefighter running around putting out individual fires one at a time.[86] This has led to not only inefficiently overlapping policies but also notable gaps in the U.S. privacy framework.[87] These gaps in protection have been used as an explanation as to why the United States failed to satisfy an adequacy decision by the EU before the initiation of the Safe Harbor.[88]

As discussed in Part I, the United States produced the FIPs in 1973 as an early step in privacy protection. Here, however, the United States went in a different direction than the EU, which is one possible explanation for the very different positions that each holds today. The United States did not explicitly create broad legislation with the FIPs in mind;[89] instead, it opted for various acts and statutes determined by the needs of certain industries and agencies which interpreted and revised the FIPs in various ways.[90] Further, early laws incorporating the FIPs were applicable only to public sector entities, applying only in specific circumstances to the private sector.[91] I argue that because of the lack of a longstanding and broad commitment to the protection of individuals’ private information, U.S. citizens do not have their EU peers’ deep-rooted, multi-generational awareness of and belief in the importance of protecting individuals’ privacy. This leads to less political pressure on the U.S. government to enact strong privacy policies, perpetuating a cycle of citizens accustomed to weaker protections.

Another explanation for why the United States would take an approach to privacy substantially different from that of the vast majority of developed nations is similar to one rationale behind the EU policy, namely, a massive tragedy. As one commentator described, “[t]he attacks of September 11, 2001, have further weakened Washington’s will to protect data. [In fact, t]hrough new laws and new offices, Washington now has more unfettered access to citizens’ data than ever before.”[92] Another author, in 2002, went so far as to predict that “[c]ommunications technology is necessarily intrusive and, spurred on by international efforts to ferret out terrorism as a result of the September 11, 2001, attacks on the United States, will become even more so.”[93] In summation, the September 11 tragedy planted an unshakable image in the minds of U.S. citizens as a whole, leading to an increase in concern and vigilance regarding terror threats. Whether this sentiment remains as vibrant today is beyond the scope of this Note, but terror threats are ever-present,[94] suggesting this rationale is unlikely to fade. Evidence of an ongoing desire to manage the danger includes the U.S. government’s covert surveillance tactics, as exposed by the documents leaked by Edward Snowden.[95]

An additional rationale for the U.S. stance on privacy regulation results from a desire to maintain a free market economy with limited government regulation. The idea is that the government should limit regulations on businesses and allow the market to police itself. For instance, the Clinton administration advocated for industry-specific self-regulation, as opposed to government regulation.[96] That is not to say that the Clinton administration was opposed to privacy regulations, but this advocacy was a clear endorsement of a fragmented system of dealing with privacy issues. Additionally, one commentator described the Safe Harbor as being a “minimalist solution” in order to avoid a trade war “that was supposed to evolve into something stronger. It transpired, however, that the United States never intended to follow through on commitments to strengthen it.”[97] While these anecdotes are far from dispositive, they do point to the endurance of an American philosophy holding that the government should not over-regulate markets.

This rationale, though, is at least debatable. For instance, President Obama released a report in January 2017 calling for increased privacy regulations and re-emphasizing the right to be protected from governmental intrusion.[98] The Obama administration itself, though, was heavily criticized upon the exposure of the PRISM program undertaken by the NSA.[99] Furthermore, the views expressed in this report may not be shared by the new administration, which removed the report from the White House website the day after President Trump’s inauguration and issued an executive order cutting back privacy protections for non-citizens just days after his inauguration.[100]

It would be remiss to paint a picture of the United States as being completely indifferent to individuals’ privacy rights. For instance, the First, Third, Fourth, Fifth and Fourteenth Amendments collectively provide the implicit foundation for many of the laws and regulations regarding privacy in the United States.[101] There are also numerous federal laws, including the Health Insurance Portability and Accountability Act of 1996, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and many others, that address the protection of private information.[102] Additionally, the Federal Trade Commission has broad powers to take enforcement actions regarding “unfair or deceptive acts or practices in or affecting commerce.”[103] On top of this, individual states have passed their own regulations, with California’s regarded as amongst the most comprehensive.[104] These different protective measures are likely in place because the U.S. government places at least some value on protecting individuals’ privacy.

The issue, however, is that a system like this is inherently flawed. Using a patchwork structure necessarily leaves gaps.[105] In addition to gaps, individual state and federal laws are often inconsistent with one another.[106] Unfortunately, the United States has consistently rejected both omnibus legislation and the fundamental-rights approach to data protection.[107] There is no more clear depiction of this than the egregious surveillance tactics used by the U.S. government and revealed in the Snowden leak. Just as September 11 dramatically changed the landscape of data privacy protection in the United States, the Snowden documents dramatically altered the state of EU-U.S. privacy relations.

III.  How the GDPR Affects the Current and Future Data Protection Landscape

The Directive has stood as the basis for EU data privacy law since 1995. The Directive provides the structure and legal guidelines with which the Safe Harbor, the Privacy Shield, the Model Clauses, and other transfer mechanisms seek to comply. The Directive, however, is nearing extinction. On April 14, 2016, the European Parliament approved the GDPR; it takes effect on May 25, 2018, at which point companies will need to be in compliance with the new, stronger regulation.[108] This section of this Note will focus on how the GDPR differs from the Directive and what that means in terms of compliance and the potential transfer mechanisms.

A.  What’s New in the GDPR?

The GDPR sets out to tackle the same goal as the Directive: protecting the fundamental rights and freedoms of the EU citizenry with regard to the handling of personal data.[109] The goal is to do this while also facilitating efficiencies within the European economy and helping to promote economic and social progress.[110] These goals, however, are pursued slightly differently in the GDPR than in the Directive.

First, as mentioned earlier, a relevant distinction between the GDPR and the Directive is identifiable by looking at the titles of the two enactments. The GDPR is a “regulation,” whereas the Directive is a “directive.” This matters because a directive gives only guidance to member nations, allowing each member nation to interpret the directive and achieve its purposes in whatever way they deem appropriate.[111] A regulation, however, is applicable to each member nation and does not have to be enacted into each individual country’s legal framework.[112]

The impact of this should not be understated. A major issue with the current system is that companies must deal with greatly differing regulations in each nation in which they maintain data. This, in large part, will be eliminated. The EU stated in a press release that the estimated savings from creating a “one-stop-shop” will be in the neighborhood of €2.3 billion per year.[113] Nevertheless, while the GDPR will remove a substantial amount of the difficulty that has arisen from potentially having to comply with twenty-eight different member-state data protection laws, companies must be aware that there are still some areas in which member nations have discretion.[114] An example can be seen in Article 6(1)(e), regarding one way in which a company can legally process personal data.[115] This provision allows processing when “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”[116] All in all, though, one of the most consequential differences of the GDPR will be the decrease in administrative costs faced by companies who no longer have to negotiate, communicate, and work with data protection authorities from many different nations.

A second difference between the GDPR and the Directive is the strengthened focus on individuals’ rights vis-à-vis the way the world transfers, accesses, and uses data. In 2017, personal data is being transferred at speeds and in volumes that were unthinkable not long ago, and consumers recognize a need for strong protection. As stated by the EU, “[n]ine out of ten Europeans have expressed concern about mobile apps collecting their data without their consent.”[117]

The specific individual rights highlighted in the GDPR are the right to be informed, the right of access, the right of rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling.[118] These rights focus on two overarching goals of the GDPR. First, the GDPR increases the availability and clarity of the information provided to individuals whose data is being processed. Second, it grants citizens more control over the data they provide and also gives the citizens easier access to legal remedies for breaches. While not all of these rights are completely new or different than rights discussed in the Directive, in general they are written in a way that strengthens the rights of the citizen.[119]

Third, the definition and application of “consent” have been adjusted to further protect individuals. Consent needs to be clear, unambiguous, specific, informed, and freely given.[120] Further, the language in the GDPR seems to have noticeably narrowed the possibility of a type of implied consent arguably possible under the Directive.[121] The GDPR also has another important new feature regarding consent. Individuals are now allowed to withdraw consent at any time, and this withdrawal must be as easy to execute as the original consent.[122] This further emphasizes the strong weight the EU has placed on strengthening the role of the individual in the handling of one’s private information.

Fourth, the enforceability of the GDPR and the accountability of companies have been enhanced by new procedures, which companies must follow in order to ensure that data is appropriately protected and processed. The accountability principle accompanies transparency in an attempt to strengthen citizens’ trust in how their data is handled.[123] One way of accomplishing corporate accountability is by mandating “[d]ata protection by design” and “[d]ata protection by default.”[124] These concepts, in short, mean that projects being designed or undertaken by companies must consider appropriate data protection mechanisms from inception and throughout their duration.[125] This includes safeguards such as minimizing the processing of personal data, anonymizing data as soon as possible, and building services and applications with state-of-the-art data protection.[126] Accountability is also addressed in a few other ways. First, there are stricter regulations governing how companies record what data they are processing and for what purpose.[127] Second, extensive privacy impact assessments are necessary to comply with the requirement that companies maintain effective procedures to protect personal data.[128] These assessments analyze the risks to individuals, determine the necessity and proportionality of the processing in relation to the purpose, and give a description of the processing operations and the legitimate interests pursued by the data controller.[129] Lastly, data protection authorities will be able to fine companies up to 4 percent of their global annual revenue for violations of the rules.[130]

Certainly there are other differences between the two enactments, but I have highlighted the most relevant to the issue at hand. Altogether, the key differences between the GDPR and the Directive are that the GDPR (1) takes a stronger stance on the accountability and enforcement of the principles that underlie the regulation and (2) gives individuals access to more information and a larger role to play in the data processing process. Each of these goals is championed by the EU and appears to have played an important role in the creation of the GDPR.[131] The GDPR balanced pro-economic benefits by achieving a “one-stop-shop” concept to dramatically reduce transaction costs for companies, especially those operating in more than one EU nation, and secured pro-individual rights through greater transparency and accountability from companies processing personal data.

B.  How Does This Affect Data Transfer Mechanisms?

As alluded to in the previous section, there are more than a few new and unique challenges that companies will face in trying to transfer data across the Atlantic. The GDPR, however, does quite a bit to clarify the transfer mechanisms available to companies, while also introducing a few new ones. I will focus on BCRs, Model Clauses, and Codes of Conduct and Certification Mechanisms.

1.  BCRs

The GDPR provides a very important upgrade to the BCRs that were developed based on the Directive. In an attempt to increase consistency of the enforcement of the data protection laws, indirectly reducing transaction costs and thus appeasing businesses, the GDPR formally recognizes the use of BCRs and lays out a mechanism for utilizing and monitoring BCRs in Article 47.[132] Prior to this change, companies would need separate approvals from each country in which they handled personal data, and only two-thirds of EU member nations recognized BCRs as appropriate protective measures.[133] These upgrades will certainly help to make BCRs much more efficient for companies with entities in various countries.[134] However, as will be discussed in Part IV, BCRs are still far from a perfect option for the vast majority of companies.

2.  Model Clauses

As stated in Article 46, Model Clauses will remain an appropriate safeguard for transferring data so long as the clauses are approved as described in Article 93(2).[135] As with BCRs, the provisions of the GDPR substantially reduce the administrative burden of Model Clauses. There are a few relevant changes that facilitate this increase in efficiency. First, the EU Commission will create a new set of Model Clauses pursuant to the GDPR, which will not require the prior authorization of the nation from which the data is being processed.[136] While the Model Clauses have long been intended to need little-to-no approval from individual nations under the Directive, nation-specific issues still existed regarding appropriate filings, monitoring, and additional objections.[137] Another relevant change involves ad hoc contractual clauses. These can include independently drafted clauses or some variations to the terms of the Model Clauses. The GDPR makes it so that these clauses will need to be approved only by an appropriate supervisory authority in order to apply to all EU nations.[138] In contrast, the Directive’s clauses required approval by each and every nation’s data protection authority before they could be considered adequate.[139] Here, the important differences are that these clauses are intended to increase efficiency, accomplished by the overarching “one-stop-shop” notion, and to provide flexibility for companies to create adequate provisions that better fit their businesses.

3.  Codes of Conduct and Certification

Two of the unique transfer mechanisms detailed in the GDPR are the Codes of Conduct and Certification. Article 40 of the GDPR explains that a notable goal of EU privacy officials is to encourage the creation of Codes of Conduct.[140] The Codes of Conduct in large part work like a non-member state seeking to acquire an adequacy decision under the Directive or a single entity seeking approval of BCRs, except that the codes apply to associations or representative bodies.[141] This option is targeted at small- and medium-size companies within certain sectors of the economy that frequently do business with one another.[142] The codes, if certified by an appropriate supervisory authority and combined with binding and enforceable commitments of the controller/processer to use adequate safeguards, qualify as an appropriate transfer mechanism for data leaving the EU.[143] The codes, however, must be reviewed by multiple levels of the EU data privacy hierarchy in order to be deemed to have “general validity within the Union,” which places an administrative hurdle on the use of this option.[144]

Certification, as described in Article 42, is a transfer mechanism that remains in its infancy, but it is very similar to the Codes of Conduct.[145] Certification mirrors the Codes of Conduct in the sense that it is intended to benefit small and medium-size companies, it has a similar registration and approval process, and it legitimizes data transfers when combined with appropriate commitments of the controller/processer.[146] It also bears similarity in that it has the effect of a non-member state’s receiving an adequacy decision, but the key difference between the two is that Certification can be obtained by a single company.

IV.  The Fatal Flaws of the Privacy Shield, Model Clauses, and BCRs

A.  Privacy Shield

It is worth stating at the outset that the Privacy Shield agreement is between the United States and the EU. This is an important starting point, because this transfer mechanism is unique: companies relying on it are relying not just on their own compliance with EU data regulations, but also on the assumption that actions of the U.S. government (such as the illegal surveillance actions that led to Schrems I and the Safe Harbor invalidation) will not jeopardize privacy relations with Europe. This is a risky position for a corporation to place itself in, as the relationship between the EU and the United States is sown with distrust and remains incredibly fragile due to the Snowden revelations. Additionally, the necessity for a better understanding of the shortcomings of the Privacy Shield is underscored by the fact that over 2,400 companies have signed up for it as of late 2017.[147] This Note will now address some of the risks associated with choosing this method.

First, the Privacy Shield is an unsatisfactory solution for companies aware of the GDPR’s imminence. The Privacy Shield was created in line with the no-longer-applicable provisions of the Directive, instead of with the stronger privacy protections contained in the GDPR. Because of this, it will likely fail to meet the heightened requirements of the GDPR, and it will thus have to undergo serious revision.[148] As seen with the struggle to agree on the Privacy Shield in a quick and efficient manner following the invalidation of the Safe Harbor,[149] revisions to the Privacy Shield or the drafting of a new agreement altogether may create substantial delays and unwanted uncertainty.

Second, as laid out in Part II of this Note, the United States and EU have vastly different views on privacy rights. Granted, they each have a strong incentive to bridge the gap, given the undeniable economic benefits for doing so. But this may be especially hard to do in light of President Trump’s strong stance regarding the utilization of surveillance to combat terrorism. Before taking office, Trump had already encouraged a boycott of Apple products due to its refusal to create a “back door” entry into the cell phone of one of the San Bernardino shooters,[150] and said that he believed that the NSA “should be given as much leeway as possible. However . . . . [t]here must be a balance between those Constitutional protections and the role of the government in protecting its citizens.”[151]

Once in the White House, Trump further strained EU-U.S. privacy relations by issuing an executive order excluding non-U.S. citizens from the protections of the Privacy Act of 1974.[152] In reply, Jan Philipp Albrecht, the rapporteur for the EU’s data protection regulation, tweeted that the EU should immediately suspend the Privacy Shield and sanction the United States.[153] The European Commission issued a statement noting that the Privacy Shield “does not rely on the protections under the U.S. Privacy Act.”[154] Nonetheless, this has added to the tension between the EU and United States and further brought the validity of the Privacy Shield into question. While it is unclear how President Trump and Congress will handle impending issues related to privacy protections, like the expiration of Section 702 of the U.S. Foreign Intelligence Surveillance Act,[155] companies should be aware of the potential for the White House and Congress—each with an eye toward increasing government surveillance—to drastically increase U.S.-EU tensions and put the Privacy Shield at risk.

Third, there are fundamental aspects of the Privacy Shield that are inconsistent with the GDPR and are subject to the same criticisms that led to the Safe Harbor’s invalidation. First, the EU hails U.S. assurances that it will limit mass surveillance.[156] Not only did these assurances come from the potentially more privacy-friendly Obama administration, but they also seem weaker than is acceptable under the GDPR standards. For instance, the NSA maintains the ability to utilize “bulk” collection tactics, so long as they are consistent with various opaque limitations subject to a good deal of interpretation.[157] Second, the Privacy Shield’s lauded redress mechanisms, which utilize an independent ombudsperson,[158] are vastly overstated, as well as undermined by a clear conflict of interest: the ombudsperson is appointed by, and reports to, the U.S. Secretary of State.[159] Certainly, the Privacy Shield attempts to lay out provisions to ensure the independence of the ombudsperson, but these provisions are speculative at best. Most importantly, it is difficult to imagine their being considered protections “essentially equivalent” to those afforded by EU member nations.

Fourth, the Privacy Shield is already facing legal challenges, largely in line with the above points,[160] and the initial version received harsh criticism from the Article 29 Working Party regarding the precise issues that led to the Safe Harbor invalidation.[161] Are these legal challenges likely to succeed? It is unclear. Was the Privacy Shield revised to try and appease the Article 29 Working Party? Yes.[162] Regardless, it is concerning that the Privacy Shield is facing such hurdles so early on, especially considering the panicked state in which the Safe Harbor invalidation left so many companies, as well as the already tenuous relationship between the U.S. and EU.[163]

In summation, the Privacy Shield agreement is a potentially dangerous option for U.S. companies. While it certainly has some benefits in terms of relative ease of implementation and flexibility,[164] it is shrouded in uncertainty and question marks. The question marks remain the same as those that led to the invalidation of the Safe Harbor, and with a surveillance-friendly administration in the White House, the relationship between the EU and U.S. will likely remain uneasy going forward. A potential invalidation would leave thousands of companies scrambling for an alternative method of compliance while risking steep fines. Therefore, the decision to certify under the Privacy Shield is the decision to place faith in a hastily prepared band-aid fix for the bursting dam that followed the invalidation of the Safe Harbor. It requires not only trust in one’s own ability to comply with the more complex EU regulations but also trust that U.S.-EU privacy relations will not slip from the shaky ground on which they already reside. That is a scary decision to make, and one that I would not advise.

B.  Model Clauses

While the forecast for the Privacy Shield is decidedly gloomy, the outlook for Model Clauses seems at least somewhat brighter. However, there are a few definitive practical flaws that make Model Clauses an insufficient option for long-term GDPR compliance. I will briefly discuss some of the basic practical issues with using Model Clauses, including their rigidity and the cumbersome aspect of having to include them in every data-transfer-related contract, before focusing on the more concerning, potentially fatal flaws regarding the legal validity of this compliance mechanism.

First, the GDPR has not expressly accepted the current Model Clauses. Instead, as described in Part III above, the GDPR outlines a process through which the EU Commission will create a new set of Model Clauses.[165] Utilizing one of the three current sets of Model Clauses is therefore a temporary solution at best. One additional general criticism of Model Clauses is that companies must be sure to include them in every single contract they have in order to validly transfer data. Thus, if the current Model Clauses are not valid under the GDPR, companies will be forced to amend every single contract relating to data transfers. While it is certainly possible that the current Model Clauses may be determined to provide adequate safeguards, it seems unlikely that the GDPR would make no mention of them if this were more assuredly the case, particularly since BCRs were explicitly included and described.

Second, and to go even further with the point above, the current Model Clauses’ validity is hotly contested. One of the strongest examples of pushback came in a position paper from the Independent Center for Privacy Protection in Schleswig-Holstein (“ULD”).[166] In this paper, the ULD took a powerful stance, stating that “a data transfer on the basis of Standard Contractual Clauses to the US is no longer permitted.”[167] Soon after, a conference of Germany’s data protection commissioners largely agreed.[168] Model Clauses also face legal challenges via Maximilian Schrems’s class-action lawsuit against Facebook.[169] The case is progressing slowly due to procedural issues, but it highlights the volatility surrounding the Model Clauses.[170] However, the views of those objecting to the validity of the Model Clauses are not unanimously held. For instance, the Article 29 Working Party and the EU Commission have continued to back the Model Clauses in spite of Schrems I.[171] Even so, it is difficult to ignore the uncertainty surrounding these clauses and the potential expense their invalidation or amendment would incur.

Third, the current challenges described above have legitimacy. As the ULD stated, American companies using Model Clauses are subject to American surveillance laws, the same ones that led to the invalidation of the Safe Harbor and which make it impossible to provide the necessary protections for citizens.[172] The notion is simple: having Model Clauses in a contract will do nothing to stop the United States from conducting the types of surveillance that led to the invalidation of the Safe Harbor. Because of this, U.S. companies will not be able to comply with the section of the clauses stating that U.S. companies are not subject to laws that make it impossible to follow the instructions of the data exporter.[173] This contention has not yet led to the invalidation of the Model Clauses, but it remains a cloud hanging over their legitimacy.

In summation, Model Clauses are a risky option for companies for multiple reasons. First, using the current Model Clauses will lead to companies having to amend every one of their contracts when the GDPR begins to be enforced. This will be both costly and time-consuming. Also, the Model Clauses already face scrutiny from certain nations’ data protection authorities and could very well be invalidated even before the GDPR comes into play. Again, this would leave companies scrambling to find a new, legally valid mechanism. All this being said, of course, once the EU Commission approves GDPR-compliant Model Clauses, it may well be smart to utilize them, and they should be analyzed at that time. The issue is that these clauses do not yet exist, and the current Model Clauses are riddled with issues.

C.  BCRs

BCRs are a long-standing mechanism available by which U.S. companies comply with EU privacy laws. Despite having a history of valid and adequate protection, however, BCRs today are practically useless for most companies. The fatal flaws of BCRs generally stem from the practical impediments to their use as well as their now-questionable legal validity.

First, BCRs only apply to a very specific type of data transfer, making them unavailable to many companies. They apply when data is transferred amongst entities that are part of the same corporate group.[174] Because of this, BCRs are useless for companies that transfer data externally. This excludes a wide variety of industries, including those which transfer human resources data to third parties and which transfer third-party market research data. Thus, many companies cannot use BCRs based upon a basic limiting factor.

Second, practical impediments to BCR approval eliminate this option for the vast majority of remaining companies. Companies must receive approvals from each separate data protection authority, which can take between eighteen and twenty-four months.[175] To further illustrate the difficulty and limited usefulness of BCRs, in more than ten years of their validity as a transfer mechanism, only around one hundred companies have actually obtained approval.[176] The enormous costs of compiling the BCRs make them viable only for massive multinational corporations like General Electric or Shell.[177] Entities with both the resources to pursue the BCR process and strictly (or mainly) intra-company data transfer requirements comprise a decidedly limited category, and many within it will still choose to pursue less burdensome and more practical mechanisms.

Third, BCRs currently face the same legal challenges as Model Clauses. To summarize, some data protection authorities have stopped considering BCRs as an acceptable transfer mechanism.[178] Currently, BCRs are only recognized by about two-thirds of member nations.[179] Ultimately, companies must recognize that the validity of BCRs, like Model Clauses, is necessarily clouded following Schrems I, and that countries have already begun to show distaste for them.

However, BCRs were significantly strengthened via the GDPR, and their future legal validity seems to stand on much firmer ground than the Model Clauses. The GDPR will also allow BCRs to apply to transfers outside the corporate group.[180] These transfers must be accompanied by commitments and agreements of the external parties to provide adequate protections,[181] a requirement that essentially replicates the Model Clauses. Companies will now have to take the time and effort to include contractual protections in every contract they make, thus removing one of the benefits of BCRs—not having the burden of exacting privacy commitments in every contract. Additionally, if a company is going to pursue this option, it is important to guarantee that its BCRs are GDPR-compliant. Companies currently using BCRs may see them invalidated or in need of revision in the future.

Nonetheless, BCRs remain an untenable option for most companies. While the GDPR appears to streamline the process of BCR adoption through the one-stop-shop concept that is inherent in the regulation,[182] it is still a complex process demanding substantial resources. Further, there is no evidence that approvals will indeed be streamlined using the GDPR. At this point, any increase in efficiency promised by the GDPR’s passage is speculative at best.

Ultimately, BCRs may be better suited to overcome legal concerns than the other mechanisms and may serve as a relatively stable transfer mechanism under the GDPR. However, BCRs still face the limitations mentioned in the first two points above: they are only viable for large, multinational corporations that are primarily transferring data amongst their own corporate groups. Because of this, BCRs are a solution in only very limited circumstances.

V.  So, What Options Do Companies Have?

All hope is not lost. Data is still going to flow across the Atlantic. Many of the above mechanisms will continue to be used, and companies will, at least for the time being, be able to get away without updating and adjusting their privacy policies to conform with the upcoming implementation of the GDPR. For instance, a survey from July 2017 found that 89% of U.S. organizations impacted by the GDPR are unprepared for the upcoming changes.[183] Companies that choose not to address this matter risk facing massive expenses if and when their privacy policies become inadequate.

There are a few potential options that companies can begin to adopt in order to best prepare themselves for privacy regulations going forward. However, there simply is no right answer, no magic solution to insulate companies from all risk. The suggestions below have their flaws, but in my estimation, they provide additional security for companies facing an uncertain privacy landscape. Finally, though it almost goes without saying, companies must strongly consider layering their privacy measures. Having multiple levels of transfer mechanisms enables companies to continue operations if one mechanism faces legal troubles, and they can save companies from the substantial costs of having to rapidly institute new compliance measures. It would be foolish for cautious firms not to diversify their privacy measures, just as it would be foolish for cautious investors not to diversify their investments.

That said, I will discuss how obtaining consent and utilizing the GDPR Codes of Conduct and Certification are useful privacy protections to layer on top of other transfer mechanisms.

A.  Consent

As discussed above, a major goal of the GDPR is to increase transparency and give individuals more of a role in how their data is handled.[184] Because of this, consent is discussed at great length in the GDPR.[185] The notion of consent necessarily depends on providing information to the individual whose data will be transferred. Thus, obtaining consent is a valuable tool for acting in accordance with the spirit of the GDPR and thus (potentially) appeasing privacy officials. Consent, however, is not a perfect solution. Consent must be free and specific.[186] This standard can be difficult to achieve in some situations and may not be in a company’s best interest in other situations. For instance, consent to the transfer of human resource data is problematic in an employer-employee relationship in which there is a clear bargaining advantage for the side receiving the data.[187] For example, if a job offer is conditioned on consent to data transfers, the consent that is received is unlikely to be considered “free.” Also, the GDPR mandates that individuals need to consent to the specific use of their data.[188] Some companies may be using data in ways that may be dissatisfying to their users or customers, which could cause bad publicity. Consent is also limited by the age of the individual whose data is being processed. The GDPR states that the processing of data of individuals younger than sixteen will require parental permission, and it gives member nations the choice to lower this age to thirteen.[189] Because of this, companies—like Facebook—with younger users face real difficulties in obtaining adequate consent.

Nonetheless, this is a very good starting point for many firms. Companies are already required to process data in a manner consistent with a clear purpose.[190] This purpose should be articulable to the individuals whose data is being processed, and so consent should be at least theoretically possible. Finally, the cost and additional burden associated with obtaining consent may be minimal for companies, depending on their specific situations, and proper attempts to obtain that consent will likely be viewed positively by the data protection authorities, who have clearly placed an emphasis on this transfer mechanism.

B.  Prepare for the GDPR

During this notably volatile time for data privacy compliance, a company should utilize multiple transfer mechanisms, and beyond this, organizations would be wise to begin preparing to meet the stricter regulations of the GDPR. Updating transfer mechanisms in line with the GDPR is a time-consuming and expensive venture,[191] but it is the single best way to minimize risk during this volatile time. To do this, companies will want to work with data protection authorities and/or hire a data protection officer to revise their current Model Clauses or BCRs in line with what the GDPR expects. Further, companies should consider pursuing Codes of Conduct and Certification. These options allow for a certain level of flexibility and insulation from regulatory charges in the country.[192] Additionally, the EU Commission specifically emphasized using these mechanisms.[193] Using the mechanism may thus show an intention to act in line with the goals of the Commission and engender some goodwill. It is not to say that these must be pursued, but at minimum, they should be considered and evaluated. Moreover, despite the criticisms of Model Clauses and BCRs, they can be viable options when drafted in compliance with the GDPR. What is most important here is that companies take the time to work with data protection officers or agencies to ensure that the mechanisms they plan to utilize are GDPR compliant.

In conclusion, depending on the company’s data processing activities, Model Clauses, BCRs, Informed Consent, and/or Codes of Conduct/Certification may be utilized as viable transfer mechanisms if managed and developed in line with the stricter language of the GDPR. On the other hand, companies relying solely on the Privacy Shield, despite its questionable validity and the fragile state of EU-U.S. affairs, expose themselves to substantial risk, which could prove costly to the greater of €20,000,000 or 4% of annual revenue. That being said, determining the best way to insulate any given company from the risks associated with volatile data privacy laws is incredibly difficult. The best thing a company can do to combat this difficulty is to understand what exactly the GDPR will demand and to prepare accordingly. In the meantime, companies can weather the storm, using their understanding of the GDPR to revise current policies to align with the stricter realities of the future. Ultimately, developing an understanding of the variety of options that can be used, employing different transfer mechanisms based on particular data transfer needs and data types, and being proactive will save a company substantial costs and significantly reduce its risk exposure.

 


[*] J.D. candidate, University of Southern California Gould School of Law, 2018. I am forever grateful to my best friend and fiancée, Venessa Simpson, for the endless love and support she has provided me throughout college and law school, and to my mom and dad, the most loving, caring, and supportive parents there are; you three are my inspiration and make me want to be a better person each and every day. Many thanks also to Professor Valerie Barreiro for your guidance and feedback during the note-writing process and to Jonathan Frimpong, Emily Arndt, and James Salzmann for your invaluable and much-needed feedback and editing expertise.

 [1]. Luke Harding, How Edward Snowden Went from Loyal NSA Contractor to Whistleblower, Guardian (Feb. 1, 2014, 6:00 A.M.), https://www.theguardian.com/world/2014/feb/01/edward-snowden-intelligence-leak-nsa-contractor-extract.

 [2]. Id.

 [3]. Id.

 [4]. Id.

 [5]. See Schrems v. Data Protection Commissioner, Electronic Privacy Info. Ctr. [hereinafter Schrems], https://epic.org/privacy/intl/schrems (last visited Nov. 15, 2017).

 [6]. See Harding, supra note 1.

 [7]. Id.

 [8]. Directive 95/46, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art. 1, 1995 O.J. (L 281) 31, 38 (EC) [hereinafter Directive 95/46/EC]. The Directive has since been replaced by the General Data Protection Regulation (“GDPR”). See Commission Regulation 2016/679, 2016 O.J. (L 119) 1 [hereinafter General Data Protection Regulation]. The GDPR will be addressed in depth in Part III of this Note.

 [9]. See Convention for the Protection of Human Rights and Fundamental Freedoms, art. 8, Nov. 4, 1950, 213 U.N.T.S. 221, 230.

 [10]. See McKay Cunningham, Complying with International Data Protection Law, 84 U. Cin. L. Rev. 421, 422 (2016).

 [11]. See id.

 [12]. See Commission Decision of 26 July 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce, art. 1, 2000 O.J. (L 215) 7, 8 [hereinafter Safe Harbor].

 [13]. Case C-362/14, Schrems v. Data Prot. Comm’r, ECLI:EU:C:2015:650, http://curia.europa.eu/juris/document/document.jsf?docid=169195&doclang=EN.

 [14]. The EU Model Clauses are also referred to as Standard Contractual Clauses. For convenience, the term “Model Clauses” will be used throughout this Note.

 [15]. See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield Draft Adequacy Decision (2016) [hereinafter Opinion 01/2016], http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf.

 [16]. Schrems, ECLI:EU:C:2015:650, ¶¶ 73–74, 96.

 [17]. U.S. Dep’t. of Health, Educ., & Welfare, No. (OS) 73–94, Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems 41 (1973).

 [18]. See id.

 [19]. Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (codified as amended at 5 U.S.C. § 552a (2012)).

 [20]. Robert Gellman, Fair Information Practices: A Basic History 5 (Apr. 10, 2017) (unpublished manuscript) (https://bobgellman.com/rg-docs/rg-FIPshistory.pdf).

 [21]. Gellman, supra note 20, at 5.

 [22]. Id. at 10. See also 6 U.S.C. § 142. For further discussion, see infra Part II.

 [23]. Gellman, supra note 20, at 6.

 [24]. Org. for Econ. Co-operation & Dev., Recommendation of the Council Concerning Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Sept. 23, 1980), reprinted in OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 11 (2002).

 [25]. Id. at 14–16. As further proof of the enduring nature of these principles, the OECD reviewed the principles in 2013 in light of the changes over the past thirty years, choosing to maintain the eight principles in their original form. Org. for Econ. Co-operation & Dev., The OECD Privacy Framework 14–15 (2013), http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.

 [26]. See Directive 95/46/EC, supra note 8, art. 1, at 38 (“In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”).

 [27]. See General Data Protection Regulation, supra note 8, art. 5, at 35–36.

 [28]. See Safe Harbor, supra note 12, art. 1, at 8 (describing how companies that self-certify can comply with the Safe Harbor requirements).

 [29]. See Kelli Clark, The EU Safe Harbor Agreement Is Dead, Here’s What to Do About It, Forbes (Oct. 27, 2015, 3:30 P.M.), http://www.forbes.com/sites/riskmap/2015/10/27/the-eu-safe-harbor-agreement-is-dead-heres-what-to-do-about-it/#29a319fc7171.

 [30]. See id.

 [31]. See U.S. Dep’t of Commerce, U.S.-EU Safe Harbor Framework: Guide to Self-Certification 4–10 (2013), https://build.export.gov/build/groups/public/@eg_main/@safeharbor/documents/webcontent/eg_main_061613.pdf. See also Safe Harbor Fees, Export.gov, https://2016.export.gov/safeharbor/eg_main_020436.asp (last visited Oct. 15, 2017) (“An organization that is self-certifying its compliance with the U.S.-EU Safe Harbor Framework and/or the U.S.-Swiss Safe Harbor Framework for the first time on or after March 1, 2009 must remit a one-time processing fee of $200.00.”).

 [32]. See Directive 95/46/EC, supra note 8, art. 25, at 45–46.

 [33]. Case C-362/14, Schrems v. Data Prot. Comm’r, ECLI:EU:C:2015:650, ¶ 28, http://curia.europa.eu/juris/document/document.jsf?docid=169195&doclang=EN. See also Schrems, supra note 5.

 [34]. See Schrems v. Data Protection Comm’n [2014] IR 75, ¶ 29 (H. Ct.) (Ir.).

 [35]. Nora Ni Loidean, The End of Safe Harbor: Implications for EU Digital Privacy and Data Protection Law, 19 No. 8 J. Internet L. 1, 1, 9 (2016) (quoting Schrems, IR 75, ¶ 29).

 [36]. Schrems, IR 75, ¶ 69.

 [37]. See id. ¶ 71.

 [38]. See Case C-362/14, Schrems, ¶ 107.

 [39]. Id. ¶ 96.

 [40]. Id. ¶ 86.

 [41]. See Clark, supra note 29.

 [42]. See Opinion 01/2016, supra note 15.

 [43]. See European Commission Press Release IP/16/2461, European Commission Launches EU-U.S. Privacy Shield: Stronger Protection for Transatlantic Data Flows (Jul. 12, 2016), http://europa.eu/rapid/press-release_IP-16-2461_en.htm.

 [44]. Id.

 [45]. Loidean, supra note 35, at 7–12.

 [46]. See European Commission Press Release IP/16/2461, supra note 43.

 [47]. Id.

 [48]. European Commission Statement 16/1403, Joint Statement on the Final Adoption of the New EU Rules for Personal Data Protection (Apr. 14, 2016), http://europa.eu/rapid/press-release_STATEMENT-16-1403_en.htm.

 [49]. European Commission Memorandum 15/6385, Questions and Answers—Data Protection Reform (Dec. 21, 2015), http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm.

 [50]. European Commission Press Release IP/16/2461, supra note 43.

 [51]. See Schrems, supra note 5; Tomaso Falchetta, New ‘Shield’, Old Problems, Privacy Int’l (July 7, 2016), https://www.privacyinternational.org/node/889.

 [52]. See Exec. Order No. 13,768, 82 Fed. Reg. 8799 (Jan. 25, 2017). See also infra Part IV.A.

 [53]. Schrems, supra note 5.

 [54]. Id.

 [55]. See General Data Protection Regulation, supra note 8, art. 83, at 82–83. Fines can total up to €20,000,000 or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. Id. at 83.

 [56]. Francoise Gilbert, EU General Data Protection Regulation: What Impact for Businesses Established Outside the European Union, 19 No. 11 J. Internet L., May 2016, at 3, 4–6.

 [57]. Overview on Binding Corporate Rules, Directorate General for Just. & Consumers, http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm (last visited Nov. 16, 2017).

 [58]. Id.

 [59]. Id.

 [60]. Id.

 [61]. Id.

 [62]. See Melinda L. McLellan & William W. Hellmuth, Safe Harbor is Dead, Long Live Standard Contractual Clauses?, Data Privacy Monitor (Oct. 22, 2015), https://www.dataprivacymonitor.com/enforcement/safe-harbor-is-dead-long-live-standard-contractual-clauses (summarizing best practices for the usage of Model Clauses following the invalidation of the Safe Harbor Framework by the CJEU).

 [63]. See id. See also Model Contracts for the Transfer of Personal Data to Third Countries, Directorate General for Just. & Consumers, http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm (last visited Nov. 16, 2017).

 [64]. Data Prot. Unit, Directorate Gen. for Justice and Consumers, Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries 26–28 (2009), http://ec.europa.eu/justice/data-protection/international-transfers/files/international_transfers_faq.pdf.

 [65]. McLellan & Hellmuth, supra note 62.

 [66]. Practical Law Intellectual Prop. & Tech., Expert Q&A: EU-US Personal Information Data Transfers (2016), Westlaw W-000-8901.

 [67]. Id.; Data Prot. Unit, supra note 64, at 48.

 [68]. Cunningham, supra note 10, at 422.

 [69]. Directive 95/46/EC, supra note 8, art. 1, at 38.

 [70]. See generally Cunningham, supra note 10, at 422 (“Unlike in Europe, U.S. law does not recognize a fundamental right to privacy.”); Loidean, supra note 35, at 8 (stating that the United States has a framework that has “rejected the fundamental rights approach to information privacy”).

 [71]. Charter of Fundamental Rights of the European Union, art. 8, 2012 O.J. (C 326) 391, 397. Cf. Bradyn Fairclough, Privacy Piracy: The Shortcomings of the United States’ Data Privacy Regime and How to Fix It, 42 J. Corp. L. 461, 466 (2016) (discussing how in the United States this right is never explicitly stated in the Constitution, and it is only implied to be relevant in certain specific areas).

 [72]. Jörg Rehder & Erika C. Collins, The Legal Transfer of Employment-Related Data to Outside the European Union: Is It Even Still Possible?, 39 Int’l Law. 129, 130 (2005) (quoting Directive 95/46/EC, supra note 8, art. 1, at 38).

 [73]. Cunningham, supra note 10, at 426–27.

 [74]. Id.

 [75]. See Gellman, supra note 20, at 6–10.

 [76]. Cunningham, supra note 10, at 427.

 [77]. Directive 95/46/EC, supra note 8, art. 28, at 47–48.

 [78]. See id. art. 25, at 45–46.

 [79]. Cunningham, supra note 10, at 426–27.

 [80]. See id. at 426–27 (“The Directive set the international standard for data privacy and security regulation and facilitated a trend among technologically advanced countries toward adopting nationalized data privacy laws.”).

 [81]. See generally Rehder & Collins, supra note 72, at 132.

 [82]. Manu J. Sebastian, The European Union’s General Data Protection Regulation: How Will It Affect Non-EU Enterprises?, 31 Syracuse J. Sci. & Tech. L. 216, 225–26 (2015).

 [83]. See id.

 [84]. See Cunningham, supra note 10, at 422; Fairclough, supra note 71, at 464–66; Loidean, supra note 35, at 8.

 [85]. W. Gregory Voss, The Future of Transatlantic Data Flows: Privacy Shield or Bust?, 19 No. 11 J. Internet L. 1, 1, 9 (2016). See also Julie Brill, Commissioner, Fed. Trade Comm’n, Keynote Address at the Amsterdam Privacy Conference, Transatlantic Privacy After Schrems: Time for an Honest Conversation (Oct. 23, 2015), 2015 WL 9684096.

 [86]. See Cunningham, supra note 10, at 422–26.

 [87]. See id.

 [88]. Martin A. Weiss & Kristin Archick, Cong. Research Serv., R44257, U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield 3, 7 (2016).

 [89]. Gellman, supra note 20, at 10.

 [90]. Fairclough, supra note 71, at 463–66, 476.

 [91]. Gellman, supra note 20, at 19–20.

 [92]. See generally Rehder & Collins, supra note 72, at 131 (quoting David Scheer, Europe’s New High-Tech Role: Playing Privacy Cop to the World, Wall Street J., Oct. 10, 2003, at A1).

 [93]. Marsha Cope Huie et al., The Right to Privacy in Personal Data: The EU Prods the U.S. and Controversy Continues, 9 Tulsa J. Comp. & Int’l L. 391, 392 (2002).

 [94]. See generally Uri Friedman, Is Terrorism Getting Worse?, Atlantic (July 14, 2016), https://www.theatlantic.com/international/archive/2016/07/terrorism-isis-global-america/490352 (explaining the rise of terrorist attacks in the period from Operation Iraqi Freedom to the present).

 [95]. Harding, supra note 6, at 4–6.

 [96]. See Cunningham, supra note 10, at 423.

 [97]. Voss, supra note 85, at 10 (quoting Simon Davies, Privacy Opportunities and Challenges with Europe’s New Data Protection Regime, in Privacy in the Modern Age 55, 57 (Marc Rotenberg et al. eds., 2015)).

 [98]. White House, Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation, 3–9, 12–14 (2017).

 [99]. Kate Kaye, New Privacy Report Already Removed from White House Site, Ad Age (Jan. 20, 2017), http://adage.com/article/privacy-and-regulation/privacy-report-removed-white-house-site/307632.

 [100]. See Exec. Order No. 13,768, 82 Fed. Reg. 8799 (Jan. 25, 2017).

 [101]. Cunningham, supra note 10, at 422.

 [102]. Id. at 423–24. See Gramm-Leach-Bliley Act, Pub. L. 106-102, 113 Stat. 1338 (1999) (codified as amended at scattered sections of 12 U.S.C. (2012)); Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, 110 Stat. 1936 (codified as amended at scattered sections of 18 U.S.C., 26 U.S.C., 29 U.S.C., and 42 U.S.C.); Fair Credit Reporting Act, Pub. L. 91-508, 84 Stat. 1114-2 (1970) (codified at 15 U.S.C. 1681).

 [103]. Brill, supra note 85, at 1 (quoting 15 U.S.C. § 45(a)).

 [104]. Loidean, supra note 35, at 8.

 [105]. Id.

 [106]. See Cunningham, supra note 10, at 423.

 [107]. Loidean, supra note 35, at 8.

 [108]. EU GDPR Portal, http://www.eugdpr.org (last visited Nov. 16, 2017).

 [109]. General Data Protection Regulation, supra note 8, at 1.

 [110]. Id.

 [111]. Gilbert, supra note 56, at 4.

 [112]. Id.

 [113]. European Commission Statement 16/1403, supra note 48.

 [114]. Gilbert, supra note 56, at 4.

 [115]. Lawful Processing, Info. Commissioner’s Off., https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider (last visited Nov. 16, 2017).

 [116]. General Data Protection Regulation, supra note 8, at 9.

 [117]. European Commission Memorandum 15/6385, supra note 49. There is a growing concern over data privacy associated with in-home connected devices and apps, such as Amazon’s Alexa, and health-tracking devices, like Fitbit. For further discussion, see Sarah Kellogg, Every Breath You Take: Data Privacy and Your Wearable Fitness Device, 72 J. Mo. B. 76, 78–81 (2016); Adam R. Pearlman & Erick S. Lee, National Security, Narcissism, Voyeurism, and Kyllo: How Intelligence Programs and Social Norms Are Affecting the Fourth Amendment, 2 Tex. A&M L. Rev. 719, 760–62 (2015).

 [118]. Individuals’ Rights, Info. Commissioner’s Off., https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights (last visited Nov. 16, 2017).

 [119]. European Commission Memorandum 15/6385, supra note 49.

 [120]. General Data Protection Regulation, supra note 8, arts. 4, 7, at 34, 37. Consent is further discussed throughout the GDPR. See id., passim.

 [121]. See Gilbert, supra note 56, at 6–7. But see Cunningham, supra note 10, at 437–38.

 [122]. Sebastian, supra note 82, at 233.

 [123]. European Commission Memorandum 15/6385, supra note 49.

 [124]. Id. See also Ann Cavoukian, Privacy by Design: The 7 Foundational Principles (2011), https://www.iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf.

 [125]. Sebastian, supra note 82, at 230.

 [126]. General Data Protection Regulation, supra note 8, art. 25, at 48.

 [127]. Accountability and Governance, Info. Commissioner’s Off., https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance (last visited Nov. 16, 2017).

 [128]. Sebastian, supra note 82, at 231.

 [129]. Accountability and Governance, supra note 127.

 [130]. European Commission Memorandum 15/6385, supra note 49. To understand the potentially massive scope of these penalties, the fines that could be levied against Amazon and Google, based on their 2016 reported revenues, would be approximately $5.4 and $3.6 billion, respectively. Richard Stiennon, Unintended Consequences of the European Union’s GDPR, Forbes (Nov. 27, 2017, 6:26 P.M.), https://www.forbes.com/sites/richardstiennon/2017/11/27/unintended-consequences-of-the-european-unions-gdpr/#46aae406243c.

 [131]. Id.

 [132]. General Data Protection Regulation, supra note 8, art. 47, at 62–64.

 [133]. Gilbert, supra note 56, at 5 (stating that fewer than one hundred companies have sought to use BCRs, despite this option having been available for a decade).

 [134]. See Practical Law Intellectual Prop. & Tech, supra note 66.

 [135]. General Data Protection Regulation, supra note 8, arts. 46, 93, at 62, 86.

 [136]. Gilbert, supra note 56, at 4–5.

 [137]. See Directive 95/46/EC, supra note 8, arts. 21, 26, at 44, 46 (outlining the roles of member states in ensuring adequate protection for data transfers and the objections and limits that they may put in place). See also ULD Position Paper on the Judgment of the Court of Justice of the European Union of 6 October 2015, C-362/14 (Oct. 14, 2015), https://www.datenschutzzentrum.de/uploads/internationales/20151014_ULD-PositionPapier-on-CJEU_EN.pdf (arguing that Model Clauses are an inappropriate transfer mechanism for transfers to the United States, due to direct conflicts between U.S. law and the provisions in the Model Clauses).

 [138]. General Data Protection Regulation, supra note 8, arts. 92–93, at 85–86.

 [139]. Cunningham, supra note 10, at 438–40.

 [140]. General Data Protection Regulation, supra note 8, art. 40, at 56.

 [141]. See Directive 95/46/EC, supra note 8, arts. 25–26, 30, at 45–46, 48–49 (providing language regarding adequacy decisions).

 [142]. General Data Protection Regulation, supra note 8, art. 40, at 56.

 [143]. Gilbert, supra note 56, at 5.

 [144]. General Data Protection Regulation, supra note 8, art. 40, at 57.

 [145]. See generally id. art. 42, at 58–59.

 [146]. Compare id. with id. art. 40, at 56.

 [147]. Report from the Commission to the European Parliament and the Council on the First Annual Review of the Functioning of the EU–U.S. Privacy Shield, at 4, SWD (2017) 344 final (Oct. 18, 2017) [hereinafter Report on the First Annual Review]; Grant Gross, Tech Companies Like Privacy Shield but Worry About Legal Challenges, PCWorld (Dec. 21, 2016, 3:00 AM), http://www.pcworld.com/article/3152559/security/tech-companies-like-privacy-shield-but-worry-about-legal-challenges.html.

 [148]. Doron S. Goldstein et al., Understanding the EU-US “Privacy Shield” Data Transfer Framework, 20 No. 5 J. Internet L. 1, 1, 21 (2016).

 [149]. Privacy Shield Timeline, PrivacyTrust, https://www.privacytrust.com/privacyshield/privacy-shield-timeline.html (last visited Nov. 16, 2017).

 [150]. Reuters, Trump Election Ignites Fears over U.S. Encryption, Surveillance Policy, Fortune (Nov. 9, 2016), http://fortune.com/2016/11/09/trump-encryption-surveillance-policy.

 [151]. Yoni Heisler, A Comprehensive Look at All of Donald Trump’s Positions on Technology Issues, Boy Genius Rep. (Oct. 19, 2016, 10:53 A.M.), http://bgr.com/2016/10/19/donald-trump-politics-technology-opinions.

 [152]. See Exec. Order No. 13,768, 82 Fed. Reg. 8799 (Jan. 25, 2017).

 [153]. Jan Philipp Albrecht (@JanAlbrecht), Twitter (Jan. 26, 2017, 1:45 AM), https://twitter.com/JanAlbrecht/status/824553962678390784.

 [154]. Natasha Lomas, Trump Order Strips Privacy Rights from Non-U.S. Citizens, Could Nix EU-US Data Flows, TechCrunch (Jan. 26, 2017), https://techcrunch.com/2017/01/26/trump-order-strips-privacy-rights-from-non-u-s-citizens-could-nix-eu-us-data-flows.

 [155]. See Report on the First Annual Review, supra note 147, at 4. For additional discussion, see Kaye, supra note 99.

 [156]. European Commission Press Release IP/16/2461, supra note 43.

 [157]. See Commission Implementing Decision 2016/1250, 2016 O.J. (L 207) 1, 13–20 (EU).

 [158]. See id. at 28–29 (explaining that the ombudsperson is supposed to be independent from the U.S. intelligence agencies and is in charge of following up on complaints and enquiries from individuals regarding potential privacy violations).

 [159]. See id. at 27–29, 71.

 [160]. See Loyens & Loeff, Digital Rights Ireland Challenges EU-US “Privacy Shield,” Lexology (Nov. 4, 2016), http://www.lexology.com/library/detail.aspx?g=5055de04-e2d7-4b0b-9bbe-789a4a97b318; Reuters, French Privacy Groups Challenge the EU’s Personal Data Pact with U.S., Fortune (Nov. 2, 2016), http://fortune.com/2016/11/02/privacy-shield-pact-challenge.

 [161]. See Opinion 01/2016, supra note 15, at 9–14.

 [162]. See generally Voss, supra note 85 (discussing how the Privacy Shield came about and what it is meant to do).

 [163]. See Steven C. Bennett, EU Privacy Shield: Practical Implications for U.S. Litigation, 2 Prac. Law., Apr. 2016, at 60, 62–64.

 [164]. Goldstein et al., supra note 148, at 20 (discussing the Privacy Shield requirements and implications for participating organizations).

 [165]. See Cunningham, supra note 10, at 426–28; Gilbert, supra note 56, at 4–5.

 [166]. See ULD Position Paper, supra note 137.

 [167]. Id. at 4.

 [168]. See DSK Position Paper (Oct. 21, 2015), https://www.datenschutz-hamburg.de/fileadmin/user_upload/documents/DSK_position_paper_Safe-Harbor_2015-10-21.pdf.

 [169]. Matt Burgess, Facebook Privacy Case Is Making Its Way to the European Court of Justice, Wired (Sept. 13, 2016), http://www.wired.co.uk/article/facebook-privacy-eu-case-cjeu.

 [170]. Id.

 [171]. Darren Isaacs, Practical Strategies for Maintaining HR Data Flows from Europe to the US and Beyond—After the Schrems Case, ‘Safe Harbor 2.0’ and the Incoming Data Protection Regulation, 1 Emp. & Indus. Rel. L. 33, 33, 35 (2016).

 [172]. ULD Position Paper, supra note 137, at 4. See also Gross, supra note 147.

 [173]. See Commission Decision 2001/497/EC, app. 2, 2001 O.J. (L 181) 19, 22, 30 (EC).

 [174]. Overview on Binding Corporate Rules, supra note 57. See also Cunningham, supra note 10, at 439–40.

 [175]. See Cunningham, supra note 10, at 440; Gilbert, supra note 56, at 5.

 [176]. See Gilbert, supra note 56, at 5.

 [177]. Sebastian, supra note 82, at 242.

 [178]. DSK Position Paper, supra note 168, ¶ 2.

 [179]. Gilbert, supra note 56, at 5.

 [180]. See General Data Protection Regulation, supra note 8, art. 47, at 63.

 [181]. See id.

 [182]. European Commission Statement 16/1403, supra note 48.

 [183]. Alex Hickey, 6 Months to GDPR: What’s Next, CIO Dive (Nov. 28, 2017), https://www.ciodive.com/news/6-months-to-gdpr-whats-next/511761.

 [184]. See European Commission Statement 16/1403, supra note 48.

 [185]. See General Data Protection Regulation, supra note 8, passim.

 [186]. See id., arts. 4, 6–8, at 34, 36–38.

 [187]. See Isaacs, supra note 171, at 35.

 [188]. General Data Protection Regulation, supra note 8, art. 6, at 37.

 [189]. Gilbert, supra note 56, at 4.

 [190]. General Data Protection Regulation, supra note 8, at 6–7.

 [191]. See Pulse Survey: GDPR Budgets Top $10 Million for 40% of Surveyed Companies, PwC, https://www.pwc.com/us/en/increasing-it-effectiveness/publications/general-data-protection-regulation-gdpr-budgets.html (last visited Nov. 29, 2017) (finding that 40% of companies that have completed their GDPR preparations have spent more than $10 million).

 [192]. See General Data Protection Regulation, supra note 8, art. 40, at 56–58. See also Gilbert, supra note 56, at 3–5.

 [193]. See Gilbert, supra note 56, at 3–5.

 

The Second Amendment and Private Law – Article by Cody Jacobs

From Volume 90, Number 5 (July 2017)

The Second Amendment, like other federal constitutional rights, is a restriction on government power. But what role does the Second Amendment have to play—if any—when a private party seeks to limit the exercise of Second Amendment rights by invoking private law causes of action? Private law—specifically, the law of torts, contracts, and property—has often been impacted by constitutional considerations, though in seemingly inconsistent ways. The First Amendment places limitations on defamation actions and other related torts, and also prevents courts from entering injunctions that could be classified as prior restraints. On the other hand, the First Amendment plays almost no role in contractual litigation, even when courts are called on to enforce contractual provisions that directly restrict speech. The Equal Protection Clause was famously interpreted to bar the enforcement of a racially restrictive covenant in Shelley v. Kraemer, but in the years since, courts have largely limited that case to its facts.

This Article reconciles these disparate outcomes to develop a coherent theory of the role constitutional rights play in private law. The Article argues that three guideposts inform whether constitutional rights are applied to limit private law: (1) whether the private law cause of action threatens the core of a constitutional right, (2) whether placing a constitutional limitation on private law would impair other constitutional rights, and (3) whether the private law imposition on constitutional rights was freely bargained for. The Article then applies this framework to the individual Second Amendment right recognized in District of Columbia v. Heller by examining several areas where the right to keep and bear arms could intersect with private law, including negligent entrustment, products liability, and trespass.


 


An Ocean Apart: The Transatlantic Data Privacy Divide and the Right to Erasure – Note by Paul J. Watanabe

From Volume 90, Number 5 (July 2017)

This Note argues that fragmented free expression laws across European member states and data controllers’ ability to select their reviewing supervisory authority give U.S. data controllers latitude to exploit the privacy-expression balance in favor of the U.S. prioritization of expression. Whereas the current literature revolving around the right to be forgotten and the GDPR focuses on reconciling and converging transatlantic values of privacy and free expression, this Note examines the mechanisms of the European Union’s assertion and imposition of privacy values across the Atlantic through the right to be forgotten and the right to erasure and describes weaknesses in the GDPR that may undermine those mechanisms.

Part I outlines the diverging paths that led to the rift in data protection policy. Part II details how the experimental implementation of the Google Spain right to be forgotten preliminarily exported the European privacy scheme across the Atlantic, previewing the potential impact of the GDPR’s right to erasure. Part III outlines the provisions of the GDPR that thwart the right to be forgotten as a tool of imposing EU privacy values on U.S. data controllers. The Conclusion prophesies the ultimate effects of the Regulation on American privacy values, given the Regulation’s flaws.


 


Get a Warrant: A Bright-Line Rule for Digital Searches Under the Private-Search Doctrine – Note by Dylan Bonfigli

From Volume 90, Number 2 (January 2017)

 

A girlfriend hacks her boyfriend’s computer and discovers evidence of tax evasion. She contacts a local law enforcement officer who arrives at her house and looks at the files she found. Without a warrant, the officer opens other files in the same folder the girlfriend had searched. The officer notices another folder labeled “xxx.” He opens the folder and discovers child pornography. The officer seizes the computer based on what he found. The boyfriend is indicted for possession of child pornography and tax evasion. Before trial, the boyfriend moves to suppress all evidence obtained pursuant to the officer’s warrantless search of the computer. What evidence should the judge suppress?

The answer turns on the Fourth Amendment’s private-search exception. Under this exception, a government agent may recreate a search conducted by a private individual so long as the agent does not “exceed the scope” of the prior private search. The question under the existing framework is: at what point did the officer exceed the scope of the prior search—if at all? Was it when he viewed files the girlfriend had not viewed, when he opened files in a different folder, or did he stay within the scope of the girlfriend’s search by only searching the computer’s hard drive? This is what I will refer to as the denominator problem, which asks what courts should use as the unit of analysis to measure the scope of a digital search.

There are at least four competing approaches to the denominator problem, discussed in Part II, and the Supreme Court has provided little guidance on how the private-search doctrine applies to digital searches, resulting in a circuit split. Until this issue is resolved, law enforcement has little guidance on when to obtain a warrant following a private search and can unknowingly subject individuals to unreasonable invasions of privacy, which may result in suppression of relevant evidence. One recent example is United States v. Lichtenberger.


 


Secrecy, Standing, and Executive Order 12,333 – Note by Charlotte J. Wen

From Volume 89, Number 5 (July 2016)

In the summer of 2013, the National Security Agency (“NSA”) rocketed into headlines when Glenn Greenwald, a reporter at the Guardian, broke a stunning, Orwellian story: pursuant to top-secret court orders, Verizon and other major telephone service providers had granted the NSA blanket access to their American customers’ call records. These companies, Greenwald claimed, were providing the NSA with telephony metadata—general information about each of their customers’ calls, such as phone numbers, call lengths, and call times. In the face of the ensuing public outcry, the American government acknowledged the existence of the telephony metadata program. In doing so, however, it was careful to assert that the program, while secret, was nonetheless constitutional, and that the court orders had been issued pursuant to the Foreign Intelligence Surveillance Act (“FISA”).


 
