Privacy Law Archives – Southern California Law Review

Regulating Robotaxis

April 2026April 2026Bryant Walker Smith* & Matthew T. Wansley†

In several sunbelt cities, commercial robotaxi service has arrived. The leading robotaxi company is providing over 400,000 trips per week. The industry claims that robotaxis will save lives and provide convenient and affordable mobility. Critics counter that they will increase congestion, undermine transit, and subject the public to ubiquitous surveillance. We argue that the social impact of robotaxis depends on how they are regulated. We emphasize two points missing from the debate. First, some of the benefits of robotaxis may be political rather than technological—some longstanding public policy goals may become viable in a robotaxi world. Second, letting one private company dominate the transportation system risks monopoly abuse—and regulators can act now to prevent it.

In this Article, we offer a plan to regulate robotaxis. Carefully crafted externality regulation can address pollution, congestion, wear-and-tear on infrastructure, and privacy risks while minimizing distortions in choices between travel modes. Regulators can promote competition by permitting open entry, banning lock-in contracts, and enabling one-stop access to competing networks. And they can protect riders even if competition fails by mandating that fares be transparent and rider-neutral and requiring that robotaxi companies maintain a fleet sufficient for emergencies. Policymakers should take advantage of robotaxi deployment to reimagine the transportation system—liberate land from the tyranny of parking, refocus mass transit investments on high-throughput routes, and expand mobility for people with low incomes and people with disabilities.

Introduction

This Article is about “robotaxis”—motor vehicles without human drivers that are available on demand to paying customers. For nearly a century, the personal motor vehicle has dominated the American conception of travel. Given this, it is easy to forget that we humans have always transported ourselves, our goods, and our messages using a mix of travel modes. Even motorists, after all, become pedestrians after they park. And since the average household vehicle has an occupancy of only 1.5 persons,¹ it is also easy to overlook that many of these other modes were and are shared services—carriages, steamboats, trains, streetcars, buses, and taxis—in which the user is not the operator.²

Today, however, “automated vehicle” has become nearly synonymous with “robotaxi.” This is largely because of automated driving’s market leader in the United States, Waymo, as well as its competitors in China. Waymo currently deploys its automated vehicles only in fleets. In Atlanta, Austin, San Francisco, Phoenix, Los Angeles, and Miami, anyone with a smartphone can hail a ride in a robotaxi—and the company promises more cities are coming soon.³ In parts of these cities, Waymo’s vehicles are ubiquitous: recently, the Waymo carrying one of us was unable to change lanes because the Waymo next to it refused to let it in—and there were even more Waymos ahead and behind.

Will the robotaxi come to supplant the personal motor vehicle as the twenty-first century’s defining local travel mode? Maybe.

Automated driving has potential advantages. Automated driving might be safer than conventional driving.⁴ People who are unable to drive may be able to ride. Passengers in automated vehicles could use their time more productively than drivers of conventional vehicles.⁵ But these potential advantages apply when comparing many kinds of automated vehicles with conventional vehicles. When comparing robotaxis with personal automated vehicles,⁶ they are less relevant. The case for robotaxis isn’t just that they are automated.

Should the robotaxi eclipse the personal car’s dominance? We answer this question with a qualified yes. There are compelling reasons to welcome robotaxis.

First, robotaxis could improve road safety even more than personal automated vehicles. This is because robotaxi fleets are likely to be and remain significantly newer than motor vehicles generally. The mean age of vehicles in the United States today is over twelve years—and growing.⁷ Simply shifting trips to newer conventional vehicles could have a significant safety benefit.⁸ Shifting them to automated vehicles that are carefully maintained and regularly replaced could have an even greater benefit.

Second, robotaxis could improve accessibility—at least in some senses of the term. They could compete on time and cost, for both riders and system operators, with suburban and rural mass transit that has low ridership and long headways. They could better serve some people who are unable to drive because of income⁹ or disability.¹⁰ They might be more reliable than an old car in frequent need of repair.

Third, careful integration of robotaxis might unlock smarter uses of streets and city centers. Robotaxis might obviate the demand for much on-street parking, and that space might in turn be used not only for the much greater queuing zones that pickup and drop-off would require but also for sidewalks, bicycle lanes, and parklets. Robotaxis might also reduce demand for much off-street parking, and that space might in turn be used not only for robotaxi queues and depots but also for more parks, homes, and businesses.

Nonetheless, there are also reasons for caution—and therefore for careful and proactive regulation.

First, robotaxis are likely to compete not only with personal automobiles but also with walking, biking, and communal transit. The history of Uber and Lyft—which are often called Transportation Network Companies (“TNCs”)—is illustrative. As we discuss below, one of the biggest policy challenges is approaching automated driving in a way that appropriately reflects both any advantages it ultimately offers vis-à-vis conventional driving and any disadvantages it presents vis-à-vis more active and communal modes of travel.

Second, reducing the costs of travel, in money and time, may encourage more sprawl and more automotive travel. These could, in turn, create even more local, regional, and global pollution. It is important to remember that there is no such thing as a “zero-emission vehicle.” Even electric vehicles need to get their power from somewhere. And, although it is true that electric vehicles with no tailpipe have no “tailpipe emissions,” they are sources of other pollution. Tires, for example, wear out through contact with the road surface, and this wear is a major source of microplastics.¹¹

Third, these and other externalities are likely to be borne by people other than robotaxi developers, operators, and users. A disabled person who needs assistance boarding a conventional vehicle could be harmed if private robotaxi service replaces mass transit that is subject to more stringent accessibility requirements. People around the world could see their food become more expensive if even greater sprawl further reduces arable land. People who are conducting their lives in public may be subject to greater public and private surveillance if automated driving companies use or share their sensor data for purposes other than driving.¹² Secluded door-to-door trips may also reduce the random social interactions that are important to individual and community vitality.

What we have said about robotaxis so far should be familiar. In this Article, we emphasize two points that are new—one an underappreciated reason to welcome robotaxis, the other an underappreciated reason for concern.

Robotaxis, at least at this moment, could be a political expedient for implementing policies that are otherwise viewed as politically challenging.¹³ The problems of America’s reliance on the personal motor vehicle are well-known: crash deaths and injuries, pollution, and sprawl, among others. Policy solutions are also well-known: consistent automated enforcement of safety-relevant traffic rules, insurance minimums that reflect the true cost of injury, taxes on fueling and charging that capture the externalities of energy consumption, parking rates that account for the value of the land used, and so forth. But implementing these policies for conventional vehicles, drivers, and driving may not sit well with the ninety-two percent of American households that have a motor vehicle.¹⁴

In contrast, automated driving is not yet politically entrenched.¹⁵ Automated vehicles have so far been deployed only in fleets, which facilitates regulation. Fleet owners are better able to comply with complex rules than individual vehicle owners, and regulators may face less (or at least a different kind of) political resistance when they impose burdens on fleet owners than when they impose similar burdens on tens of millions of individual vehicle owners. This partly explains why the U.S. Department of Transportation and states such as California have demanded much more from automated driving developers than they have from ordinary noncommercial vehicle owners and drivers, such as expanded incident reporting at the federal and state levels and higher insurance minimums at the state level.¹⁶

But this moment is fleeting: if robotaxis and automated driving features become more widespread and popular, imposing new requirements will become correspondingly more difficult. This is a lesson that many cities still remember from the early and ultimately successful efforts of Uber to change the facts on the ground before governments could enforce existing rules or devise new ones.¹⁷

And that observation brings us to our new reason for concern. If robotaxis take off, a small number of corporations may come to control large parts of the transportation system. Robotaxi companies benefit from economies of scale and network effects, so the robotaxi market may be highly concentrated. That’s what we’ve seen in the TNC market.¹⁸ In most U.S. cities, Uber and Lyft have formed a duopoly.¹⁹ They cannot abuse their market power too much because they face competition from other travel modes. If they jack up their fares, many travelers can take a taxi or transit or just drive their own vehicle. But if robotaxis put other modes of transportation out of business, the risk of monopoly abuse will rise. In the absence of regulation, these companies’ interests may not be aligned with the public good.

In this Article, we propose a plan to regulate robotaxis that takes advantage of the opportunity they present to redesign mobility while protecting the public from concentrated private power.

There is a robust literature on the law of automated driving, but most of it focuses on tort liability²⁰ and safety regulation.²¹ There has been little discussion of the other regulatory issues that policymakers must confront.²² But some states are already acting. California has developed and implemented robotaxi-specific regulations, and Arizona has applied its pre-existing ridehailing regulations to robotaxis.²³ We consider both of these approaches to illuminate the choices these states have made and to propose reforms relevant to our analysis.

Our argument proceeds in four Parts.

In Part I, we explain what we know about robotaxis so far—the technologies, the economics, the prospects for wider adoption, and some of the layers of regulation that already apply to robotaxi service.

In Part II, we discuss externality regulation. The deployment of robotaxis could contribute to emissions, wear-and-tear on infrastructure, congestion, and privacy loss. But robotaxis could also reduce the social costs of transportation relative to personal motor vehicles. And it may be easier—both practically and politically—to regulate a few robotaxi companies than to regulate many drivers. Policymakers should take advantage of the ease of regulating robotaxis but take care not to create distortions that push riders to other modes of travel. We consider an electric vehicle mandate, a vehicle miles traveled (“VMT”) tax, congestion pricing, and restrictions on the use of robotaxi sensor data.

In Part III, we turn to rider protection. We start with the premise that the best way to protect riders is to encourage competition. If robotaxi companies compete in a carefully regulated market, riders could get lower fares, better service, and the fruits of more innovation. We also emphasize a less widely appreciated benefit of competition in robotaxis: more independent development of automated driving technologies could ultimately lead to the integration of redundant systems that are safer than systems developed by just one company. We argue that policymakers should promote competition by permitting open entry, banning lock-in contracts, and enabling one-stop access to competing networks.

We recognize, though, that even these policies may not prevent one company from dominating the market because the economies of scale and network effects favor concentration. And that dominance will take on additional social importance if robotaxis start to replace other modes of travel. We therefore propose a different set of policies to preserve rider autonomy even in a concentrated market. Regulators should mandate that robotaxi fares be transparent and rider-neutral. They should also require that, at some point, robotaxi companies individually or collectively are able to serve transportation demand in an emergency. We hope that by ensuring the public will be protected even in a concentrated robotaxi market policymakers can reduce the need for—and the attendant individual and social costs of—personal motor vehicle ownership.

Wide adoption of robotaxis could create the opportunity to redesign the transportation system. In Part IV, we offer some tentative suggestions on what this might look like. We envision a world where cities can reclaim space currently used for parking, giving more space to cyclists and pedestrians and liberating land for housing or other development. Cities can also refocus their investments in mass transit, replacing low-throughput routes and spending scarce dollars on high-throughput routes. The deployment of robotaxis should also create the opportunity to expand access. We think that carefully crafted subsidies can improve mobility for people with low incomes. And we explain how the National Highway Traffic Safety Administration (“NHTSA”) can use its authority over vehicle safety standards to encourage the development of automated vehicles that are accessible for people with disabilities. But we take a more skeptical approach to place-based subsidies. We don’t want robotaxis to usher in a new era of sprawl.

I. Robotaxis Today

Robotaxis are moving from R&D projects to commercial service. In this Part, we explain what is currently known about robotaxis. First, we introduce some of the technologies that make robotaxis possible. Second, we describe

the structure of the robotaxi market and the economics of operating a robotaxi service. Third, we consider the prospects for wider adoption. Fourth, we explain some of the layers of regulation that already apply to robotaxis.

A. Technologies

Robotaxis are automated vehicles deployed for commercial passenger service.²⁴ A robotaxi is equipped with an automated driving system (“ADS”)—a combination of sensors, computers, and software that can together perform the dynamic driving task.²⁵ To oversimplify: every robotaxi in a company’s fleet is equipped with a copy of the same ADS—the same kind of sensors, the same kind of computers, and the same software.²⁶ So in a sense, every robotaxi deployed by one company has the same driver.²⁷

Each ADS has a unique operational design domain (“ODD”)—a set of specific environmental, geographic, and roadway conditions in which it is intended to operate.²⁸ Most ADSs on the road in the United States today function only in geofenced regions in a small number of warm-weather cities, though Chinese cities such as Beijing have both snow and robotaxis.²⁹ Even within those geofenced regions, ADSs may be restricted from driving

on specific roads. Waymo’s robotaxis, for example, aren’t taking many paying passengers on freeways.³⁰

Unusual traffic situations—referred to as edge or corner cases—continue to challenge ADSs.³¹ Robotaxis have fallen into a construction pit,³² gotten stuck in a flooded road,³³ parked in prohibited areas,³⁴ and made an illegal U-turn at a sobriety checkpoint.³⁵

The companies developing automated driving technologies are designing their systems in different ways. Some companies use a suite of sensors that includes lidar, radar, and cameras.³⁶ Others purport to rely on cameras alone.³⁷ Some companies create high-definition digital maps to help their systems understand the data they receive from the vehicle’s sensors.³⁸ Others have designed their system to learn about their environment largely from the data they receive in real time with only a comparatively basic map.³⁹

Companies also differ in how they structure their software. Some ADSs are modular, with different subsystems performing discrete tasks. For example, a modular ADS might include subsystems for localization, perception, behavior prediction, planning, and actuation.⁴⁰ Each of these subsystems may or may not incorporate machine learning. Other ADSs, by contrast, have a “pure end-to-end” architecture. In these systems, a machine learning model takes in sensor data and puts out actuation commands.⁴¹ Some companies are combining these approaches.⁴² Many deployments are likely to involve bounded flexibility—like putting a soft duffle bag inside a hardshell suitcase.

An ADS can create a digital record of its driving.⁴³ This record can show the people, animals, and objects detected by the ADS’s sensors and the commands sent by its software, and the movement of nearby people and objects.⁴⁴ Most robotaxis are also equipped with interior and exterior video cameras, which can record both passengers and the vehicle’s surroundings.⁴⁵ An ADS generates and processes an immense amount of data, and retaining all these data in their raw form may be impractical. Companies generally decide which data to collect, transmit, and retain. In the absence of a legal requirement, they may make pragmatic or strategic decisions about data retention, especially as they scale their operations.

The data that an ADS collects can feed back into development. When a robotaxi encounters a scenario of concern, the ADS can be tweaked to handle it better next time.⁴⁶ The developer can test this update in computer simulations, on closed-course tracks, and then on public roads.⁴⁷ Progress isn’t always linear.⁴⁸ Tweaks can introduce new errors.⁴⁹ But over time, a system’s performance should improve, and its ODD should expand.

In the 2010s, the industry was focused on R&D.⁵⁰ When companies tested automated vehicles on public roads, they kept a “safety driver” behind the wheel.⁵¹ Near the end of the decade, some companies moved to testing without these safety drivers.⁵² And in the past few years, some companies have started to operate commercial services.⁵³

These deployments generally rely on support from human agents located in remote centers.⁵⁴ Developers take a variety of approaches to remote facilitation, ranging from mere remote assistance to actual remote driving.⁵⁵ Remote agents might communicate with passengers, suggest a path for the ADS when the robotaxi gets stuck, call for assistance in an emergency, or interact with first responders.⁵⁶ In practice, remote facilitation is frequent. For example, in late 2023, one company’s robotaxis required assistance every four to five miles.⁵⁷

Automated driving has the potential to improve road safety. Waymo’s researchers published a study in a peer-reviewed journal finding that its vehicles are involved in significantly fewer crashes that involve an injury or an airbag deployment than conventional vehicles in comparable ODDs.⁵⁸ The study is based on publicly available crash reports that Waymo submitted to NHTSA.⁵⁹ Although the data are self-reported and the conventional vehicle crash rate baselines are contestable, we don’t doubt the direction of the results with respect to routine driving.

An earlier study by independent researchers found that Waymo’s crash rate in San Francisco was comparable to the reported crash rates of TNC drivers in the city.⁶⁰ This is also an encouraging result because the crashes involving automated vehicles had to be reported by law while crashes involving only conventional vehicles are often not reported.⁶¹ It is too early to draw conclusions about fatal crashes, though. In the United States, there are about 1.33 fatal collisions for about every 100 million vehicle miles traveled.⁶² Waymo has only traveled about 200 million miles.⁶³

B. Economics

We are beginning to see the structure of the nascent automated driving market generally and the nascent robotaxi market specifically. And we can make educated guesses about the basic economics of a robotaxi service.

Market Structure

There are companies developing automated driving technologies in many parts of the world. These companies include automakers such as Mercedes, Tesla, and Volkswagen; automotive suppliers such as Bosch, Mobileye, and Qualcomm; informational technology companies such as Alphabet, Amazon, Baidu, and Huawei; and a variety of automated-driving-specific firms such as May Mobility, Pony.AI, Wayve, and WeRide. It is important not to discount efforts abroad, particularly from companies in

China that are active at home and could soon be competing with U.S. companies in other parts of the world.⁶⁴

“[A]utomated driving encompasses a wide range of technologies, applications of those technologies, business models for those applications, and participants in those business models.”⁶⁵ Robotaxis are just one application. Some companies are developing ADSs for personal motor vehicles or for use in low-speed shuttles. Other companies are aiming to automate trucking, delivery, mining, farming, and military vehicles.

We focus on three U.S.-based companies—Waymo, Zoox, and Tesla—that are developing robotaxis and are backed by three of the most valuable corporations in the world. Waymo is a subsidiary of Alphabet, the parent company of Google. Zoox is a subsidiary of Amazon. Tesla we expect you’ve heard of.

For now, Waymo dominates the robotaxi industry. It is providing commercial robotaxi service in Atlanta, Austin, Los Angeles, Phoenix, San Francisco, and Miami (as of February 2026).⁶⁶ And it is planning to provide commercial service in other major U.S. metropolitan areas.⁶⁷ Waymo’s robotaxis are already competing with Uber and Lyft. In late 2025, Waymo had a twenty-two percent share of the TNC market for trips with an origin and destination within the city limits of San Francisco.⁶⁸

Zoox is testing robotaxis in San Francisco, Las Vegas, and Miami.⁶⁹ The company recently started a commercial service in Las Vegas.⁷⁰

Tesla claims it is developing robotaxis.⁷¹ But all Tesla has produced is a system that it dizzyingly calls “Full Self-Driving (Supervised),”⁷² which needs a driver to keep their hands on the wheel and their eyes on the road at all times.⁷³ It is an ADS in aspiration but not in function.⁷⁴ In communications with regulators, Tesla continues to take the position that “Full Self-Driving” is just a driver assistance system.⁷⁵ In May 2025, Tesla announced the “launch” of a “robotaxi” service in Austin, Texas.⁷⁶ But each of the vehicles generally has a Tesla employee who is seated in the driver’s seat or passenger seat, monitoring the roadway and able to intervene.⁷⁷

It is important to recognize that, although each of these companies has primarily emphasized robotaxi services, their underlying technologies could be adapted for a variety of other applications, including motor vehicles that are exclusively used by their owners.

The robotaxi companies are taking different approaches to vertical integration. Each company is developing its own ADS software. But they aren’t all building vehicles. Waymo has purchased its base vehicles from third parties—Chrysler minivans, Jaguar SUVs, Zeekr minivans, and Hyundai SUVs—and then modified them extensively in its own facilities.⁷⁸ Zoox built its own distinctive, bidirectional vehicle in which passengers face each other.⁷⁹ Tesla has unveiled a more conventionally designed prototype called the Cybercab, but in Austin it uses slightly modified versions of its production vehicles.⁸⁰

The companies are also experimenting with different models for service delivery.⁸¹ In Los Angeles, San Francisco, and Miami, Waymo’s robotaxis can be hailed only on the Waymo app.⁸² In Phoenix, they can be hailed on the Waymo app or the Uber app.⁸³ And in Atlanta and Austin, they can be hailed only on the Uber app.⁸⁴ In those cities, Uber manages “vehicle cleaning, repair, and other general depot operations” while Waymo manages roadside assistance.⁸⁵ Waymo has also suggested it might license its ADS to third parties.⁸⁶

Tesla has floated the idea of selling automated vehicles to individuals who would then make them available as robotaxis on a network managed by Tesla.⁸⁷ (If those vehicles were as automated as Tesla has promised, then those individuals could presumably make them available on other networks as well.) This business model has some precedent. Uber lets personal motor vehicle owners use their vehicles to provide rides to passengers.⁸⁸ Turo lets personal motor vehicle owners rent their vehicles to drivers.⁸⁹ And Zipcar lets members have short-term use of fleet vehicles.⁹⁰

A startup recently announced that it would sell automated vehicles to individuals⁹¹—though of course it is not the first company to make this claim.⁹²

Cost Structure

The most important cost of operating a robotaxi service is the fixed, upfront cost of developing a safe and functional ADS. Each of the major robotaxi companies has already spent billions on engineering and testing over the last decade.⁹³ As an ADS stabilizes, engineering costs may decline. But a mature ADS will still need to be updated and refined.⁹⁴ The built environment and road user behavior will continue to change, and robotaxis will continue to encounter novel edge cases.

The variable costs of a robotaxi service can be divided into market, vehicle, and mile costs. For each new market a company enters, it must map the new territory, ensure sufficient remote assistance capacity, and arrange facilities for storing, charging, cleaning, and maintaining its vehicles.⁹⁵ For each new vehicle it assembles, it needs to buy the vehicle platform, the sensors, and the computers. For each new mile its robotaxis drive, it spends more on remote labor, fuel or electricity, cleaning, maintenance, and (indirectly) insurance.

Compared to traditional TNCs, one potential cost advantage of a robotaxi is labor. Much of the cost of an Uber ride is driver pay.⁹⁶ Taking the driver out of a taxi could make transportation radically cheaper. But robotaxis will compete against Uber and Lyft drivers who, at least in the United States, might earn less than minimum wage to drive and maintain rather ordinary vehicles (and, notably, to load and unload luggage that their customers may not want or be able to lift).⁹⁷

So, for now, this labor cost saving is hypothetical.⁹⁸ The robotaxi companies need humans to help with charging, cleaning, and maintenance. And they rely critically on humans who provide remote assistance to their vehicles, to their passengers, or to law enforcement—and, occasionally, to physically retrieve vehicles when they get stuck.⁹⁹ As of November 2023, one robotaxi company was employing 1.5 operations workers per vehicle.¹⁰⁰

One cost disadvantage of a robotaxi is the robotaxi itself: the vehicle platform, its sensors, and its computers. Waymo’s co-CEO has said that the equipment on its robotaxis can cost as much as $100,000.¹⁰¹ But Baidu, one of Waymo’s Chinese competitors has said that its robotaxis cost less than

$30,000 to manufacture—including both the vehicle platform and the ADS.¹⁰²

Another cost disadvantage is real estate. A robotaxi company internalizes the cost of its vehicles driving to and from its depots and service facilities, so it may want to locate them close to the center of travel demand. That’s usually a place where land isn’t cheap. In contrast, a traditional TNC’s drivers or vehicle owners bear these costs—including when they involve significant commutes at the beginning and end of a workday.

In theory, robotaxis can benefit from powerful economies of scale. Once an ADS is acceptably safe and functional, it can be deployed in similar ODDs in metropolitan areas around the country with some adaptations for local driving conditions. However, the significant costs of standing up a new market—the depots, service facilities, and local coordination—may limit early deployments to metropolitan areas with large populations.¹⁰³

The path to profitability will require changes to the cost structure. The cost of components—sensors, computers, and vehicle hardware—needs to fall. Waymo already is moving to replace its Jaguars with Zeekrs.¹⁰⁴ The ratio of operations staff to revenue-generating vehicles needs to fall too. That will mean improving the ADS’s performance to reduce the frequency of incidents where remote assistants need to intervene. And it will likely mean automating parts of robotaxi servicing—charging, cleaning, and maintenance.¹⁰⁵ How much costs can fall is an open question.

Deployment

A profit-maximizing robotaxi company will follow two principles for deployment. First, maximize revenue-generating opportunities (for which miles is an imperfect proxy). Second, minimize non-revenue-generating—or “deadheading”—miles. All else equal, a robotaxi company makes more money when a robotaxi is carrying passengers than when it is parked in a depot. And the company probably loses less money when a robotaxi is parked in a depot than when it is deadheading. A parked robotaxi takes up space in the depot. But a deadheading robotaxi increases charging, cleaning, maintenance, and insurance costs.¹⁰⁶

These two principles explain why robotaxis (and taxis and TNCs) are deployed in areas with high travel demand. In a high demand area, when one trip ends, the next rider is nearby. There is less deadheading between rides. Robotaxis benefit from network effects. A network with a higher volume of trip requests means fewer deadheading miles between rides. Network effects explain why robotaxis are deployed in large metropolitan areas.¹⁰⁷ And they explain why downtowns are generally more appealing markets than outlying areas.¹⁰⁸ Even in San Francisco—one of the densest cities in the country—Waymo’s robotaxis are still deadheading over 40% of the time.¹⁰⁹

There are other factors beyond travel demand that affect where robotaxis will be deployed. Robotaxis are limited by their ADS’s ODD. If an ADS isn’t capable of functioning at higher speeds, the robotaxis that use it might not serve neighborhoods where many trips require highway driving. Robotaxi companies may also prefer to deploy in wealthy neighborhoods simply because their wealthy residents have a higher willingness to pay. But again, the analysis is complicated. If wealthy residents are more likely to own a car, they may be less interested in a robotaxi ride. Families with young children (or simply with a lot to carry or store in a vehicle) present another potential challenge to—or possibly opportunity for—robotaxis.

The same principles that explain where robotaxis will be deployed also explain when they will be deployed. In most cities, travel demand peaks on weekdays in the morning and evening rush hours. A fleet of vehicles that can serve peak rush hour demand will leave some vehicles sitting idle in the midday hours and most vehicles sitting idle overnight. Robotaxi companies will likely try to smooth out travel demand by charging more in rush hour, as Uber and Lyft do with surge pricing.¹¹⁰ They might also use their vehicles for package delivery or other tasks in periods of low demand.¹¹¹ But a profit-maximizing company’s optimal fleet size is likely lower than a fleet that would completely serve peak demand—a point that influences our analysis below.¹¹²

Robotaxis might be able to serve more of a city’s transportation demand with a smaller fleet than traditional taxis or TNCs can.¹¹³ The effect will be amplified if some of the city’s residents decide to give up their personal motor vehicles for robotaxis. Personal motor vehicles have a very low utilization rate—they sit in driveways, on streets, or in parking facilities for most of the day. A profit-maximizing robotaxi company will aim for high utilization.¹¹⁴ A smaller fleet serving the same travel demand could mean a lower environmental impact.¹¹⁵

One open question in robotaxi deployment is how often riders will be interested in being matched with strangers to share rides.¹¹⁶ In principle, sharing all or part of a trip is a win-win. Riders pay a lower fare. Robotaxi companies serve two revenue-generating riders at the same cost. The challenge of ridesharing is it requires very high travel demand. The routing algorithm needs to find two riders traveling along similar routes at roughly the same time. TNCs have experimented with ridesharing programs such as UberPool and LyftLine. But the results have been disappointing. In 2023, Lyft—not coincidentally the company with the smaller network—mostly gave up on shared rides.¹¹⁷

Robotaxi companies may have more success with sharing rides if they push fares low enough to grow the robotaxi market beyond the size of the TNC market. Today most commuters cannot afford to use TNCs for their daily trips to and from work. But the combination of automation and sharing could change these economics. And during peak periods, there are many potential riders coming from similar origin points heading to the same destination at the same time.¹¹⁸

Companies could also encourage shared rides by introducing new vehicle forms. As we mentioned above, in Zoox’s robotaxis, passengers face each other.¹¹⁹ Another possibility is compartmentalized vehicles, which might appeal to riders looking for safety and privacy.

Unfortunately, there’s a tradeoff between market concentration and shared rides. The more robotaxi companies competing for riders, the less likely that any two riders will be on the same network requesting a ride along the same route at roughly the same time. But it might be possible for multiple companies’ robotaxis to be deployed on the same network—or so we will argue in Part III.

C. Potential for Wider Adoption

The common vision for robotaxis is that they will not merely replace human-driven taxis, but that they will dramatically expand the market for

taxi-like services in large part by replacing trips in personal motor vehicles.¹²⁰ But some companies are still committed to the traditional automotive business model.

The demise of Cruise, a robotaxi startup acquired by General Motors, is instructive. As we explain more below, after a 2023 incident in which the company misled the public by misleading reporters and regulators,¹²¹ Cruise suspended its US robotaxi service. A year later, GM folded Cruise into its internal efforts to develop driver assistance features for the conventional vehicles it produces. In other words, GM has reverted to its traditional model of principally selling cars rather than rides.

GM is hardly alone in embracing this traditional approach. Mercedes already offers an automated driving feature—for certain freeways in certain conditions—on two of its premium models.¹²² Many others are pursuing similar features. This traditional business model is understandable, especially if automakers ultimately decide to sell not only the vehicles but also subscriptions to use the automated driving features.¹²³ After all, like today’s robotaxis, these features might also depend on substantial digital and human infrastructure behind the curtain.

For the robotaxi business model to compete, automated driving technologies need to mature. As we discussed above, robotaxis need to become cheaper. And there are other obstacles.

First, vehicle ownership generally entails significant fixed costs (to purchase or lease the vehicle and to insure it) and either objectively or subjectively smaller variable costs to then operate that vehicle (to fill it or charge it).¹²⁴ Given this, those who own a car that they are unable or unwilling to part with are likely to compare the purchase price of a robotaxi trip with the marginal cost of a trip in their individually owned vehicle.

Second, for the reasons we described above, robotaxis will face competition not only from personal motor vehicles but also from personal automated vehicles. Automated driving will not be limited to robotaxis.

Third, many American car owners—and particularly families with children—use their cars as an extension of their homes. Some people literally live in their cars.¹²⁵ Many rely on them as mobile storage lockers for themselves and their families—for sports equipment, booster seats, diapers, mobility aids, and stuff that they want on hand or simply cannot keep elsewhere.¹²⁶ Many also treat their vehicles as public displays or private retreats that are decorated and provisioned for their personal functional and aesthetic sensibilities.¹²⁷

Fourth, many Americans see their personal motor vehicle as giving them autonomy. What happens if you give up your car and the robotaxi company jacks up its prices? Or what if there’s an earthquake, and you need to evacuate? We will explore these questions in Part III. For now, it suffices to say that how widely robotaxis will be adopted is an open question.

D. Regulation

There are many layers of regulation that apply to robotaxis. We consider two—automated driving safety regulation and robotaxi service regulation.

Safety Regulation

The fundamental challenge of automated driving safety regulation is that it is hard to assess the safety of an ADS without observing its long-term performance on the road.¹²⁸ An ADS that can safely navigate routine driving might still not be acceptably safe. The critical question is how it handles unanticipated edge cases. Over time, both NHTSA and state agencies have developed regulatory strategies that rely on monitoring and responding to safety incidents. We start with federal regulation.

In the absence of federal legislation specific to automated driving,¹²⁹ NHTSA is using its longstanding statutory authority to regulate vehicle safety generally. The National Traffic and Motor Vehicle Safety Act of 1966 (“the Safety Act”) authorizes NHTSA to (1) conduct investigations, (2) seek recalls of defective vehicles or equipment, and (3) set safety performance standards.¹³⁰ NHTSA has used each of these authorities to address automated driving.

NHTSA has used its investigative power to mandate crash reporting.¹³¹ In 2021, NHTSA issued a standing general order that requires companies testing automated vehicles on public roads to report crashes.¹³² Serious crashes had to be reported within twenty-four hours, and all crashes, no matter how minor, had to be reported each month.¹³³ In 2025, the agency narrowed the reporting requirement to exclude some crashes with less than $1,000 of property damage, but most other reporting requirements remain in place.¹³⁴ NHTSA has received reports of hundreds of crashes and made redacted reports available on its website, although it doesn’t provide the context that would make the reports easier to understand.¹³⁵

NHTSA has used its recall power to remedy defective technologies.¹³⁶ Unless a company immediately initiates a recall on its own, these recalls often follow a pattern. NHTSA starts by opening an investigation into the company’s technologies. The company and the agency exchange data. They negotiate over potential remedies. Then the company resolves the investigation by declaring a defect and issuing a recall, which takes the form of change to the company’s software. In some cases, a recall can be carried out through over-the-air software updates.¹³⁷ In the last few years, Tesla, Waymo, Zoox, and several other companies have each issued recalls.¹³⁸ For example, Waymo initiated a recall after one of its automated vehicles crashed into a pickup truck hanging off a tow truck and another crashed into a telephone pole.¹³⁹

NHTSA has not used its rulemaking power to affirmatively regulate automated driving.¹⁴⁰ The agency stated years ago that, given the rapid pace of technological change, it planned to regulate primarily through recalls.¹⁴¹ But NHTSA has used its power to exempt vehicles and equipment from existing Federal Motor Vehicle Safety Standards (“FMVSSs”). In general, companies that integrate their ADS into FMVSS-compliant vehicles don’t need an exemption. They can just “self-certify” that their automated vehicles are compliant.¹⁴² But companies that build vehicles with certain kinds of unconventional designs may need an exemption. For years, NHTSA was slow in considering ADS-related exemption requests.¹⁴³ But starting in 2025,

NHTSA announced that it would expedite requests.¹⁴⁴ And shortly thereafter, it granted an exemption to Zoox.¹⁴⁵

It is important to recognize that, under the Safety Act, FMVSS exemptions are limited either by purpose or by number of vehicles. But because NHTSA itself promulgates these standards, it can obviate the need for exemptions by changing the underlying standards—as it has already done in the case of certain occupant-protection standards.¹⁴⁶

There is another layer of automated driving safety regulation at the state level.¹⁴⁷ We focus on the first two states where commercial robotaxi service became available, Arizona and California. They nicely illustrate the range of options.

Arizona’s policy is relatively laissez-faire—although still arguably more stringent than the rules that apply to conventional driving. An Arizona statute expressly authorizes companies to operate automated vehicles on two conditions.¹⁴⁸ First, the company must provide the state’s Department of Public Safety with a plan for how law enforcement can effectively interact with the vehicles.¹⁴⁹ Second, the company must provide the state’s Department of Transportation (“DOT”) with a written statement “acknowledging” that its vehicles comply with federal safety standards and Arizona’s registration, licensing, and insurance requirements.¹⁵⁰ The company must also “acknowledg[e]” that its ADS can comply with the traffic law and achieve a “minimal risk condition”—which generally though

not necessarily involves pulling over to side of the road¹⁵¹—when it encounters a situation it cannot handle safely.¹⁵²

Arizona does not specifically empower regulators to set independent safety standards. But it does authorize the DOT to suspend the registration of an automated vehicle after determining it “is not in safe mechanical condition and endangers persons on the highway.”¹⁵³ And the statute makes it clear that the company that is testing or deploys the automated vehicle “may be issued a traffic citation or other applicable penalty if the vehicle fails to comply with traffic or motor vehicle laws.”¹⁵⁴

Arizona has succeeded at attracting testing to the state. But its approach may have also contributed to a fatal crash. In the late 2010s, before the enactment of Arizona’s current automated driving statute,¹⁵⁵ Uber was attempting to develop an ADS with the goal of operating a robotaxi service. It was testing automated vehicles in Arizona with safety drivers.¹⁵⁶ In March 2018, one of Uber’s vehicles struck and killed Elaine Herzberg in Tempe, Arizona.¹⁵⁷ Herzberg was walking her bike across a multi-lane boulevard in the evening.¹⁵⁸ The Uber ADS sensors detected Herzberg, but the software did not slow the vehicle until it was too late.¹⁵⁹ The safety driver didn’t react in time because she was distracted by her smartphone.¹⁶⁰

The National Transportation Safety Board (“NTSB”) investigated the crash and issued a report that criticized both the safety driver and Uber’s safety practices.¹⁶¹ Regulators might have been able to prevent the crash if they had asked Uber more questions about how it was monitoring safety drivers and preventing them from becoming complacent. After the crash, Arizona’s governor ostensibly suspended Uber’s right to operate automated vehicles in the state.¹⁶² But Arizona didn’t change its general approach to safety regulation.¹⁶³

California’s policy is more hands-on.¹⁶⁴ A California statute directs the state’s Department of Motor Vehicles (DMV) to develop an application process for the testing and deployment of automated vehicles.¹⁶⁵ The statute requires all automated vehicles to comply with federal vehicle safety standards (unless exempted).¹⁶⁶ It also provides, however, that the DMV’s application process “shall include any testing, equipment, and performance standards [that it] concludes are necessary” for safety.¹⁶⁷ This language suggests that the DMV may directly regulate ADS safety. (More generally, states already exercise broad authority over the operational safety of vehicles, including through driver regulation, rules of the road, and vehicle roadworthiness.)¹⁶⁸

California’s DMV issues three kinds of automated driving permits: testing (with a safety driver), driverless testing (without a safety driver in the vehicle), and deployment.¹⁶⁹ A company engaging in activities for which a permit is required is subject to specific reporting requirements.¹⁷⁰ The company must disclose, among other information, the number of miles its automated vehicles drove on California roads and any crashes in which they were involved.¹⁷¹ Unlike NHTSA, California doesn’t let companies redact their narrative description of the crash. The combination of miles reporting and crash reporting gives the DMV a rough sense of a company’s crash rate, though this must be understood in the context of the ADS’s ODD.

To receive a deployment permit, a company must certify, among other things, that its vehicles have a two-way communication link with a remote agent and that they meet industry standards for cybersecurity.¹⁷² It must also provide information about its testing on public roads in California and elsewhere, including the number of miles driven and any crashes during testing.¹⁷³ The DMV can use the company’s track record in driverless testing to assess the risk of deployment. If the track record raises concerns, the DMV may decline to issue the deployment permit.

California currently doesn’t require a company with a deployment permit to report miles or crashes. This is unfortunate, because although companies are still reporting crashes to NHTSA, the public is deprived of access to the crash narratives that NHTSA redacts. The DMV does, however, require a company with a deployment permit to report any recalls it issues.¹⁷⁴ And the DMV also has the power to suspend or revoke permits on several grounds, including if it determines that the company’s “vehicles are not safe for the public’s operation.”¹⁷⁵

The strengths and weaknesses of California’s permitting system are illustrated by its experience with Cruise, the now defunct robotaxi subsidiary of General Motors. Cruise jumped through all the hoops—obtaining a testing permit, a driverless testing permit, and a deployment permit.¹⁷⁶ And in 2022, Cruise started to deploy a robotaxi fleet in San Francisco.¹⁷⁷ By the summer of 2023, Cruise’s robotaxis were involved in some crashes that raised doubts about its technologies. After a crash between a Cruise robotaxi and a firetruck, the California DMV made Cruise cut its fleet in half.¹⁷⁸ Then in October 2023, a conventional vehicle (whose driver fled the scene) hit a pedestrian walking across the street, and the force of that collision propelled her into a Cruise robotaxi in an adjacent lane.¹⁷⁹ The robotaxi ran her over, stopped, and then started moving again, dragging her while she was pinned beneath the vehicle.¹⁸⁰

Cruise then misled regulators and the public about the crash by focusing on the initial collisions and failing to mention the subsequent dragging.¹⁸¹ When the California DMV learned the full story, it suspended Cruise’s deployment permit.¹⁸² The DMV said it was suspending Cruise’s permits both because it had concluded that Cruise’s ADS was not safe and because Cruise had misrepresented information related to safety.¹⁸³ The company paid a $1.5 million federal fine.¹⁸⁴ In December 2024, GM shut Cruise down while claiming that its work would be folded into GM’s efforts to develop more advanced features on its production vehicles.¹⁸⁵

Until recently, California’s automated driving law didn’t explicitly provide a way for police to enforce the traffic law when a company was operating automated vehicles with no safety driver behind the wheel. This loophole deeply concerned local officials. The City of San Francisco explained that its police and fire departments don’t know what to do when a robotaxi blocked traffic or emergency vehicles.¹⁸⁶ In 2024, California enacted a statute that authorizes police to issue a “notice of autonomous vehicle noncompliance” against a company when one of its automated vehicles violates the traffic law.¹⁸⁷

Service Regulation

Robotaxi companies may also be subject to another layer of regulation—regulation of the provision of transportation service. In Arizona and California, robotaxi regulation grew out of TNC regulation, which in a sense grew out of (or was imposed over) taxi regulation.

Taxi companies are often regulated as or akin to common carriers.¹⁸⁸ Many large municipalities restrict entry into the formal taxi market.¹⁸⁹ In some cities, taxi drivers own or lease a medallion that authorizes them to operate.¹⁹⁰ Fares are fixed by regulation, usually at a constant rate per mile.¹⁹¹ And taxi companies are required to provide universal service—they cannot discriminate among riders.¹⁹²

Municipalities justify each element of taxi regulation with different policy rationales. Entry restrictions are thought to reduce congestion, limit pollution, protect driver pay, and prevent taxi drivers from competing for riders in dangerous ways.¹⁹³ Fare regulation is seen as a remedy for imperfect information. Riders hailing taxis on the street cannot easily compare fares, so regulation ensures the fares are always the same.¹⁹⁴ The universal service requirement has distributive goals—providing mobility for all residents regardless of their race, sex, class, or neighborhood.¹⁹⁵

The combination of entry restrictions, fare regulation, and a universal service requirement is also intended to create a system of implicit cross-subsidies.¹⁹⁶ The profits that taxis make in places and times with high travel demand (and thus less deadheading) subsidize the service they provide in places and times with low travel demand.¹⁹⁷ Without these regulations, new entrants might be able to “creamskim”—serve only the high value trips and thereby erode the profits that cross-subsidize other trips.¹⁹⁸ This was an early complaint about Uber and Lyft.

It is hard to assess whether the benefits of traditional taxi regulations outweigh the costs. With entry restricted, the taxi industry had little incentive for innovation. It was startups, not incumbents, that introduced hailing by app. The system of cross-subsidies didn’t always work. Many Brooklynites have hailed a cab in Manhattan only to watch the driver pull away after they gave their destination. But as defenders of taxi regulation have pointed out, many American cities experimented with deregulating taxis in the 1960s, 70s, and 80s only to find that fares rose and service quality declined.¹⁹⁹ In fact, most large cities that deregulated ultimately decided to bring back regulation.²⁰⁰

In the 2010s, taxi regulation faced a new challenge—the rise of app-based ridehailing. Uber and Lyft offered lower fares, often shorter wait times, seamless payment, a driver rating system, and a more convenient way to hail a ride.²⁰¹ They rapidly took market share away from taxis.²⁰² Uber and Lyft were also “regulatory entrepreneurs.”²⁰³ In many jurisdictions, their service was illegal or in a legal gray area. For example, while Uber initially focused on professional drivers that might be regulated by something like NYC’s Taxi and Limousine Commission, it soon expanded to ordinary drivers who were freelancing. In some jurisdictions, legislators and regulators cracked down.²⁰⁴ Uber and Lyft fought back by encouraging their customers to lobby their state representatives to legalize—and often preempt local regulation of—the transportation service they had come to prefer.²⁰⁵

In recent years, the TNC market has stabilized. Uber and Lyft have formed a duopoly, splitting the market about three-to-one.²⁰⁶ They have both steadily raised their fares.²⁰⁷ After their respective IPOs, they could no longer rely on venture capitalists to subsidize their rides and faced investor pressure to turn a profit. In hindsight, the low fares and high driver pay of ridehailing’s early days were an unsustainable illusion—and arguably a predatory pricing scheme.²⁰⁸ But despite the increased fares, TNCs are offering a better service than taxis did, at least if you measure by consumers’ willingness to pay.

Municipalities and taxi companies should have taken the opportunity presented by app-based ridehailing to rethink taxi regulation. They should have been allowed to craft a new set of rules that apply equally to all vehicles-for-hire.²⁰⁹ But that didn’t happen. In many states, Uber and Lyft bypassed cities and went directly to state legislatures in their pursuit of a new legal category—TNCs—with a new set of rules different than the local rules that continue to apply to taxis.

Although often associated with their apps, the key feature of TNCs is their reliance on drivers using their own private vehicles.²¹⁰ TNCs are not subject to entry restrictions or to fare regulation that many municipalities still apply to taxis.²¹¹ The imperfect information rationale for fare regulation is arguably obsolete because riders can compare fares by toggling between apps.²¹² To the extent that certain rides are subsidized, it is because of strategic considerations by the companies or the drivers.

The content of TNC regulation varies by state. Arizona’s rules focus on rider and driver safety. Arizona’s TNC statute provides that the state Department of Transportation shall issue permits to TNCs that comply with the statute’s requirements.²¹³ Before each ride, TNCs must disclose to riders the identity of the driver, the vehicle’s license plate, and the fare.²¹⁴ After each ride, they must provide riders with an electronic receipt and preserve a digital record of the trip.²¹⁵ TNCs must disclose to drivers when the company’s insurance policies apply to them.²¹⁶ And they must screen drivers by conducting criminal background and driving record checks and enforcing a zero tolerance policy for drugs and alcohol.²¹⁷

California’s TNC statute goes further. It allocates regulatory authority to the state’s public utilities regulator, the California Public Utilities Commission (“CPUC”).²¹⁸ Like Arizona, California requires that TNCs disclose to riders information about the driver and vehicle, disclose to drivers when the company’s insurance policies apply, and conduct a criminal background check on drivers.²¹⁹ But California also mandates that TNCs meet specific minimum levels for insurance coverage that are higher than those that would otherwise apply to personal motor vehicles.²²⁰ And it prohibits TNCs from disclosing a rider’s personally identifiable information to third parties without consent.²²¹

California takes modest steps to address the externalities that TNCs create. TNCs must develop a “greenhouse gas emissions reduction plan” with targets for increasing the proportion of drivers using electric vehicles.²²² And the California legislature granted San Francisco the authority to tax riders of traditional TNCs and robotaxis to fund the city’s transportation operations and infrastructure.²²³ California has also tried to encourage TNCs to expand mobility. They are required to charge their riders five cents per trip to contribute to the “TNC Access for All Fund,” which supports accessible transportation.²²⁴

The development of robotaxis has long been connected with the rise of ridehailing. The leaders of the Google self-driving car program decided to pursue the robotaxi business model as they watched ridehailing take off.²²⁵ Both Uber and Lyft tried to develop their own ADS. Uber founder Travis Kalanick once called robotaxis “existential” for his company.²²⁶ But the reputation of Uber’s automated driving program was damaged by revelations following its fatal crash in Arizona in 2018. And after their IPOs, neither Uber nor Lyft had the cash to sustain their programs, so they sold them.²²⁷

The first robotaxi regulations have been strongly influenced by TNC regulations. Arizona applies its TNC regulations to robotaxis through incorporation by reference. An Arizona statute provides that: “An on-demand autonomous vehicle network may operate pursuant to [the state’s TNC statute] except that any provision of [that statute] that by its nature reasonably applies only to a human driver does not apply to a fully autonomous vehicle operating with the [ADS] engaged . . . .”²²⁸

California’s legislature has not enacted a statute specific to robotaxis (as opposed to TNCs, vehicles for hire, or automated driving more generally). Instead, the CPUC created its robotaxi regulations using its existing statutory authority over vehicles for hire.²²⁹ In 2018, the CPUC created two pilot programs for robotaxis. The first pilot let companies with a vehicle-for-hire permit and a DMV testing permit offer rides in their robotaxis with a safety driver present.²³⁰ The second pilot let companies with a vehicle-for-hire permit and a DMV driverless testing permit offer rides without a safety driver.²³¹ Companies participating in the pilots were prohibited from accepting payment from riders. And they were required to submit aggregate data on their operations.²³² Cruise, Waymo, Zoox, and three other companies obtained permits for at least one of the pilots.²³³

In 2020, the CPUC issued regulations for robotaxi deployment. Companies with a vehicle-for-hire permit and a DMV deployment permit were allowed to apply to the CPUC for a robotaxi deployment permit.²³⁴ Companies that were approved were allowed to start charging riders.²³⁵ The CPUC imposed two new obligations on applicants. First, they have to submit a “Passenger Safety Plan” that explains how they (1) minimize safety risks from other riders; (2) minimize safety risks from outside the vehicle; (3) ensure riders can safely identify the vehicle, enter, and exit; (4) enable riders to communicate with remote operators; and (5) collect and respond to rider complaints.²³⁶ Second, after a company is approved to deploy, it has to submit detailed, trip-level data on each ride request and each ride.²³⁷

Two companies—Cruise and Waymo—applied to deploy a commercial robotaxi service in San Francisco.²³⁸ In August 2023, the CPUC approved both requests.²³⁹ But as we have seen, Cruise’s robotaxi service did not last long. The CPUC suspended Cruise’s robotaxi deployment permit after the DMV suspended Cruise’s ADS deployment permit in the aftermath of its serious pedestrian crash in October 2023.²⁴⁰ Waymo’s robotaxi operations, however, have continued to grow. In March 2024, the CPUC approved Waymo’s request to expand its service area in San Francisco down to Silicon Valley and to add a new service area in Los Angeles.²⁴¹

So today, at least two states have considerable experience regulating an active commercial robotaxi service.²⁴² In the rest of this Article, we ask, how should they regulate?

II. Curbing Externalities

We start with regulating externalities. Robotaxis will emit pollutants into the environment. They will contribute to wear and tear on physical infrastructure. They will cause congestion. They will passively surveil their surroundings, which could erode privacy. But so too will many other technologies and travel modes. In this Part, we consider how policymakers should respond to the externalities of robotaxis in a way that accounts for this broader context.

A. Externalities and Mode Choice

One might think there’s an easy answer to the externalities robotaxis create: impose Pigouvian taxes, so the robotaxi companies internalize the costs. But personal motor vehicles, taxis, TNCs, and other modes of travel—whether automated or not—also create externalities. So policymakers must consider how externality regulation will affect choices among modes.

Burdening automated driving in ways that do not burden conventional driving will push people toward conventional driving. Burdening robotaxis in ways that do not burden personal automated vehicles will push people toward personal automated vehicles. If robotaxis offer net social benefits relative to those modes, these are not desirable outcomes.

But externality regulation that applies to all travel modes might not always be attainable.²⁴³ The practicality and political feasibility of regulation can vary by mode. In some cases, robotaxis might be easier to regulate, and to at least some degree policymakers should take advantage of the opportunity.

We suggest a hierarchy of action:

Internalize costs across all travel modes.
Where this is not possible, internalize costs across motor vehicle modes.
Where this is not possible, internalize costs across fleet-deployed motor vehicles.
Where this is not possible, internalize costs across automated vehicles.
Where this is not possible, internalize costs across robotaxis.

Costs can be internalized through taxation, market caps, performance requirements, or other regulatory mechanisms. If applied proportionately, the regulatory mechanisms should be automatically indexed so that the extent of a mode’s internalization of its external costs rises along with its share of the market. In addition, when choosing what and how to regulate, we suggest prioritizing action on what are likely to be significant inflection

points that could lock the public, policymakers, and companies into one long-term path or another.

Take the example of motor vehicle emissions that we discuss below. Ideally, in our view, regulators would require that all new motor vehicles²⁴⁴ achieve increasingly aggressive fuel efficiency standards. If that’s not politically realistic, then it may be appropriate to begin with fleets—government vehicles, other vehicle pools, rental cars, and the like.²⁴⁵ But imposing significant initial burdens on these fleets could significantly disadvantage them vis-à-vis private ownership models. And so, it may be appropriate to require fleet vehicles to meet a fuel efficiency standard that is somewhere between the standard for regular vehicles and the standard that would be ideal.

Or take the example of the third-party liability insurance required for motor vehicles. Countries in the European Union generally require vehicle owners and operators to have liability insurance that covers anywhere from millions of dollars of exposure to literally unlimited exposure.²⁴⁶ Even the low end of this range is a hundred to a thousand times greater than minimum insurance requirements in most U.S. states. Ideally, in our view, states would dramatically increase insurance minimums across the board and index them to inflation.²⁴⁷ States have not done so.²⁴⁸ Some states, however, have required the companies testing or deploying automated vehicles to show financial responsibility in the millions of dollars.²⁴⁹ Under our approach, the difference between the two requirements might not be so great, but this is at least useful precedent—and, in fairness, does not seem to have dampened enthusiasm for automated driving.²⁵⁰

Finally, we recognize that even when internalizing externalities provides benefits to those with less money, it can also impose disproportionate costs on them. An increase of $1,000 in the price of a new car to include an important safety feature is negligible for someone who can afford a $150,000 car but significant for someone who can afford only a $15,000 car. So too is increasing the per-mile cost of a trip (whether by private automobile or robotaxi) by fifty cents.

Fortunately, internalizing costs is only half of the policy question. The other half is how to channel the societal gains. In the easiest case of governmental revenue, a government can return to households any additional funds it receives from, say, taxing carbon or setting a floor for the price of energy. If designed carefully, these rebates can ultimately enhance rather than diminish individual choice: Someone who chooses to travel an average amount by personal automobile might well break even if their rebate covers the additional costs of fuel, tolls, and parking. Meanwhile, someone who chooses to live closer to work or bicycle may well come out ahead. Even where the benefits are societal rather than governmental and abstract rather than fiscal, smart policies can equitably capture and return some of this gain.²⁵¹

In this section, we address just some of the external costs of motor vehicle travel: pollution, wear-and-tear, congestion, and privacy. Of course, traffic injury is a national crisis, but it is beyond the scope of our present analysis.²⁵²

B. Pollution

A critical externality of motor vehicle use is air pollution. Tailpipe emissions from traditional gasoline and diesel vehicles account for about one-fifth of greenhouse gas emissions in the United States.²⁵³ And tailpipes also emit other gases and particulates harmful to human health.²⁵⁴

The gradual electrification of the vehicle fleet is reducing its per-mile carbon footprint.²⁵⁵ In the most recent quarter, almost nine percent of new vehicles sold in the United States were battery electric.²⁵⁶ And the United States lags many countries in the developed world in electric vehicle adoption. In Norway, about eighty-nine percent of new vehicles sold in 2024 were electric.²⁵⁷

The Biden administration prioritized electrification of the vehicle fleet. The Inflation Reduction Act provided tax credits for electric vehicles and charging stations.²⁵⁸ The U.S. Environmental Protection Agency issued a new tailpipe emission rule that would effectively require half the new cars sold in 2032 to be electric (or use an alternative fuel).²⁵⁹ And the U.S. Department of Transportation has set a fuel economy standard that would require the cars that each automaker sells to average sixty-five miles per

gallon.²⁶⁰ Since 2025, The Trump administration or Congress has reversed many of these steps.²⁶¹

Some states have gone further—or at least have tried to.²⁶² California law requires that all new passenger vehicles sold in the state in or after 2035 be powered by something other than gasoline or diesel.²⁶³

The robotaxi business model is well-suited to electric vehicles. Robotaxis are being deployed in dense, urban areas. They are never too far from a charging station. A robotaxi company can monitor when its vehicles need to be recharged, and its routing algorithms can plan its trips accordingly. Robotaxi riders being shuttled around a city don’t suffer “range anxiety” the way that a human driver might on a long-distance trip. Charging does currently require taking a robotaxi out of operation for potentially longer than a stop at a gas station, but this may eventually be addressed with better batteries, faster charging, charging-in-motion, and even battery swapping (which is likely more manageable within a fleet than between private vehicles).

Policymakers should mandate that all robotaxis be electric or alternative-fuel vehicles.²⁶⁴ California has already enacted a statute that requires any automated vehicle in model year 2031 or later to be electric.²⁶⁵ There’s no reason to wait that long. The large U.S. companies that are deploying or developing robotaxis are using electric vehicles today—Waymo’s Jaguar I-Pace, Zeekr minivan, and Hyundai Ioniq; Zoox’s bespoke electric vehicle; and all of Tesla’s models.²⁶⁶ And none have announced plans to use gasoline-powered vehicles in the future. An electric vehicle mandate for robotaxis would likely not face the opposition that a broader requirement could. And it would have the effect of setting a market floor that others could not subsequently undercut.

An electric vehicle mandate will not eliminate robotaxis’ contribution to air pollution. Increasing demand for electricity can increase emissions if that electricity is generated by burning fossil fuels. Tires, brake pads, and other vehicle parts exposed to heat or friction generate particles that can harm the environment and human health.²⁶⁷ Supply chains for vehicles and data centers for automated driving also have significant environmental impacts. But here mode-neutral environmental regulation is likely the best solution.

C. Wear-and-Tear

Motor vehicles also cause wear-and-tear on the roads. State and federal governments address this externality by charging excise taxes on gasoline.²⁶⁸ Revenue from gas taxes can—and in some states, must—be spent on transportation infrastructure.²⁶⁹ The rationale for a gas tax is that gas consumption roughly tracks miles driven, so the tax functions as a user fee.

As motor vehicles have become more fuel-efficient and as electric vehicles have increased in popularity, though, the connection between the gas tax and VMT is becoming attenuated. To make matters worse, the federal gas tax and some state gas taxes are not indexed to inflation.²⁷⁰ Although the gas tax today still generates revenue with the salutary effect of promoting electric vehicles, at some point it will be necessary to find other ways to finance surface transportation.

The simplest alternative to a gas tax is a VMT tax—a per mile charge to use the public roads. Four states are already implementing VMT taxes for electric vehicles.²⁷¹ These states offer electric vehicle owners the choice of paying a fixed annual fee or paying a VMT tax capped at the level of the annual fee.²⁷² Hawaii plans to take away the choice and require all electric vehicle owners to pay its VMT tax in 2028.²⁷³

A shift to electric vehicles may increase wear-and-tear on the roads because batteries make electric vehicles heavier than similar internal combustion engine vehicles.²⁷⁴ In a world where all motor vehicles were electric and an upstream carbon tax addressed the broader environmental burden of energy production, a weight-adjusted VMT tax might be the optimal solution. Short of that, tweaking traditional fuel taxes by properly indexing them to inflation, adjusting them for fleetwide fuel efficiency, and using them to provide a floor for the price of fuel could address wear-and-tear while capturing some of the larger externalities of internal combustion engines.

D. Congestion

Congestion is an externality that all motor vehicles can create. But robotaxis may exacerbate congestion by satisfying latent travel demand or creating new travel demand.²⁷⁵ Riders might find travel in a robotaxi less costly. The cost reduction could be financial: a robotaxi company might charge fewer cents per mile than a traditional TNC would. It could be about opportunity cost: a passenger in an automated vehicle might be able to sleep or do work that a driver could (and should) not. Or it could be psychological: riding may be less stressful than driving, especially during congested periods. The cost reduction might also encourage people to make different

decisions about where they live or work. In each case, the benefits could lead people to take more trips and longer trips.

How much congestion robotaxis create will depend not only on how many people take rides and how long those trips take, but also how efficient the networks are. As we mentioned in Part I, Waymo’s robotaxis in San Francisco are deadheading over 40% of the time.²⁷⁶ The robotaxi companies’ private incentives to reduce deadheading don’t capture all the social costs of congestion, so regulation can and should supplement that incentive. But it is important to remember that personal cars have their own form of deadheading: the miles they drive while cruising in search of parking.

Some U.S. cities have VMT taxes that apply only to certain modes, which function in some ways like a congestion tax. As we mentioned in Part I, the California legislature gave the City of San Francisco the authority to tax TNCs and robotaxis.²⁷⁷ In 2019, San Francisco voters approved a tax, now called the Traffic Congestion Mitigation Tax, at the ballot box.²⁷⁸ Riders in a gasoline vehicle who request to ride solo are taxed up to 3.25%.²⁷⁹ Riders in an electric vehicle and riders who request to share their ride are taxed 1.5%.²⁸⁰ In some respects, the tax is well-designed. The tax is a fixed percentage of the fare, so it should scale with VMT and travel demand. But because it only applies to TNCs and robotaxis, it distorts the market in favor of personal motor vehicles.

We are less sure of the politics of more ambitious visions of VMT taxation in which continuous monitoring facilitates dynamic—that is, demand-variable—pricing. As a general matter, Americans seem skeptical of devices that are attached to their cars for the purpose of updating “the government” on their travel. This is understandable.

Instead, we favor a mix of mechanisms that, in combination, generate revenue above an excise tax on gas or carbon, serve as a proxy for the use of valuable road space, and accordingly help to manage travel demand. These include congestion prices in urban centers, other forms of variable tolling on major roadways and bottlenecks, and market-rate parking rates. As famous photos comparing the road space used by people on foot, in a bus, on bikes,

and in cars suggest,²⁸¹ the key is to charge for road space in a way that optimizes that use.²⁸²

Congestion pricing has been implemented in London, Milan, Singapore, and Stockholm.²⁸³ In January 2025, after much drama, New York City implemented the first general purpose congestion tax in the United States.²⁸⁴ The initial results are promising. Travel times on the bridges and tunnels leading to lower Manhattan have fallen.²⁸⁵ But it is too early to predict the long-term equilibrium.

An important point here is that there is no definitive solution to congestion: like popular restaurants, popular places and routes at popular times will be crowded. But there are still important policy choices about what that crowd looks like—and who can get through. If single- or zero-occupancy motor vehicles are queued, can people in communal and active modes still move? Do emergency vehicles have a path? If automated driving increases both demand and capacity, the result could be even more vehicles but no greater mobility.²⁸⁶ Given this, it is essential to start answering these questions before automated vehicles start eclipsing conventional vehicles.

E. Privacy

Loss of privacy is a hidden externality—and one with which automated driving has a complicated relationship.²⁸⁷ We see privacy as playing a nuanced but ultimately important role in advancing the important societal values of freedom and community. Safety can preserve a person’s privacy.²⁸⁸ Surveillance can impede a person’s ability to act on their own and to form relationships with others.

An ADS aims to generate a three-dimensional, 360-degree view of its surroundings.²⁸⁹ That is why automated vehicles are outfitted with a suite of sensors. Those sensors are constantly receiving data about the objects in the vehicle’s vicinity. As a consequence, any person who passes within the range of the sensors will likely (and indeed should) be perceived by these sensors.

A high-fidelity perception system is critical to ADS safety. An ADS can choose a safe path only if it knows where people, animals, and objects are moving in real time. Indeed, one of the ways that ADSs might improve on human drivers is by detecting and tracking objects that a driver might miss.²⁹⁰ If stored, ADS perception data are also valuable for crash investigations, though more data does not necessarily mean more certainty. In addition, insights from these data might be useful to important research that has little to do with automated driving.

It might seem as though the privacy interests affected are insignificant. ADS sensors will only pick up what can be seen from a public roadway. Many of these places will also be surveilled by business or home monitoring systems. In a conventional sense, there is little reasonable expectation of privacy on a sidewalk or a front porch.²⁹¹

But we think the privacy risks are substantial. If automated driving succeeds commercially—and here we are talking not only about robotaxis—then surveillance will become pervasive.²⁹² Automated vehicles will frequently pass by your home, your workplace, and every third place you visit. Their powerful sensors in combination with onboard and offboard computing power will add considerably to existing and growing surveillance by private and public actors.

Automated driving companies might also, among others, quietly become agents of law enforcement.²⁹³ Increased monitoring could have real benefits for deterring crime or apprehending suspects. But if a city councilor proposed to have the police department build a system of pervasive surveillance, at a minimum we would have a debate about whether the public safety benefits outweighed the privacy harms.²⁹⁴ The deployment of robotaxis might bring about the same privacy loss without any public debate. Courts have already issued warrants to robotaxi companies for sensor data.²⁹⁵ And police may not always need to get a warrant. After a deliberate explosion in a Cybertruck in Las Vegas, for example, Tesla quickly made information from that vehicle and from its network available to law enforcement.²⁹⁶

Waymo and its erstwhile rival Cruise both disclosed that they have provided ADS video data to the police. Waymo claimed that it generally only shares data under a warrant or court order.²⁹⁷ The company has stated that, if the police make a request that is overbroad, “we try to narrow it, and in some cases we object to producing any information at all.”²⁹⁸ Cruise likewise stated that it “disclose[s] relevant data only in response to legal processes or exigent circumstances, where we can help a person who is in imminent danger.”²⁹⁹ Both of these statements are carefully hedged, and they have not been independently verified beyond some open records requests. These dynamics evoke past (and indeed current) debates about the relationship between telecommunications companies and federal investigators.

Companies have strong incentives to stay in the good graces of law enforcement because policing requires discretion. Every time an automated vehicle is involved in a crash or at least arguably violates a traffic law is an opportunity for the police to use their discretion to benefit the automated driving company. So companies may decide to curry favor with police by voluntarily sharing videos and other data that will be useful for their investigations.

So how can regulation reduce privacy risks while not inhibiting the development and deployment of safe automated vehicles?

We would prefer to see these risks addressed as part of a much broader privacy framework. These challenges are not limited to robotaxis or automated vehicles more generally or advanced motor vehicles even more generally. They also exist for aerial drones, sidewalk robots, smartphones, doorbell cameras, a wide range of other consumer-facing connected devices, and an even wider range of more obscure applications.³⁰⁰

In the absence of such an approach, policymakers should use their existing authority to scrutinize the data practices of companies within that authority. Unfortunately, this is likely to result in different rules for similar actors. If, for example, an agency has authority over robotaxis but not automated driving companies more generally, then rules for robotaxis might look different than rules for automated driving more generally. But these discrepancies might be useful in experimenting and ultimately incentivizing efforts to harmonize.

What might this scrutiny look like? It could focus on an admittedly nebulous category of “privacy-sensitive data” that could reveal personally identifiable information. And it could specify processes by which companies may seek to use those data for purposes other than operating and improving their automated vehicles—including sharing those data with affiliated companies (like Google or Amazon) or with law enforcement.

To be sure, these rules will impose a compliance burden. Affected companies will need to keep track of who has access to privacy-sensitive ADS data and monitor them. And like many privacy regulations that apply to a company’s internal operations, these rules will not be easy to enforce. Regulators may need to rely on whistleblowers. But if we do not take action to protect privacy before automated vehicles are widely deployed, we may be sleepwalking into a regime of pervasive surveillance.

III. Protecting Riders

The easiest way to protect riders is to give them choices—provided that those choices are not skewed. Competition can force firms to lower fares, improve service, and invest in innovation. Today, robotaxis are providing healthy intermodal competition by offering an alternative to TNCs, taxis, and personal cars. But there might not be much intramodal competition among robotaxi companies. As we explained in Part I, robotaxis create economies of scale and network effects that favor concentration. In many U.S. cities today, the TNC market is an Uber-Lyft duopoly.³⁰¹ The robotaxi market could easily become a Waymo monopoly. And if robotaxis start to replace other modes, a robotaxi monopoly could be more dangerous.

To be sure, market concentration is a possibility but not a certainty. Robotaxis may involve a variety of technologies and business cases. As technologies improve and their costs decline, automated vehicles or even ADSs that can be added to existing vehicles may become surprisingly cheap to make, buy, and even operate. This seems especially likely if the ADSs of the future are less reliant on numerous sensors, highly detailed maps, and remote human assistants. Some may even be open source. This could create competition among vehicle owners, among providers of automated driving services, and among automated travel modes. Concentrations, if they exist at all, might turn up in surprising places. If would-be passengers can simply rely on their own personal AI agent to automatically find—and even negotiate for—a ride, then public-facing platforms such as Uber or Amazon may lose some of their brand and market power.

But we think the risk of market concentration is real enough that it is worth anticipating. So in this Part, we recommend a two-step approach to rider protection. First, policymakers should put a thumb on the scale for new competitors. Second, they should take steps now to preserve rider autonomy in a concentrated market.³⁰² We hope that preventing monopoly abuse or neglect long before a monopoly arises will not just protect riders—it will give them the peace of mind to use robotaxis instead of personal motor vehicles.

A. Promoting Competition

How can robotaxi regulators promote competition and encourage innovation among robotaxi companies? We argue that they should permit open entry, ban contracts that lock in riders, and enable one-stop access to competing networks. But before we turn to these proposals, we want to emphasize a subtle reason why competition is especially important in the robotaxi market: it may create redundancy that will prove valuable for safety.

Competition and Safety

The development of a safe ADS would create tremendous social value. In 2023, there were 40,901 people killed in motor vehicle crashes in the United States and approximately 2.4 million people injured.³⁰³ NHTSA estimates that the annual social cost of crashes—including both the direct economic costs and the implied costs of death and injuries using the value of a statistical life—is about $1.37 trillion.³⁰⁴ Therefore, an ADS only needs to modestly improve on the safety performance of human drivers to be worth tens of billions in social benefits each year. If automated driving can achieve the safety gains that its developers are hoping for, the tens of billions of dollars of capital that have been invested to date may be below the socially optimal level.

If more companies invest in developing an ADS, more ideas will be pursued. Any particular corporate research lab is limited by the idiosyncrasies of its leadership and the path dependence of its development approach. But as long as competing labs exist, engineers who cannot get their managers to greenlight their ideas can take them elsewhere. And the more ideas that get pursued, the greater likelihood that they will make a real difference for safety—individually or in combination.

There is a special reason to care about independent development in this context. In safety engineering, redundancy is a virtue. Many safety-critical systems, like commercial airplanes, are designed to be redundant.³⁰⁵ If one subsystem fails, a backup system not vulnerable to the same failure mode can step in. This may be why some companies are developing ADSs that combine modular and pure end-to-end approaches.³⁰⁶ It is possible that an even more robust system could be developed by combining two systems developed by independent companies into one redundant system—if competition is not cut off prematurely.

Similarly, different companies might develop different—and ultimately complementary—approaches not only to design but also to safety validation and verification. Multiple approaches to simulation, for example, could help to increase both the accuracy of and confidence in methods for demonstrating and monitoring the safety of automated vehicles.

We recognize the irony in advocating for competition on the ground that it could produce an outcome where two competitors eventually merge their technologies. But that is largely the path that the aviation industry followed—a period of competition on safety followed by cooperation on safety. And even if robotaxi companies ultimately converge on ADS design, they can still compete on service quality, wait times, and price.

Competition in the robotaxi industry may also improve the transportation system’s resilience to cyberattack. If one robotaxi company’s system is hacked and has to ground its fleet, a competitor could serve the riders who might otherwise have been stranded. If competing robotaxi companies use different cybersecurity strategies, it may be more difficult for hackers to disrupt them both simultaneously.

Open Entry

Now we turn to our proposals for promoting competition—starting with open entry. The term “open entry” has three meanings in this context. It means that any company can enter the market. It means that any company can deploy as many vehicles as it chooses. And it means that companies can, through APIs and common data specifications, market the services of their competitors.³⁰⁷

All three senses of open entry are relevant to competition. As we have seen, the robotaxi business model relies on economies of scale. Robotaxi companies will need to deploy large fleets in many cities to overcome the fixed costs of developing an ADS. A company raising capital to challenge Waymo needs to be able to reassure its investors that it will be permitted to fight for the whole market and try to grow it. Restricting entry could entrench a Waymo monopoly and reduce socially valuable safety innovation.

Open entry in service regulation is compatible with pre-deployment scrutiny in safety regulation. California illustrates this possibility. As we explained in Part I, the California DMV requires companies testing or deploying automated vehicles to apply for permits.³⁰⁸ When a company applies for a deployment permit, the DMV can consider whether the applicant’s track record during testing in California or testing or deployment elsewhere supports deployment in California. The CPUC then conditions entry to the robotaxi market on the DMV issuing a deployment permit.³⁰⁹ The combination of pre-deployment safety scrutiny and otherwise open entry protects the public without reducing competition from responsible entrants.

Open entry will create externalities—more pollution, wear-and-tear, congestion, and surveillance. It could also enable an entrenched competitor to flood a market as a defensive mechanism. But restricting entry is an overly crude tool to curb them. The proposals we provided in Part II are more targeted means to regulate externalities.

Open entry also does not mean tying the hands of government when it acts as a market participant rather than a regulator. Transit operators, for example, should be able to exclusively partner with robotaxi companies to extend the reach of their networks. In fact, Waymo has already announced plans to operate a transit service for Chandler, Arizona.³¹⁰ And certain roadways owned by government agencies—such as airport access roads—might merit special rules. San Francisco is experimenting with a pilot program that allows Waymo robotaxis to use an otherwise car-free stretch of Market Street.³¹¹

Lock-in Contracts

Policymakers should also prevent robotaxi incumbents from locking in riders. A new entrant will likely need to heavily subsidize their rides until they can get enough riders on the network to bring deadheading down to a tolerable level. This is part of why Uber and Lyft burned through billions while they were building up their networks.³¹² On the other hand, this is also how cell companies initially funded their expensive networks—and yet pay-as-you-go plans are now thriving.

A robotaxi monopolist could entrench its position by offering its service as a subscription contract. Waymo is already offering subscriptions for teenage riders.³¹³ Subscriptions would make it hard for a new entrant to get riders to switch networks. Even if the new entrant offered a better service or a lower fare, subscribers would have no reason to consider switching until it came time to renew their subscriptions. So, the new entrant would need more time and money to build up network effects.

Consider how competition would play out if an incumbent monopolist had a more extensive ODD than a new entrant. If riders buy individual rides rather than a subscription, the new entrant has a fighting chance. It could gain a foothold in the market by serving some smaller segment of travel demand. Riders could choose the new entrant for individual trips in its limited service area and the incumbent for individual trips to places the new entrant doesn’t serve. If, however, riders buy one subscription to serve all of their travel needs, a new entrant cannot compete until it can serve a comparably extensive area.

There is nothing inherently anticompetitive about subscription contracts. They can help businesses and riders plan their budgets more easily and hedge against risk that demand or fares will change. And—as we discuss more below—people might be more willing to give up their personal motor vehicles if they knew the price would be predictable.³¹⁴ But the combination of incumbents with market power, network effects, new entrants with limited ability to serve the whole market, and rider lock-in could create a formidable barrier to entry.

So, here is our proposal: instead of banning subscription contracts, policymakers can simply require that riders be allowed to cancel their subscriptions and receive a pro rata refund at any time. That approach would allow riders to gain greater certainty about fares while making it easier for new entrants to get them to switch. The competitors would not have to buy riders out of their existing contracts. A light thumb on the scale for new entrants would make it harder to maintain a monopoly.

One-Stop Access to Competing Networks

Policymakers, transit agencies, and even some companies have long recognized the potential for the integrated provision of what is often called “mobility as a service” (“MaaS”). To find the best—or the cheapest—way to get from one point to another, a traveler should not need to consult and compare multiple apps or engage in multiple transactions.

Public transit agencies have long recognized the value of a single rider interface (even if their implementation has been limited). To cite just two examples of many, New York’s Omny cards and London’s Oyster cards each work on a set of transit services that have a variety of operators. And both the New York Metropolitan Transportation Authority and Transport for London provide API access to their real-time transit data to allow independent developers to create apps and other tools for riders.³¹⁵

Others have an even broader vision for transport data. The Mobility Data Specification developed by the City of Los Angeles offers a “common language” for transport data.³¹⁶ GTFS and GTBS offer similar common frameworks for transit and bikeshare, respectively.³¹⁷ Finland mandates that both public and private providers of transportation and parking services facilitate third-party access to their schedules and prices.³¹⁸ The “multimodal digital mobility services” regulation originally envisioned—though now largely abandoned—by the European Commission would have expanded aspects of Finland’s approach to the entire European Union.³¹⁹

Many internet platform companies show offers from different providers for identical, equivalent, or comparable products and services—think Google Shopping or Amazon’s third-party sellers or, in the case of transportation, Rome2Rio and (in China) Baidu Maps.

As we noted earlier, AI agents could obviate the need for or power of some of these platforms; users could simply direct their personalized agents to find and book whatever ride suits them the best. But integrated apps, backend platforms, public APIs, and common data standards could still increase the effectiveness of—and reduce the transactions costs for—these searches.

Regulators can build on this important MaaS foundation by enabling one-stop access to competing networks of vehicular rides of all kinds. Smaller providers should have the option but not the obligation to offer their services through third-party platforms. In contrast, it may be prudent to require dominant providers to facilitate this kind of third-party access.

B. Preserving Autonomy

Even if policymakers permit open entry, limit lock-in, and enable one-stop access to competing networks, the robotaxi market may still be highly concentrated. Even with integration, the economies of scale may still tilt the market against competition. So, policymakers need to prepare for a world where one company dominates the robotaxi market. The benefits of preventing monopoly abuse are twofold. First, it protects riders should a monopoly arise. Second, it might provide people the peace of mind they need to give up their personal motor vehicles and switch to robotaxis today.

The appeal of personal motor vehicle ownership is autonomy. If you have the keys to the car in your driveway, you can at least in theory travel where you want and when you want at a price that you can anticipate. For many Americans, it is difficult to imagine living without access to their own car or truck. Yet in New York and other transit-rich cities around the world, many residents with the means to buy a personal motor vehicle choose not to own one. They have confidence that the transportation system will give them at least as much autonomy as a personal motor vehicle.

Suppose you were a New Yorker whose Texan friend was about to move to Manhattan. She has always lived in a household with a personal motor vehicle. How could you persuade her that she doesn’t need a car in her new city? You could say that the subway will take her almost everywhere she would want to go in the city, that it runs twenty-four hours a day and seven days a week, that the fare is always $3.00, and that the wait for a train is usually not long. You could say all this with confidence in part because the subway is run, and its fares and service are set, by a public agency.

This is the kind of argument that cities and robotaxi developers will need to make. Residents will need to be confident that robotaxis will take them almost everywhere they would want to go in the region, that they run twenty-four hours a day and seven days a week, that the fare is low and varies predictably with demand, and that the wait for a ride is usually not long.

But the critical difference is that robotaxis will not necessarily be run by a government. If they are profitable, then they will attract corporations—or even just one monopolist—aiming to maximize profits. How could these companies be trusted not to take advantage of riders?

One solution to this problem is to bring robotaxis under public ownership. Another solution is to regulate robotaxi companies as utilities. Either solution would provide reassurance about service coverage, fares, and wait times. But they would do so at the cost of reducing competition and innovation.

We think it is possible for regulation to protect the public from monopoly abuse while still promoting competition. We propose transparent and rider-neutral fares and proactive planning for emergencies and other contingencies.

Transparent and Rider-Neutral Fares

In a competitive market, robotaxi companies will be price takers. They will charge the fare that other robotaxi companies are charging or lose market share. But in a concentrated market, robotaxi companies may engage in price discrimination. They may offer each rider an individually tailored fare just below their willingness-to-pay, so they can extract more surplus from riders who are willing to pay higher fares. And robotaxi companies may be able to make informed predictions about what each rider would be willing to pay based on data about their past choices or the choices of similarly situated riders.

This is what has happened in the TNC market. Uber’s increasing profitability has been fueled by increasing algorithmic price discrimination—sometimes called “personalized” or “surveillance” pricing.³²⁰

Price discrimination is not necessarily undesirable. In fact, if consumers are perfectly informed and perfectly rational, it can be economically beneficial.³²¹ A company that tailors its prices to individual customers will serve more customers than a company that charges every customer the same price. In economic terms, the price discriminating company expands output. These gains, though, come with complicated distributive effects.³²² Price discrimination transfers surplus from consumers to producers (and their shareholders), which can be a regressive transfer of wealth. But if low-income riders are more price-sensitive than high-income riders, price discrimination might benefit them by providing them with an individually-tailored fare that is lower than an untailored fare might be. From a social welfare perspective, it is hard to know whether the costs of price discrimination outweigh the benefits.

In general, the law does not ban price discrimination. Companies are free to tailor their prices, and customers can accept or reject them. But there’s always been one important exception to the general tolerance of price discrimination: the monopolization of a necessary good or service. The classic example is from the transportation industry: railroads.³²³ Suppose that a farmer needs to transport perishable crops to market and that the only feasible means to transport them is a railroad controlled by one company. If the railroad knows this and can discriminate on price, it will extract almost all the value of the crop, even if it results in the farmer suffering a net loss. In the moment, the farmer will still take the deal because the losses would otherwise be greater. But a farmer who anticipates the temporary monopoly trap will not grow the crop in the first place.

Now come back to robotaxis. A robotaxi company’s pricing algorithms may be able to infer which riders have given up their personal motor vehicles. A rider with access to a personal motor vehicle will have a relatively elastic demand for robotaxi rides. When the fare rises too high, they will drive instead. A rider without access to a personal motor vehicle will have an inelastic demand. When the fare rises, they will grudgingly pay it. An individual rider’s behavior—how often they see a fare and decide not to request a ride—will indicate whether they have alternative means of travel. And a robotaxi company with market power will charge the riders with no alternatives a higher fare. Riders who anticipate this trap will not want to give up their personal motor vehicle.

Common carrier regulation responds to the problem of temporary monopolization. As we saw in Part I, taxi regulation combined universal service, fare regulation, and restricted entry.³²⁴ The idea behind universal service was that every rider should receive the same service for the same per mile fare. Transportation companies could not engage in price discrimination. The problem with common carrier regulation, however, was that companies could not compete by offering lower fares. So they had little incentive to cut costs or innovate.

Policymakers should protect riders by requiring robotaxi companies to have transparent and rider-neutral fares. By “transparent fares,” we mean that robotaxi companies must submit the fare they charge for each ride to a public regulator. In California, the CPUC is already requiring robotaxi companies to submit basic information about each ride request and each ride, including the origin and destination points, the VMT during the ride, and the deadheading VMT before the ride.³²⁵ We would have companies submit one more data point: the fare charged.

By “rider-neutral fares,” we mean that robotaxi companies may not use data about an individual rider’s past choices in setting fares. They must charge the same fare to every rider requesting a ride from the same origin to the same destination under the same demand conditions. A company’s pricing algorithms may include the distance to be traveled and the expected deadheading miles to be traveled as a result of providing the ride. But pricing algorithms should not include information about the individual rider’s willingness to pay or any information that could be used as a proxy for the individual rider’s willingness to pay.

Transparent and rider-neutral fares would prevent robotaxi companies from engaging in price discrimination. A rider who gave up their personal motor vehicle would pay the same fare as a rider who kept theirs. And regulators would be able to track compliance easily. They could analyze the fare data to verify that rides with similar origin and destination points at similar times had similar fares. Rider-neutral fares would not mean that every rider pays the same per mile fare. Fares could still vary with travel demand, so regulation wouldn’t subsidize sprawl.

Unlike common carrier regulation, transparent and rider-neutral fares wouldn’t foreclose price competition. A new entrant would be free to enter the market and undercut the incumbent’s fares. In fact, transparent pricing might facilitate entry by letting a prospective entrant know what kind of fares

it would need to offer to be viable. The possibility of entry would preserve incentives to cut costs and innovate.

We anticipate three objections. First, it might be argued that transparent fares will facilitate tacit collusion. Robotaxi companies might find it easier to coordinate on an oligopoly fare if they knew exactly what their competitors were charging for every ride. We think that is right, but we doubt it will make much of a difference. Without transparent fares, robotaxi companies could simply collude, intentionally or unintentionally, through forms of direct or indirect algorithmic coordination.

Second, what if robotaxi companies replace individualized price discrimination with microtargeted group price discrimination? A robotaxi company could, for example, take into account historical demand in small geographic areas when setting fares. Your fares might not rise because you give up your car, but because your neighbors gave up their cars. We acknowledge that there’s a difficult tradeoff between the benefits of demand-variable pricing and the psychic costs of microtargeted price discrimination. It might make sense to limit the granularity of demand-variable pricing to census tracts or neighborhoods.

Third, what if one robotaxi company monopolizes the industry and just raises its fares across the board? The simple answer is that the high fares will attract other companies to enter the market—especially since those fares will be transparent and lock-in contracts will be banned. But this is not a complete answer because the combination of network effects and the high, fixed costs to enter the market may still slow entry, and high fares could cause hardship unless and until another company enters the market.

We would have policymakers use the credible threat of utility regulation to prevent abuse. Legislators could give regulators statutory authority to set fares if they deem it necessary to ensure affordable mobility. If a robotaxi monopolist raises its fares under a system of transparent and rider-neutral fares, everyone would be able to see that fares are rising, and a large portion of the population would have a stake. Regulators could then propose fixing fares. If the robotaxi monopolist took the hint and reduced its fares, problem solved. If it didn’t take the hint, regulators could impose more aggressive utility regulation. But we think utility regulation should be a last resort if competition does not lead to adequate service at acceptable fares.

Emergency Planning

One emotionally salient advantage of personal motor vehicle ownership is the perception of mobility during emergencies. If the forecast says you are in the path of a hurricane, you can board up the windows, pack your bags and pets, and drive to safety before the storm hits (assuming you can find a place to fuel or charge your car). Even if the chance of an emergency that would require evacuation is slim, knowing that you could escape might give you peace of mind. Robotaxi regulation needs to provide the same peace of mind as personal motor vehicle ownership.

San Franciscans now have good reason to worry that robotaxis will not be available in emergencies. On December 20, 2025, a fire at a Pacific Gas & Electric substation caused a widespread blackout.³²⁶ In large parts of the city, traffic lights went dark.³²⁷ Many of Waymo robotaxis stopped in the middle of the street, and some got stranded in intersections, blocking traffic.³²⁸ Waymo suspended its service and didn’t resume operation until the following day.³²⁹

Emergencies—including ones far greater than a blackout—could create many challenges: drastic changes to road environments, loss of communications, overwhelmed remote assistants and retrieval crews, mass dependency on robotaxis, and stopped automated vehicles becoming obstructions.

In the absence of regulation, robotaxi companies will have insufficient incentives to prepare for emergencies. As we saw above, they will likely maintain fleets with fewer vehicles than would be socially desirable in an emergency.³³⁰ A profit-maximizing robotaxi company will set the number of vehicles in its fleet by calculating when the marginal revenue gained by adding another vehicle would surpass the marginal cost. A fleet large enough to serve peak demand may include many vehicles that would sit idle during periods of average demand. The cost of storing, maintaining, and cleaning the vehicles that would be used only during peak demand could outweigh the revenue that they would generate.

Demand-variable pricing partially mitigates this problem. If a company can charge a higher per mile fare in peak demand, a larger number of vehicles will generate enough peak demand revenue to offset the losses in periods of average demand. But peak demand in non-emergency situations—the Tuesday morning rush hour—may still be a fraction of peak demand in an emergency.

More importantly, robotaxi companies will not be able to set fares at market prices in some emergencies because of “price-gouging” laws. Price-gouging is a special case of demand-variable pricing. In an emergency, demand for certain goods—water, food, gasoline—can spike. Sellers can temporarily raise their prices—sometimes exponentially—and profit from the increased demand.

Most states have enacted statutes that ban price-gouging. For example, a California statute provides that, if the government declares a state of emergency, a business may not raise the price of certain essential goods and services more than ten percent above the price it was charging before the emergency.³³¹ The statute contains an exception that lets a business increase its price above that level if it can “prove that the increase in price was directly attributable to additional costs” it had to pay as a result of the emergency and the price is not more than ten percent “greater than the total of the cost to the seller plus the markup customarily applied by that seller for that good or service.”³³²

The basic intuitions behind price-gouging laws are about fairness.³³³ Sellers should not be able to take advantage of buyers in temporary monopoly situations: the gas station should not be able to charge you $100 a gallon as you are fleeing the storm. Fairness also suggests that the rich should not be able to hoard scarce necessities: in a pandemic, ventilators should be available to more than just billionaires.

Although price-gouging laws are popular with legislators, they are unpopular with economists. There are three standard criticisms. First, they reduce sellers’ incentives to stockpile inventory to prepare for emergencies and to increase production during emergencies.³³⁴ Second, they encourage consumers to hoard rather than just buying what they need.³³⁵ Third, they allocate goods and services to buyers who show up first instead of buyers with a higher willingness to pay (plus, of course, the actual ability to pay).³³⁶

Repealing price-gouging laws—or exempting robotaxi companies from those laws—would create an incentive to maintain larger fleets for emergencies. But this salutary incentive must be weighed against the cost to peace of mind: people who fear that they will be price-gouged in an emergency will be less likely to give up their personal motor vehicles.

Policymakers can instead solve the problem of robotaxi service in emergencies by ensuring that the industry as a whole maintains a fleet that is sufficient to serve the state’s emergency plans.³³⁷ Emergency management officials could determine the overall size of the fleet. Then robotaxi regulators could periodically apportion responsibility to individual companies according to their market share. The fleet would need to be “available”—ready to deploy on demand. The state could provide a subsidy to each company equivalent to the loss they incur from maintaining these additional vehicles. Alternatively, regulators could create incentives that reward dynamic expansion capacity. This extra capacity might simply include more robotaxis. But it could also include ready and reliable access to buses and, if those buses are conventional, human drivers.

In some emergencies, public authorities need to mandate evacuation. If a significant portion of the population relies on robotaxis, robotaxis need to be part of the evacuation plan. Emergency management officials should be given the authority to temporarily control how robotaxis are deployed in an evacuation. Robotaxi companies should be required to prioritize ride requests within an evacuation zone and to offer evacuation rides for free. Public authorities can reimburse the companies for the cost of providing the service.

Emergency management officials and robotaxi regulators should not wait until an emergency arises to verify if robotaxi companies can meet their obligations. They should require that robotaxi companies—as well as providers of automated driving for personal motor vehicles—participate in simulations in which they test how companies would respond to different types of emergencies. These simulations would serve as an audit to confirm that robotaxi companies maintain a sufficiently large available fleet and have robust break-the-glass operational plans that account for abnormal roadway conditions, disrupted connectivity, staffing shortages, and other logistical impediments.

These simulations should highlight details that might otherwise be overlooked. Will the kind of all-electric fleet that we encourage in this Article suffice in an evacuation? Will robotaxis still function if roadways become unidirectional, if thousands of officers are manually directing drivers at hundreds of intersections, if debris or water is covering roads, and if communications are down (or if remote assistants are overwhelmed)? If not, will these vehicles block roads in a way that further stymies evacuation and emergency response? Careful emergency planning will help build confidence that it is safe to live without owning a personal motor vehicle.

IV. Redesigning Mobility

It is easy to envision how robotaxis might fail as a business.³³⁸ They might not achieve an acceptable level of safety or a sufficiently lucrative ODD. They might not become cheap enough to compete with traditional taxis and TNCs. They might successfully compete with these modes in high demand areas but not provide a service that is convenient or reliable enough to replace personal motor vehicles. Indeed, as personal motor vehicles have generally proven more popular than taxis in many parts of the country, automated personal motor vehicles may prove to be more popular than robotaxis.

But what if robotaxis succeed as a business? What if they become sufficiently safe, convenient, reliable, and affordable that they serve the mobility needs of most of the residents of some metropolitan areas? That would create the opportunity to redesign our transportation system. This topic merits its own article. Here we just touch briefly on three issues: liberating land, refocusing transit, and expanding access.

A. Liberating Land

Most U.S. cities are oriented around the automobile. Even in the densest neighborhoods, some of the most valuable land is used for parking lots and garages. Most streets are designed to prioritize automobile use—more lanes for motor vehicles and curbside parking, less space for the cyclists and pedestrians who are relegated to both the literal and the metaphoric margins of the transportation system. And only a few U.S. cities have mass transit that serves enough of the travel demand with enough frequency, speed, and reliability to compete with personal motor vehicles.

Urban planners have long argued that cities do not have to be like this. Tokyo’s transit is so fast, frequent, extensive, and reliable that the city has about 0.32 motor vehicles per household. Copenhagen’s streets are so safe and convenient for cyclists and pedestrians that 49% of commuters travel by bike. And in New York City, despite decades of neglect, the subway is still useful enough that 56.7% of households do not own a car.³³⁹ It is important to recognize that space is a limiting factor: if cars had more space, there would be more cars.

Some urban planners are skeptical about the deployment of automated vehicles (including personal motor vehicles as well as robotaxis) precisely because they think automated driving will entrench the automobile, set back fragile gains for cyclists and pedestrians, and undermine support for transit. And some of their fears are grounded in facts. For over a decade now, pundits have been invoking a self-driving future to oppose investments in other modes of transportation.³⁴⁰

We think that robotaxis have the potential to preserve what people like about the automobile without requiring cities to revolve around the automobile.

Cities could start by changing the economics of parking. As many have explained, free parking is at the root of many urban problems, from the high cost of urban construction to suburban sprawl.³⁴¹ In recent years, some states and cities have repealed laws that mandated a minimum number of parking spaces for certain land uses. But in most cities, politicians are reluctant to abolish parking requirements or charge a market price because many of their constituents rely on personal motor vehicles. And those vehicles spend most of the day in parking.

Robotaxis will spend most of their days moving, so the companies that own them can maximize their revenue. Even overnight, robotaxis can be used to transport goods. When robotaxis stop for charging, cleaning, and maintenance, they can be compactly stored on private property.³⁴² If robotaxis succeed, much of the urban land we currently devote to parking lots and garages can be converted to apartments, stores, and parks.

If people have access to a wide range of robotaxis, they will no longer need to own a single vehicle that does everything and goes everywhere. If you need (or believe that you might at some point want to use) a pickup truck, then you might buy a pickup truck. And once you own it, especially if you own no other motor vehicles, you will expect to be able to drive it and park it everywhere. But if you have access to a robotaxi truck or can take a reliable robotaxi to reach a conventional truck located outside the city, then it may not be necessary to drive your own truck everywhere. This may give communities much more flexibility in reimagining themselves.

Redesigning streets is key.³⁴³ Robotaxis will not need to park at the curbside—though they will need space to pull over to pick up and drop off riders. Robotaxis may also be able to serve the same travel demand with a smaller fleet—especially if they become as familiar as an elevator. This could give cities an opportunity to reclaim street space for protected bike lanes or wider sidewalks. And robotaxis are likely to be friendlier to cyclists and pedestrians in a way that could facilitate living streets with mixed modes.

B. Refocusing Transit

Cities could also rethink how they invest in transit. An important advantage of transit is throughput. More people can fit on a subway car or a bus than in a set of cars that occupy the same space.³⁴⁴ Far more commuters in New York can travel from Harlem to Midtown at rush hour on the subway under Lexington Avenue than in traffic on the street above it.

Robotaxis might not change the logic of throughput. It is possible that robotaxis could increase vehicle capacity (if the vehicles have closer lateral and longitudinal spacing, smoother flows, or fewer crashes) and otherwise increase person capacity (if people share rides). They likely will not, however, compete with the Lexington Avenue subway in the foreseeable future.

But most transit in the United States is not like the Lexington Avenue subway, which runs with two-minute headways at rush hour. Some transit agencies operate buses or trains that run every half hour or less. Some run buses that are mostly empty—and that may be stuck in congestion caused primarily by single-occupant vehicles. Some of these low-throughput transit lines may be justified given the realistic alternatives, but it is possible we can do better.

If robotaxis are cheap enough to replace personal motor vehicles, they may be able to replace low-throughput transit lines—provided that policymakers continue to subsidize low-income riders who relied on those lines.

C. Expanding Access

Mobility creates positive externalities. We benefit not just when it is easier for us to travel, but when it is easier for our friends, family, and coworkers to travel—provided that the negative externalities are managed. Current transportation policy is full of subsidies, both obvious and hidden. Many of those hidden subsidies perversely encourage personal motor vehicle ownership,³⁴⁵ but some are worth keeping. If robotaxis start to replace other modes of travel, to what extent should governments subsidize robotaxi rides for those whose mobility needs would not be adequately served by the market? We consider three issues: people with low incomes, people with disabilities, and sparsely populated areas.

People with Low Incomes

The case for subsidizing the mobility of people with low incomes is straightforward. Mobility enables economic opportunity, educational advancement, and civic participation. Targeted mobility subsidies can reduce economic inequality and increase social mobility.

Existing policy subsidizes the mobility of low-income people with both implicit and explicit subsidies (while, in other ways, increasing the price of that mobility). The implicit subsidy is providing transit to the general public at fares below the cost of providing the service.³⁴⁶ Everyone can benefit from the low fares, but riders with modest incomes may benefit the most. The explicit subsidy is providing discounted fares for low-income riders.³⁴⁷ (The price increase comes in part from the land use policies, discussed above, that push low-income people far away from city centers.)

A subsidy designed to improve the living standards of low-income people raises the question: is a targeted subsidy superior to an unrestricted cash transfer? An unrestricted cash transfer respects autonomy by letting recipients decide for themselves how they want to allocate their budget. They might want to spend less on transportation than their share of a mobility subsidy would provide. A targeted subsidy would distort spending away from what some recipients would prefer.

We acknowledge the force of the critique, but we think targeted mobility subsidies to low-income people are smart politics. Unrestricted cash transfer programs are hampered by the (likely false³⁴⁸) perception that the recipients will squander the money. One critical advantage of transportation subsidies is that voters understand that transportation is a necessity, so they can trust that the money will be put to good use.³⁴⁹

Legislators should enact a means-tested subsidy for robotaxi service. The right time to adopt this subsidy is when robotaxis start to replace low-throughput transit. Low-income people who relied on those routes will need a substitute, and robotaxi fares may be higher than transit fares. A similar argument can be made for low-income people who rely on personal motor vehicle ownership at the time that on-street parking becomes less available or more expensive. They may not be able to afford the increased cost of private parking, so subsidized robotaxi service may be the only realistic replacement. Even a modest subsidy could be consequential for the mobility of people with limited means.

People with Disabilities

For people with disabilities, subsidies need to take a different form. At the outset, it is important to recognize the incredible diversity among people with disabilities. A person who is blind may have very different mobility challenges than a person who uses a wheelchair. People who use wheelchairs may also have very different mobility challenges depending on their other abilities (such as significant upper-body strength and agility) or disabilities (such as deafness or mental impairment).

So, we might start—but cannot end—this discussion with people who use electric mobility scooters or other devices that cannot easily get or fit into conventional vehicles. They need access to spacious vehicles with a ramp or a lift, sometimes called Wheelchair Accessible Vehicles (“WAVs”).

As we mentioned in Part I, California has attempted to expand mobility by requiring TNC riders to contribute five cents per trip to the TNC Access for All Fund.³⁵⁰ The CPUC is directed to distribute those funds to businesses or nonprofits that provide transportation to people with disabilities, especially people who require a WAV.³⁵¹ A TNC can avoid charging the fee if the CPUC determines that it is providing a sufficient level of WAV service.³⁵² And the CPUC can also offset the amount due by the amount a TNC invests in improving its WAV service.³⁵³

The introduction of robotaxis creates an opportunity to redesign vehicles to make them more accessible. It may be feasible to require that all robotaxis be WAVs. Then regulators would not have to monitor the level of service provided to people with disabilities, as the CPUC is doing now. They would receive the same service as everyone else—that is, unless they need the assistance that bus, paratransit, and taxi drivers often provide as an official or unofficial part of their jobs.

It is possible, though, that the cost of making every robotaxi a WAV will prove prohibitive. In that case, legislators could adopt a policy like California’s. Either taxpayers generally or robotaxi and TNC riders specifically could contribute to a public fund. Then regulators could offer those funds to companies that operate WAVs. The downside of this approach is that regulators would need to monitor service levels to make sure that riders who need WAVs aren’t enduring unreasonable waits.

NHTSA can encourage the development of accessible robotaxis today. As we saw in Part I, companies introducing automated vehicles that do not meet NHTSA’s Federal Motor Vehicle Safety Standards need an exemption from the agency.³⁵⁴ NHTSA could announce that it will prioritize exemption requests for automated vehicles that are also WAVs³⁵⁵—a small step that nonetheless may have an important signaling effect. That might persuade some ADS developers to experiment with more accessible vehicle designs. And, if and when it is clear that accessible robotaxis are financially viable, regulators should mandate them.

Sparsely Populated Areas

The case for subsidizing mobility in sparsely populated regions is more complicated. Policymakers have long sought to diminish geographic disparities in the availability and price of transportation service. In taxi regulation, the combination of entry restrictions and universal service requirements ensures that the profits taxis make in high demand areas cross-subsidize service in low demand areas.³⁵⁶ Transit budgets often work similarly. Very few transit lines manage to break even on farebox revenue alone. But that revenue plus subsidies based in part on ridership numbers support less popular routes in sparsely populated areas.³⁵⁷

In the absence of subsidies, robotaxis are more likely to be deployed—and likely to be cheaper on a per mile basis—in places with high travel demand. This dynamic plays out on two levels. On a local scale, robotaxis are likely to be cheaper in cities than in their surrounding suburbs and exurbs. On a national scale, robotaxis are more likely to be deployed in large metropolitan areas than in smaller metropolitan areas or rural areas.

The policy case for local, place-based subsidies is weak. If the deployment of robotaxis reduces the absolute per mile cost of travel, it will increase demand for longer trips. That could facilitate commutes to city centers from suburbs and exurbs and shift development to places where it will have a greater environmental impact. This is how robotaxis might encourage sprawl.³⁵⁸

But that analysis is incomplete. Even if actual and perceived travel costs were to decline overall, shorter trips in densely populated areas are still likely to cost less than longer trips in sparsely populated areas. Robotaxis might also enable “distributed density”—more dense pockets of development within already urbanized areas—if land use regulation can be liberalized to allow it.³⁵⁹ If, however, a government attempts to equalize the per mile cost of travel, it will be effectively subsidizing sprawl.

It might be argued that local, place-based subsidies will help low-income neighborhoods. In some U.S. metropolitan areas, average incomes are higher in the city than in the surrounding suburbs and exurbs. But if the policy goal is subsidizing mobility for low-income people, the most efficient intervention is means-based subsidies, not place-based subsidies.

There may, however, be a political justification for local, place-based subsidies. If cities make driving or parking more expensive, they may face opposition from suburban commuters. The opposition might be particularly intense if suburbanites pay much higher per-mile fares for robotaxis and are thus less willing to replace their personal motor vehicles. In that case, place-based subsidies could be a kind of compromise: suburbanites give up their cars, and in exchange they get cheaper robotaxi service. But the cost of the compromise is encouraging sprawl.

The case for subsidies at the national level is different. In the absence of subsidies, large metropolitan areas might switch to robotaxis while smaller metropolitan areas and rural areas remain dependent on personal motor vehicles. If the primary advantage of robotaxis is economic, this might be an acceptable outcome. Even the most zealous transit advocates do not call for subways to be built under Topeka, even though it might expand mobility. But we can see a case for subsidizing robotaxis in less dense regions if robotaxis provide other benefits and if subsidies provide an important and preferably temporary boost over a critical adoption hump.

More broadly, these risks and opportunities are also why we advocate for more holistic and whole-stream approaches, such as a carbon tax that is collected and rebated per capita, that empower people to make their own choices while simultaneously reducing the externalities that distort those choices.

Conclusion

We recognize that some advocates are skeptical about robotaxis.³⁶⁰ They have been working to build a transportation system that relies less on cars and more on walking, biking, and mass transit. They worry that the deployment of robotaxis will undermine those efforts and entrench the automobile. And they do not want the transportation system to privilege the interests of large automakers and other tech companies.

We share these concerns. We recognize what Zipcar’s founder has described as a choice between “heaven or hell”³⁶¹—and the many gradations between those two extremes. Automated driving is like the internet: a tool that opens up possible futures, some better and some worse.³⁶² Its use can and should be subjected to democratic control. With careful regulation, the introduction of robotaxis can liberate cities from the worst effects of the automobile—and thereby save lives, expand mobility, and make cities more livable.

99 S. Cal. L. Rev. 603

Download

Bryant Walker Smith* & Matthew T. Wansley†

* Associate Professor of Law and Engineering, University of South Carolina.
† Professor of Law, Cardozo School of Law. We thank Amitai Bin-Nun, Hannah Bloch-Wehba,
Jill Fisch, Eric Goldwyn, Phil Koopman, Mark Lemley, Jared Mayer, Gerard Magliocca, Michael Pollack,
David Schleicher, Ganesh Sitaraman, Stew Sterk, Brad Templeton, Marshall Van Allstyne, William
Widen, Katrina Wyman, Jinhua Zhao, and participants at the 2025 American Law and Economics
Association Annual Meeting and the 2025 MIT Mobility Initiative Vision Day for helpful suggestions.
We thank Camila Schaulsohn for her valuable research assistance and the editors of the Southern
California Law Review for their thoughtful editing.

Quis Custodiet Ipsos Custodes: Labor & Privacy in the Age of Kidfluencers and the Internet’s Stage Mothers

March 2026March 2026Elinor J. Haddad*

INTRODUCTION

In 2022, a group of minors sued Tiffany Smith, mother and producer of prolific child influencer Piper Rockelle, and her corporation Piper Rockelle Inc. (“PRI”), alleging nineteen claims in total, nearly all for violations of either state tort law or the California Labor Code.¹ The minors had previously appeared in monetized content on Rockelle’s YouTube channel, which then boasted over 8.5 million followers,² as part of a group of children self-nicknamed “the Squad.”³ According to their complaint, they devoted long hours—in some cases more than twelve hours a day for seven days a week⁴—over three years to producing “hundreds” of “highly lucrative” videos but were never compensated, were denied meal and rest breaks while filming, and did not receive regular on-set education.⁵ Following the suit’s initial filing, YouTube demonetized Rockelle’s channel, and venues where Rockelle had upcoming tour dates canceled her appearances.⁶ In 2023, Smith countersued for $30 million, accusing plaintiffs and their parents of defamation, fraud, and extortion; before plaintiffs responded, Smith dropped her lawsuit.⁷ In March 2024, a Los Angeles Superior Court judge denied Smith’s motion for summary judgment, thus scheduling the case for trial.⁸ By October 2024, the parties had settled for $1.85 million.⁹

The suit illustrates the potential for severe damage inherent in the world of child influencers—a world that is, as of now, largely unregulated. The plaintiffs in the suit, and Rockelle herself, represent a common demographic among child influencers (“kidfluencers”): children between ten and sixteen years of age with public, monetized accounts on large social-media platforms like YouTube, Instagram, and TikTok, and talent and training in skills like dancing and singing as well as video editing and other skills required for content creation. Between 2017 and 2020, the plaintiffs appeared in content on Rockelle’s YouTube channel and on her accounts on other platforms; while Rockelle’s early postings were relatively innocuous (videos with titles like “My trip to the Los Angeles Zoo”¹⁰ and “Getting a pet turtle!!!”¹¹), the channel’s tone quickly took a questionable turn, with videos featuring children performing skits, challenges, and pranks in various stages of undress and in suggestive situations accompanied by clickbait thumbnails and titles¹² such as “24 HOURS HANDCUFFED to my ‘BOYFRIEND’ ” (featuring a then-ten-year-old Rockelle),¹³ “11 YEAR OLD BELLY PIERCED **PRANK** (Can’t Say No 24 Hour Challenge) 🚫👌,”¹⁴ and “Asking STRANGERS To Be My BOYFRIEND Challenge **1 DATE = $100** ❤️💵” (featuring a then-twelve-year-old Rockelle).¹⁵

Using the Piper Rockelle lawsuit (“the PRI lawsuit”) as a case study,¹⁶ this Note will focus on the growing number of kidfluencers and the need for standardized, federal laws ensuring their fair labor conditions and preservation of personal privacy. In particular, this Note will discuss the inadequacy of federal and state regulation of two forms of exploitation that present concerns in the kidfluencer context: (1) labor (exploiting a child’s work without compensation, meaningful consent, or regulation) and (2) privacy (exploiting a child’s image or likeness without compensation and meaningful consent).¹⁷ Part I of this Note presents an overview of the kidfluencer phenomenon and the evolution of stage parents from vaudeville and the early motion picture industry to the Internet and social media. Part II describes kidfluencers’ vulnerability to labor exploitation, discussing how measures protecting child performers remain largely unavailable to kidfluencers and require expansion to cover this new demographic of child workers. Part III details the rampant exploitation of kidfluencers’ privacy and analyzes how the increasing legal spotlight on protecting children as social-media users has yet to acknowledge kidfluencers’ privacy and publicity interests and must do so to adequately protect them. Part IV proposes that, in addition to enacting laws to protect the labor and privacy rights of kidfluencers, Congress should empower social-media platforms as enforcers of kidfluencer laws and impose liability on platforms that host content produced in violation of these recognized kidfluencer rights. Ultimately, this Note presents a holistic set of common-sense regulations, grounded in analogous, existing law, that are designed to close the critical gaps in kidfluencer protections as quickly and effectively as possible. This all-encompassing approach—covering both privacy and labor—to regulating children in monetized content is essential given the pervasiveness of their online presence and the reality of ever-advancing online technology that is here to stay.

I. THE ARRIVAL OF KIDFLUENCERS

The influencer economy is worth over $250 billion worldwide¹⁸ and is expected to swell to $480 billion before the year 2030.¹⁹ U.S. brands spend more than $5 billion on influencers each year.²⁰ Massive content-sharing platforms like YouTube, Instagram, and TikTok host millions of influencers who then share content to millions more subscribers.²¹ On YouTube, influencers creating and sharing videos on their “channels” earn revenue based on the number of views their videos generate. When a YouTube channel is monetized, YouTube collects forty-five percent of advertising revenue from the creator’s videos, and the creator receives the remainder.²² With this formula, top creators earn tens of millions of dollars each year—and kidfluencers with at least one million followers can earn $10,000 or more for each sponsored post they share.²³ Before the onset of the PRI lawsuit, PRI made between $4.2 million and $7.5 million annually from social-media advertising alone, and the PRI plaintiffs averaged up to $28,000 per month in YouTube revenue.²⁴

And kidfluencers are a fast-growing demographic in monetized social-media content.²⁵ Social-media accounts listed in children’s names but managed by parents (typically with a moniker like “Managed by Mom” in the account biography) feature young children almost exclusively, with little to no regulations governing the children’s compensation, working conditions, or content output. Thus, children can work extensive hours, receive little to no formal schooling, and have their intimate details shared on the Internet at-large with essentially no recourse and no safeguarding of their earnings from parents or other adults controlling their accounts. Many kidfluencer accounts boast massive followings, with subscribers in the hundreds of thousands or even millions, and the financial payout is huge. Roughly a century ago, states began regulating labor conditions for child performers, many of whom were pushed into the entertainment industry by their parents and subsequently experienced extensive exploitation.²⁶ Now, social media has given stage parents a new arena—one with novel and potentially catastrophic dangers if left unchecked.

A. A Brief History of Stage Mothers

The concept of “stage parents” and “stage mothers” enjoys a long and controversial history in American culture.²⁷ Early discussion of overbearing and even abusive parents pushing their children into careers on stage and in film arose from personal anecdotes of early film stars. Legendary movie star Judy Garland often recounted growing up on a vaudeville stage in the 1920s and 1930s, and the intensity with which her mother, Ethel Gumm, pushed her to perform; in a 1967 interview, Garland, recalling her early days of performing onstage, stated, “[My mother] would sort of stand in the wings . . . and if I didn’t feel good, if I was sick to my tummy, she’d say, ‘You get out and sing, or I’ll wrap you around the bedpost and break you off short!’ So, I’d go out and sing.”²⁸ Garland, cemented in American culture by her performance as Dorothy in 1939’s The Wizard of Oz, later characterized her mother as “the real Wicked Witch of the West” and described how Ethel began giving her pills to increase energy or to promote sleep before Garland’s tenth birthday.²⁹

Nearly a century and the passage of much legislation for child performers later, stage parents like Ethel Gumm remain, motivated by many of the same interests—money, fame, power, attention—as their twentieth-century counterparts. These interests can easily collide with children’s needs, and the development of laws protecting child actors demonstrates a commitment by the traditional entertainment industry to limiting the effects of such conflict. Today, child actors in multiple states, including California and New York, and members of entertainer unions like SAG-AFTRA have protections that Judy Garland’s generation did not, such as guaranteed access to wages, adequate education, and limitations over working hours.³⁰ These regulations acknowledge both the potential conflict of interest between stage parents and child performers as well as the reality of children as a key and enduring presence within the entertainment industry. But while child actors today are more protected from parents who squander their earnings or force them to work oppressively long hours, children are still at the mercy of their parents as to whether they ultimately pursue an entertainment career in the first place and, if they do, the relentlessness of that pursuit.

In 2022, former child star Jennette McCurdy released her memoir I’m Glad My Mom Died. Chronicling her ascent from poverty to fame on the highly successful Nickelodeon show iCarly, McCurdy detailed her late mother’s longstanding obsession with McCurdy’s success as a child actor, regardless of McCurdy’s own disinterest in such a career. Recalling the initial signing meeting with her first agent, McCurdy wrote,

“It’s important that Jennette wants to act, in order for her to do well,” [the agent] says.

“Oh, she wants this more than anything,” Mom says as she signs on the next page’s dotted line.

Mom wants this more than anything, not me. [Auditioning] was stressful and not fun, and if given the choice, I would choose to never do anything like it again. On the other hand, I do want what Mom wants, so she’s kind of right.³¹

McCurdy emphasized her lack of agency and meaningful choice in embarking on her career as an actor, framing her mother’s eventual death from cancer as the catalyst that allowed McCurdy to leave behind the career she never wanted—though she could not as easily escape her fame.³²

When I was six years old, she pushed me into a career I didn’t want. I’m grateful for the financial stability that career has provided me, but not much else. I was not equipped to handle the entertainment industry and all of its competitiveness, rejection, stakes, harsh realities, fame. I needed that time, those years, to develop as a child. To form my identity. To grow. I can never get those years back.³³

B. Reality Television Bridges the Gap from Film and Television to the Internet

In 2011, the Lifetime reality series Dance Moms premiered, unwittingly marking the beginning of a new era and a new medium for twenty-first-century stage parents. Following a group of young competitive dancers and their intense and argumentative mothers, Dance Moms became an overnight sensation and launched the show’s young dancers into stardom. In the show’s early seasons, the dancers’ mothers spoke of their hopes for their children to achieve careers on a Broadway stage and in film.³⁴ In 2011, Instagram was in its infancy and the advent of TikTok was years away; a handful of hit reality shows featuring children, like Jon and Kate Plus 8 and the ill-fated 19 Kids and Counting,³⁵ existed but the children on those shows were not positioned adjacent to entertainment careers and also had not built independent followings or fanbases—the concept of kidfluencers was entirely new. Dance Moms changed the game.³⁶

Today, the original Dance Moms dancers are in their early to mid-twenties and their primary careers are as social-media influencers.³⁷ Instead of becoming “stars” in a traditional sense on stage and in film, the Dance Moms girls achieved stardom as themselves, beloved by young fans of their show who flocked to follow them on social media as Instagram and other platforms simultaneously took off.³⁸ While the first Dance Moms dancers did not begin their time on the show imagining kidfluencer fame, cast members during the show’s later seasons arguably did. In 2016, a group of younger dancers joined the now-wildly successful Dance Moms cast; entering the show in the post-Instagram and Musical.ly (TikTok’s forerunner application) world, these new dancers had social-media pages ready when the show’s global audience began following them in droves. Now teenagers, many members of Dance Moms’ second generation work as kidfluencers today³⁹—and the world of kidfluencers and reality child stars is a small one. Dance Moms’ second generation includes seventeen-year-old Lilliana Ketchman and eighteen-year-old Elliana Walmsley. Ketchman was named by the PRI plaintiffs as a perceived competitor to Rockelle, “anger[ing]” Smith; the plaintiffs believed Smith subsequently used “dirty tactics” to cause a significant decline in Ketchman’s followers, viewership, and revenue in January 2021.⁴⁰ Meanwhile, Walmsley is a former member of Rockelle’s Squad, though she was not a party to the PRI lawsuit.⁴¹

Image 1. Former Dance Moms Cast Member and Current Influencer Kendall Vertes’s Instagram⁴²

Image 2. Former Dance Moms Cast Member and Current Influencer Chloé Lukasiak’s Instagram⁴³

Barely a decade after Dance Moms’ premiere and Instagram’s launch, kidfluencing is now eclipsing the once-well-trodden paths to child stardom found on television and in film. Piper Rockelle exemplifies this phenomenon:

Paparazzi don’t wait outside Piper’s fuchsia-painted mansion in the San Fernando Valley, but among a young, YouTube-fixated demographic, the ebullient brunette is idolized. As a rising star on the most-watched video-content platform of her generation, Piper bypassed the traditional paths of Nickelodeon and Disney to become a millionaire through the monetization of her social media content.

Propelled by the force of millions of likes and heart emojis, Piper was making between $4.2 million and $7.5 million a year before the Squad’s lawsuit. Her YouTube videos had amassed over 1.87 billion views, and companies such as NBCUniversal, Disney and Amazon were paying her to promote their products on Instagram and TikTok. Super-VIP tickets on her tour—a live variety show that trades on the Squad’s online personas—went for $599.99. She was also selling merchandise on her website, offering personalized greetings via Cameo and making music. She has released seven singles.⁴⁴

The PRI “empire[],” much like many YouTube money machines, “was built at home.”⁴⁵ Smith’s live-in boyfriend, Hunter Hill, also a defendant in the PRI lawsuit, filmed and edited the Squad’s videos in the Smith home, and Smith planned video content and coordinated filming schedules for Squad members.⁴⁶ Initially, Rockelle and other members of the Squad sought success as actors on stage and in film; after her social-media channels took off, however, Rockelle narrowed her focus solely to kidfluencing, while Smith “strongly discouraged” other Squad members from continuing to pursue work beyond their growing YouTube empire.⁴⁷

And though stage parents like Smith are pursuing fame for their children in a new medium, the same conflicts of interest between parents and children that persist in film and television recur in the Internet-child-stardom era. In the early 2000s, the challenges of living in poverty colored Jennette McCurdy’s high-stress journey into the television industry; just a few years later, PRI would allegedly take advantage of children also coming from limited means in order to profit from their involvement in the Squad. Said one PRI plaintiff, “[s]ingle mothers using YouTube to support the family—there’s a lot of those in the [Squad’s families].”⁴⁸

While the PRI lawsuit is seemingly unique (as of now) in terms of its size and the breadth of the allegations at-issue, Rockelle and the Squad are in good company as part of a vast, bankable movement of kidfluencer content creators. Kidfluencer accounts are undeniably popular: a 2019 study revealed that videos featuring a child younger than thirteen-years-old receive three times the views garnered by videos without children.⁴⁹ And critics of the kidfluencer phenomenon say that platforms like YouTube, as well as brands that partner with kidfluencers for paid product placements, are deliberately skirting child labor laws because of kidfluencer accounts’ popularity and payoff; in their view, the legal gray area surrounding kidfluencers enables platforms and brands to make “billions” from kidfluencer content while avoiding the costs and coordination that film and television productions are legally required to undertake to work with child performers.⁵⁰ YouTube currently makes it fairly easy, with strategic use of algorithmic tools like hash-tagging, to achieve monetized status, requiring that channels reach just 1,000 subscribers and 4,000 viewing hours within twelve months to become monetized; as of last year, YouTube hosted roughly two million monetized accounts.⁵¹

Between YouTube, Instagram, and TikTok, opportunities for children to build a massive online presence—and for adults to make serious money off their backs—are exploding. As the last century of developing adequate legal protections for child actors demonstrates, this level of financial promise coupled with children as the key moneymakers is a recipe for exploitative disaster. Now that the recipe has found a new home on the Internet, the potential for lifelong damage to the children behind the money machines has reached devastating levels. The baby steps that some lawmakers are beginning to take toward protecting, primarily, kidfluencers’ compensation are, to be sure, essential regulatory efforts. But the reality of the kidfluencer world demands a much more all-encompassing approach—one that treats kidfluencers as the professionals they are and treats the Internet as the uniquely permanent and wide-ranging medium it is. Making parents the unchecked shot-callers over their children’s labor conditions and privacy is an untenable arrangement because of the potential conflict of interest inherent in parents choosing between substantial monetary gain and their children’s best interests. Kidfluencers and the Internet (much like child film stars and the motion picture industry as seen a century ago) are not going anywhere. So, lawmakers must get serious about how to regulate them.

II. REGULATING THE LABOR OF KIDFLUENCERS

While federal law does provide some protections for child labor, it expressly exempts child performers from those protections. Thus, to the extent that child entertainers receive protection from labor exploitation, those protections come either from state law or from unions for media professionals such as SAG-AFTRA. However, summarizing what relevant federal law is present in this area helps contextualize the gaps in child entertainer regulations that state laws and unions have had to attempt to fill. And while neither state laws (for the most part) nor unions protect kidfluencers’ labor rights, they do protect child entertainers and thus provide helpful and relevant models for what effective legal protections for kidfluencers’ labor should entail.

Only a handful of states have laws governing child entertainers, and the most stringent laws exist in California and New York; both states limit child entertainers’ working hours, regulate their education, mandate their on-set supervision and advocacy, and protect their wages. All of these regulations should be expanded to cover kidfluencers; further, because kidfluencers primarily work at home and thus are not restricted by a need to live within range of entertainment hubs like Los Angeles and New York City, these regulations should apply to kidfluencers in every state through federal legislation. Recent legislation in California, Illinois, Utah, and Minnesota protecting primarily kidfluencers’ wages, while helpful, is but one small piece of the comprehensive regulatory scheme needed to adequately protect kidfluencers’ labor.

A. Existing Labor Regulations for Child Entertainers

1. Federal Measures for Child Workers: The Fair Labor Standards Act

In 1938, the Fair Labor Standards Act (“FLSA”) marked a new era for regulation of child workers. Setting the minimum age of employment for most non-agricultural work at sixteen,⁵² the act came on the heels of the United States Supreme Court striking down laws aimed at regulating commercial goods produced by child workers in Hammer v. Dagenhart⁵³ and the Child Labor Tax Case.⁵⁴ These decisions were but one component of a long struggle by labor reformers to protect child workers—by the twentieth century, reformers heavily emphasized how child labor led to extensive health problems and the deprivation of adequate education.⁵⁵ In developing their platform regarding child labor, advocates also had to reckon with the difficult but inescapable reality that many child workers came from immense poverty. Some reformers lobbed heavy criticism at parents who they claimed were “too lazy to work” and had “become accustomed to subsist[ing] by their children’s labor.”⁵⁶

The FLSA still has multiple exemptions, some critical to child entertainers and kidfluencers alike: the FLSA exempts from regulation “a parent employing his own child”⁵⁷ and does not apply to “any child employed as an actor or performer in motion pictures or theatrical productions, or in radio or television productions.”⁵⁸ The latter exemption is known as the “Shirley Temple Act” because without it, the then-wildly popular child star would have disappeared from movie screens.⁵⁹ Further, the lawmakers behind the FLSA did not consider entertainment work especially hazardous or oppressive, unlike the dangerous factory and agricultural labor the FLSA was intended to address, and thus excluded minors in entertainment from coverage.⁶⁰ Due to this exclusion of child performers from federal regulation, labor rights for child performers fall under state law, and states have adopted a variety of protections (including, in seventeen states, no protections at all) for this demographic.⁶¹

2. SAG-AFTRA, States’ Approaches & the Coogan Law

Some of the most comprehensive protections for child entertainers come from SAG-AFTRA, the primary union for media professionals in the United States. SAG-AFTRA’s collective bargaining agreements with production companies require that companies adhere to the standards delineated in SAG-AFTRA’s contracts as well as applicable state law regarding employment of minors.⁶² Thus, SAG-AFTRA functions as the enforcer of its own standards for employing child performers; its collective bargaining agreements act as a bottleneck against potentially negligent or exploitative employment practices because production companies that are SAG-AFTRA signatories must comply with these standards in order to employ children with SAG-AFTRA membership.⁶³ SAG-AFTRA restricts the working hours of child entertainers working anywhere in the United States, stipulating that minors may not work before 5:00 a.m. or after 10:00 p.m. on days preceding a school day (and may not work after 12:30 a.m. on mornings of non-school days); SAG-AFTRA further limits total working hours per school day to four hours for children ages six to eight, five hours for children ages nine to fifteen, and six hours for children ages sixteen and seventeen.⁶⁴ School days for SAG-AFTRA contract purposes conform to the public school calendar for the district where the minor resides, and SAG-AFTRA requires that school-age minors receive an average of at least three hours of educational instruction on school days.⁶⁵ Minors between six months and two years old may work up to two hours while minors between two and five years old may work up to three hours; only preschool-age minors do not attend on-set school.⁶⁶

SAG-AFTRA’s protections for child actors’ compensation also conform to applicable state law, where present.⁶⁷ Originally passed in California in 1939, the Coogan Law now requires that fifteen percent of all minors’ earnings for entertainment work be placed in a blocked trust account (known as a “Coogan Account”) accessible only by the minor once they reach adulthood.⁶⁸ The law’s namesake, child actor Jackie Coogan, enjoyed a tremendously successful career in the 1920s after being discovered by Charlie Chaplin.⁶⁹ But despite Coogan’s millions of dollars in earnings as a child star, he only ever received a weekly allowance of $6.25 from his mother until, when Coogan turned twenty-one, she ultimately refused to ever turn over more of his earnings to him.⁷⁰ Though intended to prevent exploitation like that Coogan suffered from befalling future young actors, the first iteration of the Coogan Law had critical gaps, including merely permitting, rather than mandating, trust accounts for child performers.⁷¹ It was precisely these gaps that enabled the parents of Shirley Temple herself to devote her earnings entirely to supporting their family of twelve even after the initial passage of the Coogan Law; after her acting career slowed down in her teenage years, the generation-defining star’s “only assets were a few thousand dollars and the deed to her dollhouse in the back yard [sic] of her parents’ Beverly Hills home.”⁷² California closed the gaps in its Coogan Law in January 2000 following advocacy by SAG-AFTRA for unequivocal legal recognition that minors’ earnings from entertainment work are their own.⁷³ Currently, New York, Illinois, Louisiana, and New Mexico all have trust-account mandates for child actors comparable to California’s Coogan Law.⁷⁴

Meanwhile, some states also have laws concerning child performers’ labor conditions in addition to compensation requirements and union protections. California mandates a maximum eight-hour workday for child entertainers in addition to three hours of on-set education for each weekday that children work; California also requires that a state-licensed teacher or welfare worker be present at all times on sets where child performers are working,⁷⁵ and that adults obtain permits before employing children and ensure that a minor’s parent or guardian is within their sight and hearing range at all times that the minor is on set.⁷⁶ In New York, employers of child entertainers working three or more consecutive days must provide a credentialed on-set teacher to ensure that state educational requirements for child entertainers are met.⁷⁷

3. When Does the Home Become a Set?

State laws protecting child entertainers, however well-established, largely do not extend to kidfluencers—even in states like California, which has very strict regulations for child performers⁷⁸ (PRI is located in Los Angeles and the Squad’s videos were filmed there⁷⁹). If we apply California and SAG-AFTRA’s labor regulations for child actors to PRI and the Squad, PRI—sometimes allegedly, other times admittedly—fell far short.⁸⁰ Smith did not obtain permits to work with the minors in the Squad.⁸¹ Some PRI plaintiffs claimed they worked up to twelve hours per day, seven days a week, without rest and meal breaks and without compensation.⁸² The mother of two plaintiffs, sisters, worried that one of her daughters “was falling behind in school because she wasn’t getting enough sleep” due to Smith’s demanding filming schedule.⁸³ Some of the plaintiffs’ parents alleged that Smith “regularly forbade other adults from being on set”;⁸⁴ Smith reportedly only ever “briefly” hired an on-set teacher for Squad members and “was uninterested in the children’s education,” even though none of the minors attended traditional in-person school during their years filming.⁸⁵ After some of the plaintiffs’ parents hired a private tutor to work with the minors in Smith’s guesthouse, Smith “barged” into the guesthouse mid-lesson, “screaming” that the child currently studying needed to “report to set immediately” and that “she didn’t care whether the tutor’s hour wasn’t up.”⁸⁶ The tutor left her position teaching the Squad after the incident.⁸⁷ Plaintiffs also reported that Rockelle herself had significant educational gaps, claiming Rockelle, who has only ever been homeschooled,⁸⁸ had trouble reading and “never” did schoolwork.⁸⁹

Commenting on the allegations in the PRI lawsuit regarding failure to provide compensation as well as the maintenance of an oppressive work environment, plaintiffs’ attorney Matthew Sarelson remarked, “Imagine if these kids had been on a movie set for Lionsgate . . . . People would go to jail if this had happened at a studio.”⁹⁰ But kidfluencers occupy a legal gray area existing somewhere between professional child performers and the kids-next-door getting together to make a funny video.⁹¹ And the PRI plaintiffs assert that that legal gray area has given rise to a “Wild West atmosphere of content creation” where adults can push children into extensive, high-profile content creation with little to no oversight.⁹²

Throughout the PRI lawsuit, Smith emphasized that she “did not view her home as a workplace” nor herself as the plaintiffs’ employer; she described the Squad’s activities as “ ‘kids get[ting] together voluntarily to collaborate on making videos,’ ” a far cry, in her view, from a professional studio environment that would necessitate her compliance with state child labor laws.⁹³ Smith’s lawyer commented, “There is tremendous uncertainty about what labor laws apply in the context of filming a YouTube video at home, with an iPhone . . . . At what point is that a professional production?”⁹⁴ Meanwhile, Sarelson argued that “PRI should be treated no differently than a traditional production company” and expressed “hopes [that] the lawsuit sparks change in the social media space.”⁹⁵ Some of PRI’s activities—including using a professional camera to film content and posting audition notices for young actors to film with Rockelle—could indicate that the corporation was effectively operating as a professional production company.⁹⁶ But currently, no federal legislation exists delineating the line between making home videos and shooting professional social-media content.

B. New Efforts: Expanding Child Labor Regulations to Cover Kidfluencers

A handful of states are beginning to enact labor protections for kidfluencers, underscoring the desire and need for a comprehensive, federal approach to kidfluencer regulation.⁹⁷ In July 2025, Minnesota enacted some of the most significant kidfluencer regulations so far: not only does the state now mandate protected trust accounts to safeguard kidfluencers’ earnings, but it also prohibits children less than fourteen years old from appearing in monetized content at all.⁹⁸ Instead of designing its law solely as a means of “legitimizing” kidfluencers as akin to child entertainers, University of Minnesota Law School Dean William McGeveran said Minnesota “ ‘set [its law] up as almost a child labor law. . . . It’s about kids needing to be able to be paid for work that they do . . . . And if they’re 13 and under, kids can’t work in the ice cream shop and they can’t work in their parents’ content creation either.’ ”⁹⁹ Minnesota’s statute does not enshrine any further labor regulations for kidfluencers over fourteen beyond protecting their earnings.

For the other six states that now protect kidfluencers’ labor, their measures are limited to regulating kidfluencers’ compensation. In July 2024, Illinois became the first U.S. state to enact laws expressly protecting kidfluencers’ earnings.¹⁰⁰ Content creators in Illinois must now set aside a portion of earnings in a protected trust account for all minors age sixteen and under who appear in at least thirty percent of their monetized content.¹⁰¹ Illinois Senator Dave Koehler, who introduced the law, took action after Shreya Nallamothu, a fifteen-year-old high school student in his district, alerted him to the issue of young children being featured extensively online with no labor protections for them in place.¹⁰² “This new digital age has given us tremendous opportunities to connect with one another, but it’s also presented legal issues that have never existed before,” said Koehler.¹⁰³ “We need to work with our children to see the problems they face and tackle them head-on before any further harm is done.”¹⁰⁴

The Illinois law protects earnings for minors under the age of sixteen while stipulating that minors under sixteen who produce their own videos are not considered “vlogger[s]” subject to the compensation and record-keeping requirements established by the law.¹⁰⁵ The law explicitly includes “famil[ies]” in its definition of “vlogger[s],” thus requiring parents who produce content featuring their own children (as well as any other children) to set aside the minors’ earnings if their inclusion reaches the specified threshold. The law also amends Illinois’ Child Labor Law by allowing teenagers who are at least eighteen years old to take legal action against their parents for failing to compensate them in accordance with the new requirements.¹⁰⁶ In response to the law, University of Alabama professor of digital media Jessica Maddox called the legislation “long overdue” and pushed for other states to take similar steps as well as expand protections to allow eighteen-year-olds to petition for the removal of social-media content that features them.¹⁰⁷ Emphasizing the need for regulations that adequately measure up to the reality of the kidfluencer phenomenon, Maddox commented:

[Kidfluencing and vlogging] are actual jobs, possible ways of earning income, that need protection . . . . Since there aren’t unions, there isn’t systemic protection in terms of laws, that is why Illinois law is super important for setting the precedent that this type of labor needs to be protected, especially for minors.¹⁰⁸

Meanwhile, on September 26, 2024, California Governor Gavin Newsom signed legislation expressly expanding the state’s Coogan Law to cover kidfluencers sharing content on YouTube and similar platforms.¹⁰⁹ The bill in question, AB 1880, defines “content creator” as “an individual who creates, posts, shares, or otherwise interacts with digital content on an online platform,” including “vloggers, podcasters, social media influencers, and streamers”; “online platform” is defined as “any public-facing website, web application, or digital application.”¹¹⁰ Regarding Governor Newsom’s support for the bill, bill author Assemblymember Juan Alanis remarked:

I thank Governor Newsom for signing AB 1880 and for his commitment to addressing the unique challenges minors face as online content creators in the rapidly growing digital entertainment industry. Child content creators deserve the same protections under the Coogan Law as their counterparts in traditional entertainment. With this bill, California takes a significant step in protecting the financial rights and well-being of child online influencers by extending critical protections against exploitation and ensuring they receive a fair share of earnings from their content.¹¹¹

Former child actor and successful musician Demi Lovato championed the bill as a critical step toward “grant[ing] agency” toward kidfluencers upon reaching adulthood.¹¹²

Signed alongside AB 1880 was SB 764,¹¹³ the Child Content Creator Rights Act (“CCCRA”), authored by Senator Steve Padilla.¹¹⁴ The CCCRA stipulates that video bloggers (“vloggers”) engage a minor “in the work of vlogging” when at least thirty percent of the vlogger’s monetized visual content includes “the likeness, name, or photograph of the minor.”¹¹⁵ Vloggers engaging minors in vlogging work under the definition of the CCCRA are required to keep detailed records of the minor’s age during the vlogging period and the extent of their appearance in and compensation for monetized content.¹¹⁶ Contracts for vlogging work between a minor and their parent must be approved by a court to avoid application of the bill’s terms; “[i]n determining whether to approve such a contract, the court shall consider whether the terms of the contract are at least as beneficial to the minor as the compensation the minor would otherwise receive under [the CCCRA].”¹¹⁷

And as of May 2025, Utah now also mandates protected trust accounts for kidfluencers.¹¹⁸ With similar provisions to those in California and Illinois, Utah’s law also lays out procedures for managing kidfluencers trusts and also requires that content creators “inform a minor’s parents that the minor is featured” in their content if, as in the PRI lawsuit, the creator is not themselves the minor’s parent.¹¹⁹ In the same vein, Virginia, Arkansas, and Montana all enacted kidfluencer laws in 2025, and each state focused its labor protections for kidfluencers on compensation safeguards, mandating Coogan Account-esque trusts for kidfluencers appearing in a certain percentage of creators’ content.¹²⁰

As lawmakers in California, Minnesota, Illinois, Utah, Arkansas, Montana, and Virginia have recognized, kidfluencing is a job, plain and simple. It demands the same safeguards against labor exploitation that are accepted throughout the United States for children in traditional entertainment jobs, along with additional protections that are necessary to address issues unique to kidfluencing. Thus, while the recent legislation in these states represents important progress, much more robust protections for kidfluencers—regulations modeled after California’s existing laws for child actors—are needed. Because of the geographic flexibility inherent in kidfluencer work, such protection is needed at the federal level to be fully comprehensive; further, kidfluencer regulations must not only mandate safeguards to compensation, but also ensure limits on working hours, guaranteed access to education, on-set supervision and advocacy, and the obtainment of permits to employ minors. As it stands today, even for kidfluencers now protected from financial exploitation in a handful of states, the rest of their working conditions remain largely unregulated—as does their privacy.

III. REGULATING THE PRIVACY OF KIDFLUENCERS

Growing up in the pop culture spotlight compromises a child’s privacy and reputation in ways that can be painful and enduring. As child actor Jennette McCurdy put it, “Growing is wobbly and full of mistakes, especially as a teenager—mistakes that you certainly don’t want to make in the public eye, let alone be known for for the rest of your life. But that’s what happens when you’re a child star.”¹²¹ And for kidfluencers, the extent to which their privacy and reputations are at stake is much greater. For Shirley Temple and Judy Garland, while the laws protecting them were still woefully inadequate, the personal information they shared with the public was limited to their performances as fictional characters, filmed on a soundstage by a camera that never followed them home. But for kidfluencers, the camera lives at home. Nothing is off-limits and every experience, every mistake, every embarrassment is potential content with dollar signs attached to it.

If labor regulations for kidfluencers are largely undeveloped, laws protecting kidfluencers’ privacy seem like less than an afterthought—perhaps even conceptually oxymoronic given that the point of kidfluencer content, in general, is to share children’s personal lives online. Even as lawmakers take steps to protect children as Internet users, kidfluencers are nowhere to be found in their policies. Though states have common law rights to privacy and publicity and a 1998 federal act regulates online platforms’ collection of children’s personal data, these rights can all generally be waived with consent—and for children, the consenting parties are their parents. Meanwhile, online platforms typically limit accounts to users aged thirteen and older, but given the numerous active kidfluencer accounts heavily featuring children under thirteen, platforms do not appear to restrict accounts that overwhelmingly feature children if the accounts are set up and managed by adults. These gaping loopholes in existing rights and policies allow kidfluencer accounts to thrive unchecked,¹²² leading to severe, long-term harm to and exploitation of kidfluencers that society is likely only beginning to reckon with.¹²³

A. Privacy Regulations for Children as Users Online

Existing and Proposed Federal Regulations for Children Online

i. The Children’s Online Privacy Protection Act of 1998

The Children’s Online Privacy Protection Act of 1998 (“COPPA”) is the primary set of federal regulations concerning children’s online privacy, covering consent and notice requirements for online platforms and entities that collect personal data from children.¹²⁴ COPPA’s “primary goal . . . is to place parents in control over what information is collected from their young children online,”¹²⁵ and it focuses on protecting children as users of online platforms as opposed to children appearing in online content. COPPA requires the Federal Trade Commission (“FTC”) to regulate online collection of children’s data and was last amended in 2013 in an effort to keep up with advancing technology.¹²⁶ Kidfluencers are not explicitly covered by COPPA or any other federal law.

As a protective measure for children who are merely consumers of online content, COPPA is reasonably comprehensive (though it needs continuous updates to remain effective). Its critical failure as a protective measure for kidfluencers, however, lies in its parental-consent-based structure—and in the fact that it makes no actual mention of kidfluencers at all. COPPA only applies to children under thirteen and requires that online entities obtain parental consent before collecting children’s personal data from children. COPPA prohibits “unfair and deceptive acts and practices in connection with the collection and use of personal information from and about children on the Internet.”¹²⁷ The act applies to websites or online services “directed to children”; in determining whether a given platform qualifies under this standard, the FTC considers the platform’s “subject matter,” “use of . . . child-oriented activities and incentives,” and “presence of child celebrities” as among relevant factors.¹²⁸ COPPA defines “collection” as “the gathering of any personal information from a child by any means, including . . . [r]equesting, prompting, or encouraging a child to submit personal information online,” “[e]nabling a child to make personal information publicly available,” and “[p]assive tracking of a child online.”¹²⁹ “[P]ersonal information” under COPPA includes identifiers like first and last name, physical address, and a “photograph, video, or audio file where such file contains a child’s image or voice.”¹³⁰ “Child” under COPPA includes only “individual[s] under the age of 13.”¹³¹

Before online entities collect personal data from a child, COPPA requires that the child’s parent receive adequate notice about the information collected and its intended use and that the parent consent to such collection.¹³² Online platforms also must provide parents with a “reasonable means . . . to review the personal information collected . . . and to refuse to permit its further use or maintenance.”¹³³ COPPA specifies that any means employed for parents to review collected information cannot be “unduly burdensome” to the parent and asserts that parents have the right to “at any time . . . refuse to permit . . . further use or future online collection of personal information . . . and to direct the [online platform] to delete the child’s personal information.”¹³⁴ Platforms have the right to terminate a child’s use of its services if the child’s parent revokes consent and requests deletion of collected information.¹³⁵ Platforms also must only retain children’s information for “as long as is reasonably necessary to fulfill the purpose for which the information was collected.”¹³⁶

Lastly, COPPA includes safe harbor provisions, allowing online entities that follow approved sets of self-regulatory guidelines to be deemed compliant with COPPA and eligible for safe harbor treatment shielding them from potential liability.¹³⁷

ii. COPPA 2.0

In May 2023, U.S. Senator Edward Markey, the author of COPPA, alongside Senator Bill Cassidy, introduced a new version of COPPA, “COPPA 2.0.”¹³⁸ After the Senate Commerce, Science, and Transportation Committee unanimously advanced COPPA 2.0 in July 2023, the Senate passed the bill in August 2024.¹³⁹ Senators Markey and Cassidy then reintroduced the bill in March 2025.¹⁴⁰ In early 2024, COPPA 2.0 cosponsor Senator Ted Cruz described the bill’s purpose as ensuring that no child leaves behind a digital footprint:

When Congress first passed the Children’s Online Privacy Protection Act, Americans were using dial-up to search “Ask Jeeves” instead of Google. Now, kids can access the Internet in the palm of their hands, and tech companies routinely surveil and target America’s youth. I’m proud to have worked with Sens. Markey, Cantwell, and Cassidy on bipartisan legislation to empower parents to safeguard their children’s online privacy and hold tech companies responsible for keeping minors safe from data collection. Every child deserves to grow up free of a digital footprint, and this bipartisan legislation is one step closer to achieving that goal.¹⁴¹

Championed as a means of bringing “children and teen’s online privacy standards into the 21st century,”¹⁴² COPPA 2.0 enumerates additional categories of online platforms, including mobile applications,¹⁴³ and forms of personal data, including biological and physiological information.¹⁴⁴ Most significantly, however, COPPA 2.0 creates an entirely new class of protected minors: teenagers between thirteen and sixteen years old.¹⁴⁵ Under COPPA 2.0, teenagers—not their parents—consent to collection of their own personal data and are empowered to request review of collected data as well as revoke consent for data collection.¹⁴⁶ However, COPPA 2.0 does not permit teenagers to withdraw consent for their own data that was collected with their parents’ consent before they turned thirteen.¹⁴⁷ The omission of this right, under either iteration of COPPA, is particularly sobering in the kidfluencer context because it prevents kidfluencers from compelling platforms to remove their data, collected before age thirteen, in the event that their parents cannot or will not do so.

2. Online Platforms’ User Age Restrictions

The largest social-media platforms typically require users to be at least thirteen years old,¹⁴⁸ though caveats to this rule exist. YouTube’s terms of service specify that users “must be at least 13 years old to use [YouTube]; however children of all ages may use [YouTube and YouTube Kids] . . . if enabled by a parent or legal guardian.”¹⁴⁹ TikTok requires users to be at least thirteen years old,¹⁵⁰ and TikTok’s settings default accounts associated with minor users to private mode; TikTok users ages sixteen and seventeen can choose to make their accounts public.¹⁵¹

Instagram also requires that users be at least thirteen;¹⁵² on September 17, 2024, Instagram began defaulting all accounts created by users who indicated they are under eighteen to private mode.¹⁵³ These changes, which Instagram says are being “rolled out on an individual basis,”¹⁵⁴ are part of Instagram’s new “Teen Accounts” initiative promoted as a means of increasing safety for minors using the platform.¹⁵⁵ Under the “Teen Accounts” setup, users ages sixteen and seventeen can change the default privacy setting themselves to make their accounts public; minors under sixteen need their parents’ permission to do so.¹⁵⁶

It is not clear whether Instagram’s recent changes will affect accounts that feature minors but are at least ostensibly managed by an adult (as most kidfluencer accounts typically are); however, Instagram makes no mention of such accounts in its communications about this new measure, while stipulating that the “Teen Accounts” setup applies to “users.” Thus, even as platforms begin rolling out age restrictions, kidfluencer accounts continue to

occupy a gray area outside of the growing spotlight on child social-media users.

B. Relevance and Current Limitations of the Common Law Rights of Privacy and Publicity

In the United States, the common law rights of privacy and publicity are “distinct” from one another and “intended to vindicate different interests,” though the latter initially evolved out of the former.¹⁵⁷ While the right of publicity enshrines the “right to control the commercial value of one’s identity,”¹⁵⁸ the right of privacy “protects one’s right ‘to be let alone.’ ”¹⁵⁹ The common law right of privacy comprises four tort causes of action: intrusion upon seclusion, public disclosure of private facts, false light, and appropriation.¹⁶⁰

The common law right of publicity developed out of both the right of privacy and intellectual property law, and has existed formally in the United States since the 1970s.¹⁶¹ While the United States Supreme Court recognized the existence of the right of publicity in 1977 in Zacchini v. Scripps-Howard Broadcasting Co.,¹⁶² there is no federal right of publicity; rather, the right of publicity exists at the state level and is currently recognized in thirty-five states, including California.¹⁶³ The right of publicity stipulates that individuals have a common law right against appropriation of “the commercial value of [their] identity . . . without consent”;¹⁶⁴ inherent in the right is the recognition that “an individual’s likeness” is that individual’s “own property.”¹⁶⁵ The right of publicity is based on three core justifications: (1) the right to “reap the fruit of [one’s] labors,” connected to concerns about unjust enrichment;¹⁶⁶ (2) the “copyright-incentive theory” that the law must protect the individual’s persona so as to promote creative artistry; and (3) the need to protect “consumer[s] from advertising deception.”¹⁶⁷ Section 3344 of the California Civil Code (“section 3344”) codifies California’s common law right of publicity and prohibits use of another’s image or “likeness” for profit without consent.¹⁶⁸ For minors, however, it is precisely the element of “consent” that is likely to prove most challenging if and when section 3344 is invoked to protect their rights, for the law expressly recognizes consent by a minor’s parent or guardian as equivalent to the minor’s own consent.¹⁶⁹

While the PRI lawsuit is currently unique, it illustrates how disputes over consent are likely to be central to any efforts to protect kidfluencers’ privacy and publicity rights under the common law and corresponding statutes. Three plaintiffs in the PRI lawsuit alleged violations of both section 3344 and California’s common law right of publicity;¹⁷⁰ Smith argued that she could not be liable under section 3344 and the common law precisely because the parents of the three plaintiffs had consented to the use of their children’s likenesses for commercial purposes on Rockelle’s channel.¹⁷¹ The plaintiffs disputed the fact of such consent¹⁷² and, in denying summary judgment in March 2024, the Superior Court of California ruled that these claims created issues of triable fact. Presumably, parents of the other eight plaintiffs had consented to use of their children’s likenesses for profit by Smith and PRI. And given that no plaintiff ever alleged that their parent had no knowledge whatsoever of their appearance in videos on Rockelle’s channel, it follows that the parents of the three children alleging publicity violations simply may not have given meaningful consent.

At least for situations like the ones in which these three PRI plaintiffs found themselves, requiring that online platforms verify meaningful consent and notice by kidfluencers or their parents to use of the child’s likeness in monetized content would counteract harm. But still further, the lack of application of recognized privacy and publicity rights to the kidfluencer context as well as the parental-consent waiver’s potential for conflicts of interest in that context is representative of the current limitations of existing laws. Looking at the plain language and spirit of the recognized rights of privacy and publicity alongside the raw reality of the kidfluencer phenomenon, as typified by the PRI lawsuit, it follows not only that our society and legal system should care about protecting kidfluencers’ privacy and publicity rights, but that we in fact do care about it. However, our society has not yet recognized how our concern for privacy and publicity rights implicates kidfluencers due to their novelty; and it would likely take years of litigation—and kidfluencer exploitation—before the common law could produce a legal framework appropriate for the competing claims of parents and kidfluencers to control over the child’s rights to privacy and publicity.

C. Falling Through the Gaps: Protecting Kidfluencers’ Privacy

1. Kidfluencing’s Unique Threat to Privacy

The Senate’s passage of COPPA 2.0 indicates a strong desire on the part of lawmakers to protect children online. But thus far, kidfluencers are missing entirely from that conversation—and to disastrous results. The types of information COPPA and COPPA 2.0 mention specifically as constituting “personal” data worth protecting—full names, online contact information, photographs, video and audio files containing a child’s image or voice, geolocation information, and more—are available in droves on kidfluencer accounts. And even as social-media platforms place age restrictions on users, kidfluencer accounts need only include a few words claiming to be managed by a parent in their description to post massive amounts of kidfluencer content to vast online audiences without constraint.

And kidfluencers’ audiences grow more dangerous as their accounts gain traction: in early 2024, the New York Times published an in-depth investigation into kidfluencers’ follower demographics, and the results are sobering. The proportion of kidfluencer account followers who are adult males grows “dramatically” as accounts grow in popularity.¹⁷³ While men made up approximately 35 percent of kidfluencer audiences overall, “[m]any [accounts] with more than 100,000 followers had a male audience of over 75 percent,” while some had over 90 percent.¹⁷⁴ The Times discovered men previously charged with or convicted of sex crimes among kidfluencer followers and found that some of these men participated in chat rooms with thousands of members, “treat[ing] children’s Instagram pages . . . as menus to satisfy their fantasies.”¹⁷⁵

While some parents are ignorant of the dangers posed by their children’s audiences,¹⁷⁶ others have grown “numb” trying to beat back the unending tide of suspicious followers.¹⁷⁷

“You are so sexy,” read one comment on an image of a 5-year-old girl in a ruffled bikini. “Those two little things look great thru ur top,” said another on a video of a girl dancing in a white cropped shirt, who months later posted pictures of her 11th birthday party.

For many mom-run accounts, comments from men—admiring, suggestive or explicit—are a recurring scourge to be eradicated, or an inescapable fact of life to be ignored. For others, they are a source to be tapped.

“The first thing I do when I wake up and the last thing I do when I go to bed is block accounts,” said Lynn, the mother of a 6-year-old girl in Florida who has about 3,000 followers from the dance world.

Another mother, Gail from Texas, described being desensitized to the men’s messages. “I don’t have as much of an emotional response anymore,” she said. “It’s weird to be so numb to that, but the quantity is just astounding.”¹⁷⁸

Still other parents are taking knowing advantage of this population: men in the chat rooms that the Times uncovered “frequently praise[d] the advent of Instagram as a golden age for child exploitation” and “trade[d] information about parents considered receptive to producing and selling ‘private sets’ of images.”¹⁷⁹ And among the allegations in the PRI lawsuit was a claim by one plaintiff that she accompanied Smith in mailing “several of Piper’s soiled training bras and panties to an unknown individual,” whereupon Smith told the plaintiff that “old men like to smell this stuff.”¹⁸⁰ Plaintiffs also alleged that Smith often “boast[ed] . . . about being the ‘Madam of YouTube’ ” and a “Pimp of YouTube,” and about making “kiddie porn.”¹⁸¹

Rockelle’s content and the PRI plaintiffs’ allegations paint a stark picture of the rampant sharing of invasive kidfluencer content carrying on unchecked throughout social media. For the members of the Squad, their experience working with PRI shares themes with Jennette McCurdy’s recollection of losing her childhood, autonomy, and privacy to child stardom. The Squad made countless videos centered around the group’s internal “crushes” and these videos performed much more strongly than the more innocent videos from Rockelle’s early days.¹⁸² Smith and Hill documented Rockelle’s first kiss on camera at age eleven¹⁸³ and filmed challenges among the Squad in which the minors competed to see who could kiss without stopping for the longest period of time.¹⁸⁴ The mother of two PRI plaintiffs, who is also Rockelle’s aunt, claimed that Smith sent Rockelle “a daily iPhone checklist cataloging the attention she needed to pay to her boyfriend, including sending him heart emojis [and] giving regular kisses, hugs and loving touches.”¹⁸⁵

In addition to the suggestive video content on Rockelle’s channel, the thumbnail images for the videos themselves are clearly set up to provide shock value and drive an increase in viewership. The mother of one PRI plaintiff alleged that Smith “often urged [plaintiffs] to pose more provocatively for thumbnail photo shoots,” ¹⁸⁶ and the lawsuit claimed that Smith, declaring that “sex sells,” “would frequently tell [the Squad members] to make ‘sexy kissing faces’ for thumbnails, to ‘push their butts out,’ to ‘suck their stomachs in,’ ‘wear something sluttier’ and would otherwise position [the p]laintiffs’ bodies in explicitly and sexually suggestive positions.”¹⁸⁷ As a result, minors are frequently depicted in provocative, revealing, or otherwise exploitative positions and situations in Rockelle’s thumbnails.

Image 3. Video on Piper Rockelle’s YouTube Channel, Featuring Eleven-Year-Olds¹⁸⁸

Image 4. Video on Piper Rockelle’s YouTube Channel, Featuring Eleven-Year-Olds¹⁸⁹

Image 5. Video on Piper Rockelle’s YouTube Channel, Featuring Eleven-Year-Olds¹⁹⁰

Image 6. Video on Piper Rockelle’s YouTube Channel, Featuring Eleven-Year-Olds¹⁹¹

The following YouTube video thumbnail images are merely described herein to protect the privacy of the minors featured in them:

Six teenagers (four female, two male), aged thirteen to seventeen, photoshopped to appear crowded together inside a bubble bath. The two male teenagers are shirtless, while the female teenagers appear to be wearing tank tops. The female teenager in the center has her hair arranged covering the straps of her tank top. The video is entitled “LAST TO LEAVE THE BUBBLE BATH!!” and has 2.3 million views.¹⁹²

Six teenagers (three female, three male), aged twelve to fifteen, arranged in co-educational pairs, each in one of three horizontal panels. Each female is touching her male counterpart. The male in the center panel is shirtless and his female counterpart is touching his bare torso. The video is entitled “LAST TO STOP MASSAGING THEIR BOYFRIEND WINS **Couples Challenge** 💆‍♀️💕” and has 1.9 million views.¹⁹³

One female aged eleven pictured in a cropped shirt pointing at her navel. A fake piercing is attached to her navel and a yellow circle is superimposed around her stomach while a zoomed-in image of her navel with the piercing appears in the right-hand side of the thumbnail. In the center of the thumbnail, the words “11 YEARS OLD!!” appear in large block lettering. The video is entitled “11 YEAR OLD BELLY PIERCED **PRANK** (Can’t Say No 24 Hour Challenge) 🚫👌” and has 4.6 million views.¹⁹⁴

Two females, aged eleven and twelve, wearing fake “baby bumps” designed to look like a pregnant woman’s belly with their shirts raised to expose the bumps. The video’s description includes the note, “We are only 11 and 12 so [this is] a pretty crazy challenge for us.” The video is entitled “24 Hours Being PREGNANT Challenge in PUBLIC with TWINS **FUNNY REACTIONS** 🍼🎀” and has 14 million views.¹⁹⁵

According to the Los Angeles Times’ investigation of the PRI lawsuit, PRI’s videos chronicling the Squad’s “crushes” performed the best with Rockelle’s online audience.¹⁹⁶ This data combined with the New York Times’ findings regarding dangerous followers of kidfluencers reflect the significant market that exists for kidfluencer content that is sensitive at best and criminal at worst. If, in the words of COPPA 2.0 cosponsor Senator Ted Cruz, “[e]very child deserves to grow up free of a digital footprint,”¹⁹⁷ the law is currently failing kidfluencers to a staggering degree.

Further, even content that perhaps falls short of the hallmark suggestiveness of Rockelle’s brand victimizes kidfluencers—according to some kidfluencers themselves. In July 2023, Ruby Franke, former figurehead of the now-defunct YouTube channel “8 Passengers,” made headlines when her two youngest children, then ages nine and twelve, were found emaciated and wounded.¹⁹⁸ The children had been imprisoned and suffered months of abuse by both Franke and her business partner Jodi Hildebrandt.¹⁹⁹ Franke had stopped posting videos of her children over a year before, changing the name of her channel to “Moms of Truth” and posting solemn videos alongside Hildebrandt discussing parenting strategies and religion. But in the 8 Passengers heyday, Franke posted videos of her family of eight almost daily, chronicling her six children’s lives as they grew up in front of an audience of up to two million subscribers.²⁰⁰

By 2022, 8 Passengers viewers had started to grow concerned about Franke’s behavior—while the harrowing nature of Franke’s eventual abuse would have been impossible for viewers to predict, many subscribers began to notice that Franke showed an indifference, at best, to her children’s privacy.²⁰¹ Franke spoke at length in her YouTube videos about sensitive matters in her children’s lives; over the course of several videos, she described in-depth her and her husband Kevin’s decision to send their oldest son, then fourteen, to a behavioral modification camp in the Arizona wilderness. At one point, Franke played a voicemail for viewers that her son had left her while at the camp; her son cried throughout the voicemail as he described his experience.²⁰² Another video featured the parents taking their preteen daughter to buy her first bra. After Kevin asked his preteen, “How come you’re all embarrassed?” his oldest daughter Shari spoke up off camera: “Because you’re filming her and you’re her dad?”²⁰³

2. Adapting COPPA 2.0 and the Necessity of a Right to Removal

In October 2024, Shari, now twenty-one, addressed Utah’s Business and Labor Interim Committee; Utah Representative Doug Owens, who sponsored Utah’s subsequent bill regulating kidfluencers, introduced her testimony.²⁰⁴ Shari told lawmakers that she appeared before them “as a victim of family vlogging” in hopes of “shed[ding] light on the ethical and monetary issues that come from being a child influencer.”²⁰⁵ Her words highlighted how adequate compensation is but one small component of a comprehensive regulatory scheme to protect kidfluencers; her experiences as a kidfluencer also evoke many of the same themes as Jennette McCurdy’s retelling of her time as a child actor—in particular, the sense that the compensation she received, while helpful, was simply not worth the loss of her childhood.

[Being a kidfluencer] is more than just filming your family life and putting it online. It is a full-time job with employees, business credit cards, managers, and marketing strategies. The difference between family vlogging and a normal business, however, is that the employees are all children. Children, from before they are born to the day they turn eighteen, have become the stars of family businesses on YouTube, Instagram, and most other social media platforms.

. . . .

At first, family vlogging is an alluring business that can bring high revenue. For my family, it became the primary source of income . . . . Many child influencers are paid for their work as I was, and this money has helped me in my adult life. However, this payment was usually a bribe. For example, we’d be rewarded $100 or a shopping trip if we filmed a particularly embarrassing moment or an exciting event in our lives. . . . Any payment that happens is under the table, with no paper trail. And how do we determine how much a child should make from appearing in family content? What price is worth giving up your childhood?

. . . Some of our most popular videos were when my eyebrow was accidentally waxed off, and the whole world saw a crying teenager when I just wanted to mourn in private. Or the time I was violently ill and got the leading role in the video for that day. My friends became scarce because dates were filmed and none of my friends wanted to be on camera. The camera never stops and there is no such thing as a [vacation] from filming.

. . . .

[A]s children, we do not understand the consequences of filming our lives and [having it] post[ed] for the world to see. We cannot give consent to our parents to post our lives. . . . I did not realize the impact that filming as a child would have on me now. . . .

. . . .

If I could go back and do it all again, I’d rather have an empty bank account now and not have my childhood plastered all over the Internet. No amount of money I received has made what I’ve experienced worth it. . . . I promise you that my experiences are not unique and are happening to child influencers all over Utah and the country. Let’s tackle this issue before it becomes a bigger crisis than it already is.²⁰⁶

As Shari’s words illustrate, kidfluencing is currently too unchecked and too profitable—for parents—to be safe; thus, common-sense regulations aimed at deterring parents from overworking and oversharing their children for a financial payout are critically necessary. Just as labor protections for kidfluencers would be most effective if enacted at the federal level, protective measures for kidfluencers’ privacy need federal support. COPPA presents a key opportunity to begin developing that support by empowering kidfluencers to wield greater control over their digital footprints long term. While COPPA 2.0 takes an important step forward by expanding online privacy protections for teenagers, a truly comprehensive and effective COPPA amendment would also cover kidfluencers.

Protections for kidfluencers under a new version of COPPA would make explicit the right of teenaged kidfluencers to consent (or not) to sharing their personal information in monetized content and their right to revoke that consent at any time; this system would empower teenaged kidfluencers by allying them with the social-media platforms hosting their content—regardless of a parent’s role in producing kidfluencer content, platforms would require the kidfluencer’s consent before new content could be shared. For kidfluencers under thirteen, the consent that their parents give to sharing their children’s information and to commercial use of their likeness would become provisional only and revocable by the child upon reaching age thirteen. This change would allow kidfluencers to retroactively revoke consent to personal data their parents had agreed to share and compel platforms to remove it.²⁰⁷ And in situations where groups of kidfluencers create content together, as in the case of Piper Rockelle’s Squad, a kidfluencer-focused COPPA section would provide legal scaffolding to discourage casual content-sharing to large online audiences without informed consent by every parent or teenager involved. These amendments would be a first step in giving kidfluencers the privacy protections that they currently lack.

Four of the states that now regulate kidfluencers’ compensation have also taken steps in this direction: recent laws in Montana, Arkansas, Utah, and Minnesota include provisions aimed at empowering kidfluencers to request removal of content featuring them. In particular, Minnesota’s flat ban on children thirteen and under working as kidfluencers is well worth lawmakers’ consideration both in other states and at the federal level; such a ban would have automatically made much of the Squad’s early content unlawful due to the children’s ages, while also avoiding the challenges of enforcing more nuanced regulations. Yet gaps persist—Minnesota’s law provides that “[c]ontent containing the likeness of a child must be deleted and removed from any online platform by the individual who posted the content, the account owner, or another person who has control over the account when the request is made,” either by a kidfluencer at least thirteen years old or by a former kidfluencer who is now an adult.²⁰⁸ However, the law does not provide an explicit enforcement mechanism or a means for relief for kidfluencers whose requests for removal go unheeded; it also seemingly exempts social-media platforms from responsibility entirely as it has no “effect on a party that is neither the content creator nor the minor who engaged in . . . content creation.”²⁰⁹

Meanwhile, Utah’s law does involve social-media platforms that host kidfluencer content explicitly in its removal provisions, requiring that platforms “provide a readily apparent process” for former kidfluencers who are now at least eighteen to request removal of content featuring themselves as minors.²¹⁰ But under Utah’s system, creators can still refuse to comply with removal requests. The law provides only an ex post, litigation-dependent right of action for former kidfluencers to challenge a creator’s refusal; at that point, a court would then consider the “emotional harm or substantial embarrassment” the challenged content poses to the former kidfluencer and both “the interests of the content creator” as well as “the public interest served by” that content.²¹¹ Thus, while Utah and Minnesota’s protections are certainly better than nothing, they are also critically limited; because kidfluencer exploitation is so rampant and systemic, an expensive, slow, after-the-fact system of relief available only on a state-by-state basis is simply not enough to protect them.

From that perspective, Arkansas and Montana have gone the furthest toward effecting an adequate legal solution: both states’ kidfluencer laws put responsibility on platforms, though with some caveats, to enforce kidfluencer protections, including removing kidfluencer content upon request. In Montana, creators are removed from the takedown process entirely; instead, Montana’s law triggers platforms’ responsibility to “take all reasonable steps to permanently delete” kidfluencer content as soon as former kidfluencers (who are at least eighteen) request removal.²¹²

Arkansas’ kidfluencer law is arguably even more sweeping; under that law, platforms must allow for removal requests by kidfluencers and then notify content creators of their obligation to remove the applicable content within thirty days; if creators do not do so, platforms “shall review and take all reasonable steps to remove the content.”²¹³ Unlike Montana, Arkansas does include caveats to platforms’ mandated removal, including for content that the platform finds “sufficiently newsworthy or of other public interest to outweigh the privacy interests” of the kidfluencer in question.²¹⁴ However, Arkansas also elevates platforms’ responsibilities in an additional, consequential area: its law makes it “unlawful to financially benefit from knowingly producing or distributing publicly . . . any visual depiction of a minor with the intent to sexually gratify or elicit a sexual response in the viewer or any other person.”²¹⁵ This section mandates platforms to “develop and implement a risk-based strategy to help mitigate risks related to monetization of the intentional sexualization of known minors” in a content-creation context; the structure of such strategies is at platforms’ discretion and can include monetization policies, “automated system[s] to identify and enforce against potentially problematic content and accounts,” and “[q]uality assurance processes” to monitor the effectiveness of platform’s policies in this area.²¹⁶ While the precise standard for determining whether content has “the intent to sexually gratify or elicit a sexual response” under Arkansas’ law are unspecified, much of the PRI Squad’s content could likely qualify. Thus, in addition to placing responsibility on social-media platforms to effectuate kidfluencer content removal, Arkansas also made the critical first step, at the state level, toward mandating that platforms develop ongoing procedures to monitor for at least some kinds of problematic kidfluencer content, and, ideally, prevent exploitation before it occurs.

Overall, both Arkansas and Montana’s regulatory approaches—situating platforms as the enforcers of newly-recognized kidfluencer privacy and publicity rights—represent the most effective way forward for a comprehensive federal scheme to protect kidfluencers.

IV. THE SOLUTION—FEDERAL LABOR AND PRIVACY PROTECTIONS AND REQUIRING SOCIAL-MEDIA PLATFORMS TO ENFORCE KIDFLUENCER RIGHTS

Kidfluencers need comprehensive labor and privacy protections, and because the Internet transcends the geographical limits that made state-specific labor regulations for child actors practical, adequate kidfluencer labor and privacy regulations must be set at the federal level. But once enacted, these comprehensive federal protections will require an effective enforcement mechanism—and the social-media platforms that host kidfluencer content are likely the entities best situated to moderate and enforce kidfluencer regulations. Thus, a robust set of federal kidfluencer labor and privacy protections would include an imposition of liability on platforms that feature kidfluencer content on monetized accounts (thereby creating revenue for the platform itself as well as for those managing the kidfluencer accounts) when that content is produced under conditions that violate kidfluencer laws. So far, only two states, Montana and Arkansas, have placed legal responsibility squarely on platforms to remove kidfluencer content upon request; lawmakers seeking to adequately protect kidfluencers must follow these states’ lead by pushing for federal measures that regulate kidfluencers’ labor and privacy and enable platforms to enforce those laws.

A. Section 230 and Techlash

Any conversation surrounding potential liability for online platforms based on a platform’s third-party content implicates section 230 of the Communications Decency Act of 1996 (“section 230”). Recognizing how “[t]he rapidly developing array of Internet . . . services available to individual Americans represent[s] an extraordinary advance in the availability of educational and informational resources,”²¹⁷ and how the Internet “ha[s] flourished, to the benefit of all Americans, with a minimum of government regulation,”²¹⁸ section 230 provides limited immunity to any online platform for content posted by third-party users.²¹⁹ In the nearly thirty years since section 230’s passage, its supporters have credited it with enabling some major online platforms to grow from start-ups into global giants,²²⁰ particularly with regard to the largest companies commonly referred to as a whole as “Big Tech.”²²¹ And many of those supporters have defended section 230 in the last ten years as an increasing number of detractors began voicing concerns over Big Tech’s ever-growing and seemingly unchecked power, a phenomenon dubbed “techlash.”²²²

Kidfluencers are glaringly missing from this increasingly heightened debate over the virtues and dangers of section 230 and, more broadly, about the responsibilities or lack thereof that Big Tech owes to users. Any federal proposal to impose liability upon platforms who violate laws designed to prevent kidfluencer exploitation will prompt questions about whether imposing such liability would infringe platforms’ rights under section 230 and their constitutional rights to freedom of expression. Crucially, however, section 230 itself already includes limiting language: in addition to protecting the right of platforms to “voluntarily” and “in good faith” “restrict access to or availability of material that [the platform] considers to be obscene, lewd, . . . or otherwise objectionable, whether or not such material is constitutionally protected,”²²³ section 230 dictates explicitly that it has “[n]o effect on intellectual property law.”²²⁴ Thus, new kidfluencer regulations, if modeled after this exception for intellectual property law, could be fully consistent with section 230.

B. Contributory Liability as a Basis for Platform Enforcement

In keeping with section 230’s unrestricted exception for intellectual property concerns, the Digital Millennium Copyright Act (“DMCA”), passed two years later, empowers copyright owners to compel online entities to remove infringing material hosted on their platforms or otherwise face liability.²²⁵ Under the DMCA’s “notice-and-takedown system,” online platforms can qualify for limitations on liability, known as safe harbor provisions, provided that they comply with an owner’s takedown request.²²⁶ Thus, the system enables copyright owners to safeguard their work from infringement while avoiding litigation and also ensures, via its safe harbor provisions, that online platforms are not impeded in their industrial development by these intellectual property protections. The DMCA has roots in common law contributory liability doctrine in recognizing partial responsibility on the part of online entities for infringement happening on their platform.²²⁷ In this way, the DMCA serves as an analog for a potential liability model for platforms hosting kidfluencer content produced in violation of expanded regulations.

In the kidfluencer context, online platforms also go a step further than inadvertent sharing of objectionable material—they profit directly from kidfluencer content by collecting a percentage of advertising revenue from the accounts they monetize.²²⁸ Thus, under expanded labor and privacy protections for kidfluencers, adapted from existing laws for child actors and child social-media users, platforms hosting monetized kidfluencer accounts would more than meet the criteria for contributory liability for profiting off of content produced in violation of these new regulations. Yet at the same time, platforms are also likely the most well-situated party to enact protocols that can effectively monitor and enforce updated kidfluencer laws.

Platforms can develop a more robust application process for kidfluencer account monetization requiring that adults running kidfluencer accounts to comply with the same laws regulating studios employing traditional child entertainers: obtaining permits to employ minors, tracking and reporting kidfluencers’ working hours and staying within working hour limits, providing proof of regular education and on-set supervision, and setting up protected trust accounts to safeguard kidfluencers’ compensation. Under this regulatory system, would-be kidfluencer accounts would have to meet these requirements as part of applying for account monetization, and existing kidfluencer accounts would have to provide documentation showing that they are maintaining these mandates to retain their monetized status on a continuing basis. Further, if federal protections for kidfluencers’ privacy were enshrined in an expansion of COPPA, online platforms could also be required to actively monitor kidfluencer accounts’ adherence to COPPA’s expanded mandates; specifically, platforms must obtain consent by teenagers and provisional consent by parents of children under thirteen to appear in monetized content and provide a means to revoke consent and compel removal upon request. Just as proof of continuing adherence to expanded kidfluencer labor regulations should be required for kidfluencer accounts to achieve monetization, so too should kidfluencer accounts be required to demonstrate compliance with privacy protections in order to keep gaining revenue. Online platforms already have established procedures to conform with COPPA’s existing mandates for children’s data collection that are similar to DMCA’s safe harbor criteria—in particular, COPPA includes its own self-regulatory guidelines for platforms to keep themselves eligible for COPPA’s longstanding safe harbor provisions. Thus, platforms are poised with a foundation to further develop protocols that monitor compliance with kidfluencer regulations. And despite the ongoing debate over the fate of section 230, imposing liability for online platforms in the kidfluencer context arguably need not threaten section 230, or platforms’ free expression more broadly, at all; such liability would not be without precedent given section 230’s blanket exception for intellectual property infringement, the DMCA’s subsequent imposition of the notice-and-takedown system, and COPPA’s longstanding restrictions on how online platforms interact with child users.

CONCLUSION

While some former kidfluencers like Shari Franke have explicitly called for a ban on kidfluencing entirely, such a drastic measure would be remarkably difficult, if not impossible, to achieve. At the same time, though the PRI lawsuit is unique, as of this writing, in its involvement of kidfluencers personally suing adult content producers, the PRI plaintiffs are part of an ever-growing cohort, the oldest of whom are only beginning to reach adulthood. As the first generation of kidfluencers comes of age while regulations to protect kidfluencers remain, at best, in their infancy, courts could see a rise in litigation by former kidfluencers only now independent enough to seek legal recourse. Rather than Shari’s proposed all-out ban on kidfluencing or a slew of merely reactive, post-exploitation lawsuits in the spirit of the PRI lawsuit, the more promising approach to addressing kidfluencer exploitation lies in enacting strict labor and privacy regulations at the federal level; once these regulations are created or expanded, lawmakers can then explore mechanisms for imposing liability on social-media platforms that host kidfluencer content produced in violation of these expanded regulations. If kidfluencers are to remain a fixture of the content-creator world (and they likely will, given the pervasiveness of their online presence as well as their financial value to the platforms that feature them), their career field needs to be regulated like the bona fide occupation that it is. Thus, federal law must ensure the right of kidfluencers in every state to limits on their working hours, guaranteed access to education, on-set supervision and advocacy, and compensation safeguards—the same protections that the most stringent states afford to professional child actors.

But merely applying labor regulations for child actors to kidfluencers as an overall protective measure still falls short because the nature of kidfluencing itself presents an unprecedented privacy intrusion. Child actors have built-in privacy protections by virtue of conducting their work on a set, away from home, playing characters. Their work, by and large, is only seen by people who pay to see it and is only broadcast subject to intellectual property and other licensing agreements between production companies and distributors. In contrast, when kidfluencers’ parents say, “Action!” the entire world immediately has an unrestricted window directly into their personal, private life. Thus, just as federal law must be expanded to regulate kidfluencers’ labor, COPPA should be amended to explicitly cover kidfluencers and also to make parental consent to collection of kidfluencers’ personal data provisional only—once children turn thirteen, they must be able to retroactively withdraw consent for data their parents turned over on their behalf. Under this new regulatory system, social-media platforms would be charged with monitoring kidfluencer accounts’ adherence to these requirements and suspending accounts in violation, drawing upon their existing safe harbor guidelines that currently ensure their compliance with COPPA and the DMCA as a model. This all-encompassing approach will serve to close the gaps in kidfluencer protections as quickly and effectively as possible, preventing future generations of kidfluencers from needing to wait to reach adulthood before they can pursue legal recourse after years of exploitation. It defies common sense that, as far as kidfluencers’ labor and privacy are concerned, the younger—and more vulnerable—they are, the fewer rights they have.

APPENDIX

My name is Shari Franke. My mother, Ruby Franke, is the prominent family vlogger arrested last year for child abuse. I don’t come today as the daughter of a felon, nor a victim of an abnormally abusive mother. I come today as a victim of family vlogging. My goal today is not to present any idea of a solution to this problem, but to shed light on the ethical and monetary issues that come from being a child influencer.

When children become stars in their family’s online content, they become child influencers. It is more than just filming your family life and putting it online. It is a full-time job with employees, business credit cards, managers, and marketing strategies. The difference between family vlogging and a normal business, however, is that the employees are all children. Children, from before they are born to the day they turn eighteen, have become the stars of family businesses on YouTube, Instagram, and most other social media platforms.

Utah is specifically a hotspot for family content due to the LDS culture around family and the goal to share the church with the world. We also have large families which makes family content more lucrative. Specifically, many parents film their regular family life as an online video blog, called a vlog. But I want to be clear that there is never, ever a good reason for posting your children online for money or fame. There is no such thing as a moral or ethical family vlogger.

At first, family vlogging is an alluring business that can bring high revenue. For my family, it became the primary source of income as is often the case for full time family vloggers. Many child influencers are paid for their work as I was, and this money has helped me in my adult life. However, this payment was usually a bribe. For example, we’d be rewarded $100 or a shopping trip if we filmed a particularly embarrassing moment or an exciting event in our lives. Or other times, simply going on vacation was expected to be payment enough—because most kids don’t get to go on regular and expensive trips. Never mind the fact that the child’s labor is actually what paid for the vacation or trip. There is no law in place to guarantee that child influencers get any money from their work. If a family account does not become an LLC, parents are taxed heavily for paying their children. But parents receive tax write offs for the regular clothes they wear, the gas money used to drive places, and even the houses they live in—anything that is filmed can be written off. And even after registering their business as an LLC, there is no guarantee that children will get paid. Any payment that happens is under the table, with no paper trail. And how do we determine how much a child should make from appearing in family content? What price is worth giving up your childhood?

But despite any monetary payment children may receive, don’t let this excuse the 24/7 labor that these children are subjected to. As a child, I was fully aware that I was an employee. The business was successful when I was happy or when I shared my hardships with the world. Some of our most popular videos were when my eyebrow was accidentally waxed off, and the whole world saw a crying teenager when I just wanted to mourn in private. Or the time I was violently ill and got the leading role in the video [for] that day. My friends became scarce because dates were filmed and none of my friends wanted to be on camera. The camera never stops and there is no such thing as a [vacation] from filming.

At the time, I’d tell you that I had a choice in what was filmed. But I’ve come to learn that every child influencer, in a way, suffers from Stockholm syndrome. Most child influencers would probably tell you they have full control over what is posted; but the reality is that their parents bribe and shame them into posting their most vulnerable moments. In fact, many child influencers may tell you they enjoy their work because of the monetary perks they receive, or the fun experiences that they can have. After all, what child would say no to a fun vacation or shopping spree if all they needed to do was film [a mental breakdown or] an embarrassing moment?

But as children, we do not understand the consequences of filming our lives and [having it] post[ed] for the world to see. We cannot give consent to our parents to post our lives. In any other context, it is understood that children cannot give consent—but for some reason, people think family vlogging is different. I did not realize the impact that filming as a child would have on me now. My social media became flooded with rumors of having sexual relations with my own brother, to being called a baby birthing machine at the age of thirteen. All these things have stuck with me, and I will forever live between the ages of thirteen to seventeen in many of my viewer’s minds. In addition, pedophiles stalk the internet, specifically seeking out child influencers. I promise you that the parents are aware of these predators and choose to post their children anyway.

I understand that this a big issue to tackle. I am not asking you to ban family vlogging, though that is my end goal. I also understand that as Utahns, we don’t appreciate big government overreach. But when it comes to protecting children, it should be a bipartisan issue. The only people harmed by child influencer laws are the parents exploiting their children. While this may not seem like an issue now, as child influencers in Utah continue to grow up, I foresee there will be legal crises with these children realizing that vlogging has brought severe emotional distress. Or these kids may realize they don’t have an appropriate amount of money to show for their [forced] labor. After all, how does that child know how much they should have made versus what their parents may or may not have paid them? Let’s deal with this now, before we reach that point. But even despite a good paycheck, I want to be absolutely clear that there is no amount of money can justify selling your soul, as a child, to the world. In no other industry would we justify unregulated child labor with a huge paycheck, and we should not do that here.

If I could go back and do it all again, I’d rather have an empty bank account now and not have my childhood plastered all over the Internet. No amount of money I received has made what I’ve experienced worth it. While I don’t have all the answers, nor many feasible solutions for this problem, I am proud to be one of the first child influencers in the state of Utah to speak against this issue. I don’t want people to look at me and blame my unique circumstances, with a mother in prison, to the Franke criminal case. Family vlogging ruined my innocence long before Ruby committed a crime. I promise you that my experiences are not unique and are happening to child influencers all over Utah and the country. Let’s tackle this issue before it becomes a bigger crisis than it already is. Thank you.²²⁹

99 S. Cal. L. Rev. 449

Download

Elinor J. Haddad*

*Executive Postscript Editor, Southern California Law Review, Volume 99; J.D. Candidate, 2026, University of Southern California Gould School of Law; B.A. Law, History, and Culture, 2016, University of Southern California. This Note is dedicated to the memory of my grandmother Nan Johnson. Thank you to my advisors Professors Jonathan Barnett and Jef Pearlman for their support and guidance; to Cristopher Swain for his unconditional encouragement; to Mark E. Haddad for his faith and wisdom; to Miranda Johnson-Haddad for her unwavering support; to Madeline Goossen and Robyn Kazemaini for their loyal mentorship; and to Kelcey Sholl, Isabella Flaherty, Nicholas Considine, and the staff of the Southern California Law Review for their thoughtful and dedicated editing.

Life Story Rights Litigation: Negotiating for a Happy Ending

May 2022May 2022Kendall Ota*

Filmmakers, television writers, and authors alike have made millions of dollars in the entertainment industry by telling stories that have already been lived by real people. Not only do these creative works force enormous public exposure upon the real people portrayed, but they often portray these real-life inspirations in inaccurate, or even harmful ways. Furthermore, without an agreement to sell their life story rights, many of these real-life inspirations receive no compensation from the use of their life story in these highly successful creative works.

* Senior Submissions Editor, Southern California Law Review, Volume 95; J.D. Candidate, 2022 University of Southern California, Gould School of Law; B.A. Communication 2017, University of Southern California. A huge thank you to the editors of the Southern California Law Review for all of your guidance throughout the publication process, and to all of my family and friends for their support throughout law school

Download

Data Protection in the Wake of the GDPR: California’s Solution for Protecting “the World’s Most Valuable Resource” – Note by Joanna Kessler

November 2019January 2020Southern California Law Review Admin

Note | Privacy Law
Data Protection in the Wake of the GDPR: California’s Solution for Protecting “the World’s Most Valuable Resource”

by Joanna Kessler*

From Vol. 93, No. 1 (November 2019)
93 S. Cal. L. Rev. 99 (2019)

Keywords: California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR)

This Note will argue that although the CCPA was imperfectly drafted, much of the world seems to be moving toward a standard that embraces data privacy protection, and the CCPA is a positive step in that direction. However, the CCPA does contain several ambiguous and potentially problematic provisions, including possible First Amendment and Dormant Commerce Clause challenges, that should be addressed by the California Legislature. While a federal standard for data privacy would make compliance considerably easier, if such a law is enacted in the near future, it is unlikely to offer as significant data privacy protections as the CCPA and would instead be a watered-down version of the CCPA that preempts attempts by California and other states to establish strong, comprehensive data privacy regimes. Ultimately, the United States should adopt a federal standard that offers consumers similarly strong protections as the GDPR or the CCPA. Part I of this Note will describe the elements of GDPR and the CCPA and will offer a comparative analysis of the regulations. Part II of this Note will address potential shortcomings of the CCPA, including a constitutional analysis of the law and its problematic provisions. Part III of this Note will discuss the debate between consumer privacy advocates and technology companies regarding federal preemption of strict laws like the CCPA. It will also make predictions about, and offer solutions for, the future of the CCPA and United States data privacy legislation based on a discussion of global data privacy trends and possible federal government actions.

*. Executive Senior Editor, Southern California Law Review, Volume 93; J.D. Candidate 2020, University of Southern California Gould School of Law; B.A., Sociology 2013, Kenyon College.

View Full PDF

93_1_Kessler

Navigating the Atlantic: Understanding EU Data Privacy Compliance Amidst a Sea of Uncertainty – Note by Griffin Drake

November 2017March 2018Southern California Law Review Admin

From Volume 91, Number 1 (November 2017)
DOWNLOAD PDF

Navigating the Atlantic: Understanding EU Data Privacy Compliance Amidst a Sea of Uncertainty

Griffin Drake [*]

TABLE OF CONTENTS

INTRODUCTION

I. BACKGROUND

A. Key Principles of Privacy Regulations

B. Schrems I and the Invalidation of the Safe Harbor

C. The Road to the Privacy Shield

D. Other Available Transfer Mechanisms

II. THE FUNDAMENTAL DIFFERENCES BETWEEN U.S. AND EU DATA PRIVACY POLICIES

A. EU Privacy Policies

B. U.S. Privacy Policies

III. HOW THE GDPR AFFECTS THE CURRENT AND FUTURE DATA PROTECTION LANDSCAPE

A. What’s New in the GDPR?

B. How Does This Affect Data Transfer Mechanisms?

1. BCRs

2. Model Clauses

3. Codes of Conduct and Certification

IV. THE FATAL FLAWS OF THE PRIVACY SHIELD, MODEL CLAUSES, AND BCRS

A. Privacy Shield

B. Model Clauses

C. BCRs

V. SO, WHAT OPTIONS DO COMPANIES HAVE?

A. Consent

B. Prepare for the GDPR

INTRODUCTION

United States government surveillance has reached a point where the government “c[an] construct a complete electronic narrative of an individual’s life: their friends, lovers, joys, sorrows.”[1] In June 2013, Edward Snowden released thousands of confidential documents from the National Security Agency (“NSA”) regarding classified government surveillance programs.[2] The documents brought to light the fact that that the NSA was spying on individuals, including foreign citizens, and deliberately misleading Congress about these activities.[3] According to Snowden, the spying was so extensive that the spying measures, including a program known as “PRISM,” involved the improper mass collection of data from citizens worldwide through NSA interactions with telecom giants like Google, Microsoft, and Facebook, and by tapping into global fiber optic cables.[4]

These revelations sent shockwaves around the globe, and the backlash was swift and unforgiving. One thing became clear to Americans and the rest of the world: the NSA and the U.S. government had prioritized the massive collection of private information over and above the personal privacy rights of the global population.[5] The concept of throwing civil liberties to the wayside through grossly intrusive surveillance pushed Snowden to step forward and reveal what he had seen all too closely.[6] He no longer wanted to “live in a world ‘where everything that I say, everything that I do, everyone I talk to, every expression of love or friendship is recorded.’”[7]

Across the Atlantic, the priorities of European Union member nations stand in stark contrast to those of the United States. The EU takes a much stronger stance on privacy and data protection and restricts how companies transfer data to non-EU nations. In the EU’s Data Protection Directive (the “Directive”), the right to privacy is described as a “fundamental right[] and freedom[].”[8] This sentiment is echoed in other landmark EU documents such as the Convention for the Protection of Human Rights and Fundamental Freedoms.[9]

Despite the very different treatment of the right to privacy in the U.S. and EU, we live in an era of lightning–quick information transfers and an interconnected global economy in which the sharing of private data (including names, IP addresses, health care information, and so forth) across borders is essential to companies conducting business worldwide.[10] The current state of the world necessitates that data flow seamlessly from country to country.[11] This reality led to the EU’s Safe Harbor Decision (“Safe Harbor”), allowing American companies to self-certify their compliance with certain heightened privacy restrictions when handling the private information of EU citizens and thus facilitating the transfer of information from the EU to the U.S.[12] However, the Safe Harbor was invalidated in Schrems v. Data Protection Commissioner (“Schrems I”).[13] This left American companies to rely on other EU–approved data transfer mechanisms—namely, Model Clauses,[14] Binding Corporate Rules (“BCRs”), or specific statutory derogations. In need of a replacement for the Safe Harbor, the EU and the United States agreed on a new deal known as the “Privacy Shield,” despite heavy criticism.[15] An additional layer of complexity exists due to the fact that the Directive, which long governed the handling of private information in the EU, is now being replaced with the significantly stronger General Data Protection Regulation (“GDPR”).

This Note will argue that in light of the pending commencement of the GDPR, American companies relying on the Privacy Shield are exposed to potential risk, as it fails to satisfy the “essentially equivalent protection” standard set forth in Schrems I, and that alternative data protection mechanisms, such as Model Clauses or BCRs, have serious drawbacks and face similar questions regarding their validity.[16] Subsequently, I will discuss some of the potential alternative mechanisms that companies can use to best mitigate exposure to the risks inherent in transatlantic data transfers.

Part I of this Note will describe the background that has led to the current uncertainty in the validity of the various data protection mechanisms. This Part will discuss the key principles behind data privacy protections, the Schrems I case and the subsequent invalidation of the Safe Harbor, the buildup to the Privacy Shield, and the other possible transfer mechanisms. Part II will discuss the fundamental differences between the United States’ and the European Union’s approaches to protecting individuals’ private information. This section will highlight the irreconcilable differences between U.S. surveillance policies and the EU’s view of the fundamental right to privacy. Part III will discuss the pending implementation of the GDPR and the relevant changes this directive will have to the current transatlantic data transfer legal regime. Part IV will outline the shortcomings inherent in the Privacy Shield, Model Clauses, and BCRs individually. Part V will conclude this Note by briefly discussing potential alternatives that companies can use to attempt to weather the shaky data privacy landscape that exists today. The proposed alternatives include obtaining consent, using codes of conduct and certification, and layering transfer mechanisms.

I. Background

A. Key Principles of Privacy Regulations

With the ability of companies to transfer swaths of consumers’ personal data globally at the click of a button, the United States and the European Union have been forced to adapt privacy regulations to meet this rapidly changing reality. In doing so, certain fundamental principles have arisen and been used to shape modern data privacy laws. In 1973, the U.S. Department of Health, Education, and Welfare developed a committee to review the use of automated data systems that maintained personal information.[17] This committee laid out five principles for data protection, known as the “Fair Information Practices” (“FIPs”).[18] These principles were incorporated, though not by name, in the Privacy Act of 1974.[19] The Privacy Act of 1974 also established the Privacy Protection Study Commission, which in 1977 refined the FIPs into eight clear principles.[20] The principles are: Openness, Individual Access, Individual Participation, Collection Limitation, Use Limitation, Disclosure Limitation, Information Management, and Accountability.[21] These principles, however, apply only to the public sector and were not formally referenced by Congress until 2002.[22]

In the EU in the 1970s, many laws were already consistent with the principles described in the FIPs.[23] In 1980, the Organization for Economic Co–operation and Development (“OECD”) developed a set of privacy guidelines with its own eight principles for data protection.[24] These principles include: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability.[25] These principles clearly bear a strong resemblance to the FIPs with one major difference—they are broadly intended to apply across both the public and private sectors. In 1995, the EU took the principles a step further and adopted the Directive to protect individuals and their private data.[26] These principles were also included in the GDPR, along with a few additional principles.[27] All in all, the principles created in 1973 and revised over time often serve as the foundation for data privacy regulations today.

B. Schrems I and the Invalidation of the Safe Harbor

While transferring data around the world is a practical necessity for large companies, governments in the EU and the United States recognize that due to how quickly and easily personal data is being transferred, this data must be protected. Acknowledging these two conflicting important interests, the EU and the United States struck a deal. In 2000, the European Commission passed a decision known as the Safe Harbor, determining that the United States, in conjunction with the terms of the agreement, provided adequate privacy protection.[28] The Safe Harbor decision allowed U.S. companies to self-certify that they will abide by EU data protection standards when transferring data across the Atlantic.[29] This option was attractive to companies because it was relatively easy to institute and it efficiently lowered transaction costs compared to Model Clauses or BCRs—so much so that over five thousand companies chose to self-certify.[30] Self-certification involved companies (1) outlining specific information about the company and the company’s use of personal data obtained from EU citizens on an online form and (2) paying a processing fee of $200.[31] This option was considered to fall into the category of an “adequacy decision” by the Commission in accordance with Article 25 of the Directive.[32] It is important to note, though, that this decision did not allow free rein for all U.S. companies to freely exchange information across the Atlantic. Instead, this method of achieving adequate protections only applied to the companies that self-certified and complied with the requisite standards.

While this solution worked for over a decade, the revelations published by Edward Snowden served as evidence that the Safe Harbor was built on false assurances. The Safe Harbor met its ultimate demise in Schrems I, in which Maximillian Schrems, an Austrian privacy activist, complained to the Data Protection Commissioner that Facebook, a Safe Harbor–certified company incorporated in Ireland, was transferring personal data into the United States where “the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in there by the public authorities.”[33] In his original case, Schrems cited Facebook’s voluntary participation in the aforementioned NSA PRISM program, which gave the U.S. government access to substantial amounts of private personal information.[34] The claim was that “there was ‘no meaningful protection in US law or practice’ regarding data transferred that was subject to US state surveillance.”[35]

The Irish High Court agreed with Schrems, stating that “[t]here is, perhaps, much to be said” for the Snowden revelations exposing “gaping holes in contemporary US data protection.”[36] Accordingly, the Irish High Court, in line with EU law, referred the matter to the Court of Justice of the European Union (“CJEU”) to adjudicate the validity of the adequacy decision regarding the United States.[37]

The CJEU agreed with the Irish High Court and took a large step by fully invalidating the Safe Harbor.[38] The standard as stated by the court vastly elevated the requirements for all future transfer mechanisms by stating that privacy protection measures in non-EU member nations need to be “essentially equivalent to that guaranteed in the EU legal order.”[39] Thus, the CJEU found that U.S. privacy law was incompatible with the EU charter.[40]

C. The Road to the Privacy Shield

With roughly five thousand companies relying on an invalidated measure, uncertainty as to what steps to take was apparent and widespread. But just as economic necessity drove the United States and the EU into the eventually invalidated Safe Harbor, it likewise drove them to craft a new, seemingly more robust agreement.[41] In coming to this agreement, the two parties faced incredible time constraints and deadlines from the Article 29 Working Party, the group designated to represent the EU member nations’ data protection authorities. The agreement that was developed, known as the Privacy Shield, was fully approved and placed into effect in July 2016, despite facing some bumps in the road,[42] and was intended to guarantee that the United States will provide the necessary “essentially equivalent” protections to individuals as those individuals would receive under the Directive.[43] The goal was that the Privacy Shield would fix the weaknesses inherent in the Safe Harbor as identified by the CJEU while providing a useful means to maintain the free flow of information.[44]

The dilemma faced by both the EU and the United States was that data necessarily needs to flow between them to maintain everyday business functions, while at the same time there must be protections in place to ensure the proper handling of the data being transferred.[45] The Privacy Shield was agreed upon because of this dilemma, and it has been described by some as a much stronger version of the invalidated Safe Harbor.[46] The Privacy Shield now includes stronger obligations regarding how companies handle data, increases transparency regarding how data is used, safeguards against U.S. government access, and provides new protections and remedies for individuals and a joint review mechanism.[47]

The agreement, though, was created in line with the Directive (and the Schrems I decision, which was made based on the Directive). Come 2018, the Directive will be replaced by the GDPR.[48] The GDPR was developed to modernize the protections given by the EU to individuals while greatly strengthening individual’s rights.[49] The GDPR is intended to protect personal data in a manner significantly stronger than under the Directive.[50] Further, the new, stronger protections of the GDPR may lead to the invalidation or revision of the Privacy Shield, which was hurriedly designed to comply with the CJEU court decision and the Directive. Even today, there are already complaints about the adequacy of the Privacy Shield’s ability to adequately protect EU citizens’ data, similar to those raised against the Safe Harbor.[51] These complaints have been exacerbated by an executive order issued by President Trump, excluding non-U.S. citizens from the protections of the Privacy Act of 1974.[52]

D. Other Available Transfer Mechanisms

So, what options does a U.S. company have for transferring personal data? The Directive outlines acceptable methods for such transfers, including an adequacy decision by the Commission, a Commission–approved transfer mechanism, or a statutory derogation.[53] A brief overview of these transfer mechanisms follows here, but they are discussed in more depth in Parts II, III, and IV.

An “adequacy decision” is a determination by the Commission that a non-EU member country “ensures an adequate level of protection.”[54] The Safe Harbor and the Privacy Shield were considered adequacy decisions in the sense that they developed certain rules and regulations that would strengthen the United States’ privacy protections to an “adequate” level. The Privacy Shield remains approved, meaning that a company can legally rely on it to transfer data. However, this mechanism could place a company in a position where if the Privacy Shield is invalidated or undergoes substantial revision, the company will need to undertake costly measures to ensure that its data transfers comply with the applicable laws and regulations in order to avoid hefty fines for non-compliance.[55]

A second option is either of the two European Commission-approved transfer mechanisms: Model Clauses or BCRs.[56] BCRs are company-developed rules governing the protection of private data that must undergo a rigorous, multi-step approval process by EU data authorities; they may be used to ensure that all transfers within a single group or company provide adequate protection as described in Article 26(2) of the Directive.[57] It is worth noting, though, that BCRs only legitimize data transfers made within a single overarching group.[58] A major benefit of BCRs is that unlike Model Clauses, there is no need to sign new contracts with each transaction.[59] This allows a company to have a clear internal procedure for handling private data and can lead to particular efficiencies.[60] Any company that is sharing or transferring data outside of its broader corporate entity structure, however, will still need to use a different method to validate those transfers, making this option less attractive to companies that exchange information externally.

This leads some companies to turn to Model Clauses, sets of contract clauses that, as determined by the European Commission, provide adequate safeguards to data privacy.[61] These have become an option oft–recommended by privacy experts and lawyers [62] due to the relative ease of implementation and their long-standing legal validity in the EU.[63] In order to receive the immunity given to companies using Model Clauses, the Clauses must be included in agreements verbatim, leading to the benefit of needing no prior authorization from country-specific data authorities.[64] Model Clauses also have the distinct advantage of covering a wide range of data transfers. Specifically, Model Clauses, like BCRs, can be used for intra-company transfers; they can be used for U.S.-EU transfers, like the Privacy Shield; and they have the additional benefit of being available for transfers between the EU and entities in any other jurisdiction, unlike the other two options.[65] This added flexibility, combined with the lower transactions costs associated with implementing these clauses, can be especially appealing to large, multinational companies that transfer data to different jurisdictions and between different entities. Model Clauses, though, are not without flaws, many of which will be discussed in Part IV.

Lastly, the data transfer itself may qualify for a statutory derogation.[66] Derogations may include a data transfer necessary to protect the vital interests of the data subject or a data transfer after the subject has given unambiguous consent, amongst other options.[67] Due to the highly specific and less common nature of many of the derogations, only consent will be discussed in this Note.

II. The Fundamental Differences Between U.S. and EU Data Privacy Policies

Data protection as a concept is itself a novel and rapidly changing field, due in large part to the fact that commercialized Internet is only a few decades old.[68] Despite the relative infancy of this field, developments in how data is used and managed electronically evolve rapidly, and legislators fight a constant battle to keep pace with these changes. In light of the practical realities that attach to this field, the EU and the United States have taken substantially different views on what measures should be taken to protect the data filling the technological universe. The EU has widely confirmed the belief that citizens have a “fundamental right[]” to data protection.[69] The United States, however, does not explicitly share the view that data privacy protection is a fundamental right of all persons.[70]

A. EU Privacy Policies

The notion that “[e]veryone has the right to the protection of personal data concerning him or her” is stated plainly in the Charter of Fundamental Rights of the European Union, a document designed to lay out the basic rights of European citizens and provide guidelines relating to these rights.[71] As mentioned earlier, this EU-recognized right is reiterated in the Directive with its specifically stated purpose “to ensure that ‘member states [] protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.’”[72]

One explanation put forward by some commentators regarding the EU stance that data protection is a fundamental right stems from the 1940s.[73] During the Second World War, the Nazis appropriated European census records, using these records to expedite deportations to concentration camps and to strengthen Germany’s hold over Europe.[74] I argue that this experience, in part, prompted the EU to take a stronger stance on privacy protections, whereas the United States, a country that has not experienced such a scarring example of what can happen when private information falls into the wrong hands, is less inclined to push for stronger protections.

Another explanation can be seen by the early adoption of the FIPs by many EU nations and the EU as a whole.[75] By adopting these principles and incorporating them into early data privacy rules and regulations, the EU set a precedential course that influenced all future privacy–related decisions. This created a multi-generational awareness of, and belief in, the importance of protecting individuals’ privacy.

The focal point of the EU privacy regime has historically been the Directive. The Directive is an omnibus legislation protecting personal data, as opposed to a fragmented, country-by-country approach. The Directive has been hailed by commentators as “the most influential national data protection law.”[76] Additionally, the drafters of the Directive took an important step in Article 28, making the Directive applicable in countries outside of the EU.[77] Specifically, transfers of data outside of the EU require contracts or other legal acts explicitly governed by EU or member-nation law.[78]

Internationally, the trend has been to follow the EU in creating legislation that applies to all data processing inside and outside of the country, largely mirroring the strict protections laid out in the Directive.[79] The thought is that if foreign countries cannot process information about EU residents, private interests will lose out on a major global market, and thus, countries will have an overwhelming incentive to come into compliance. However, despite a global trend of compliance, two powerful nations have remained defiant in the face of such measures—China and the United States.[80]

Although at first glance it may appear that the EU has come up with a comprehensive and invaluable solution to the data privacy issue, it remains, like most legislation, imperfect. One flaw is apparent simply from the name of the document: it is a directive. As such, member nations maintain some control in dictating their own privacy laws, which has led to fragmentation in the interpretations of the principles laid out in the Directive.[81] This materially limits one of the major strengths of the Directive: its being a single document utilized by all member nations.

This, however, will change with the commencement of the GDPR.[82] The key again comes in the name of the document: here it is “regulation.” As a regulation, member nations no longer have the ability to interpret the document to create their individual data policies.[83] Regulations, therefore, carry with them an increased level of strength that does not exist in the Directive. All things considered, the general idea is to centralize power regarding data privacy and eliminate the sometimes patchwork effects of the Directive. This will be discussed in more detail in Part III.

B. U.S. Privacy Policies

In describing the United States’ approach to data privacy policy, it may be useful to imagine a scheme opposite to that of the EU. The United States government does not recognize a fundamental right to privacy.[84] Additionally, the United States “uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation.”[85] U.S. privacy laws are often responses to particular events and are tailored to particular industries and types of data, similar to a firefighter running around putting out individual fires one at a time.[86] This has led to not only inefficiently overlapping polices but also notable gaps in the U.S. privacy framework.[87] These gaps in protection have been used as an explanation as to why the United States failed to satisfy an adequacy decision by the EU before the initiation of the Safe Harbor.[88]

As discussed in Part I, the United States produced the FIPs in 1973 as an early step in privacy protection. Here, however, the United States went in a different direction than the EU, which is one possible explanation for the very different positions that each holds today. The United States did not explicitly create broad legislation with the FIPs in mind;[89] instead, it opted for various acts and statutes determined by the needs of certain industries and agencies which interpreted and revised the FIPs in various ways.[90] Further, early laws incorporating the FIPs were applicable only to public sector entities, applying only in specific circumstances to the private sector.[91] I argue that because of the lack of a longstanding and broad commitment to the protection of individuals’ private information, U.S. citizens do not have their EU peers’ deep-rooted, multi-generational awareness of and belief in the importance of protecting individuals’ privacy. This leads to less political pressure on the U.S. government to enact strong privacy policies, perpetuating a cycle of citizens accustomed to weaker protections.

Another explanation for why the United States would take an approach to privacy substantially different from that of the vast majority of developed nations is similar to one rationale behind the EU policy—namely, a massive tragedy. As one commentator described, “[t]he attacks of September 11, 2001, ‘have further weakened Washington’s will to protect data. [In fact, t]hrough new laws and new offices, Washington now has more unfettered access to citizens’ data than ever before.’”[92] Another author, in 2002, went so far as to predict that “[c]ommunications technology is necessarily intrusive and, spurred on by international efforts to ferret out terrorism as a result of the September 11, 2001, attacks on the United States, will become even more so.”[93] In summation, the September 11 tragedy planted an unshakable image in the minds of U.S. citizens as a whole, leading to an increase in concern and vigilance regarding terror threats. Whether this sentiment remains as vibrant today is beyond the scope of this Note, but terror threats are ever–present,[94] suggesting this rationale is unlikely to fade. Evidence of an ongoing desire to manage the danger includes the U.S. government’s covert surveillance tactics, as exposed by the documents leaked by Edward Snowden.[95]

An additional rationale for the U.S. stance on privacy regulation results from a desire to maintain a free market economy with limited government regulation. The idea is that the government should limit regulations on businesses and allow the market to police itself. For instance, the Clinton administration advocated for industry-specific self-regulation, as opposed to government regulation.[96] That is not to say that the Clinton administration was opposed to privacy regulations, but this advocacy was a clear endorsement of a fragmented system of dealing with privacy issues. Additionally, one commentator described the Safe Harbor as being a “minimalist solution” in order to avoid a trade war “that was supposed to evolve into something stronger. It transpired, however, that the United States never intended to follow through on commitments to strengthen it.”[97] While these anecdotes are far from dispositive, they do point to the endurance of an American philosophy holding that the government should not over-regulate markets.

This rationale, though, is at least debatable. For instance, President Obama released a report in January 2017 calling for increased privacy regulations and re-emphasizing the right to be protected from governmental intrusion.[98] The Obama administration itself, though, was heavily criticized upon the exposure of the PRISM program undertaken by the NSA.[99] Furthermore, the views expressed in this report may not be shared by the new administration, which removed the report from the White House website the day after President Trump’s inauguration and issued an executive order cutting back privacy protections for non-citizens just days after his inauguration.[100]

It would be remiss to paint a picture of the United States as being completely indifferent to individuals’ privacy rights. For instance, the First, Third, Fourth, Fifth and Fourteenth Amendments collectively provide the implicit foundation for many of the laws and regulations regarding privacy in the United States.[101] There are also numerous federal laws, including the Health Insurance Portability and Accountability Act of 1996, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and many others, that address the protection of private information.[102] Additionally, the Federal Trade Commission has broad powers to take enforcement actions regarding “unfair or deceptive acts or practices in or affecting commerce.”[103] On top of this, individual states have passed their own regulations, with California’s regarded as amongst the most comprehensive.[104] These different protective measures are likely in place because the U.S. government places at least some value on protecting individuals’ privacy.

The issue, however, is that a system like this is inherently flawed. Using a patchwork structure necessarily leaves gaps.[105] In addition to gaps, individual state and federal laws are often inconsistent with one another.[106] Unfortunately, the United States has consistently rejected both omnibus legislation and the fundamental–rights approach to data protection.[107] There is no more clear depiction of this than the egregious surveillance tactics used by the U.S. government and revealed in the Snowden leak. Just as September 11 dramatically changed the landscape of data privacy protection in the United States, the Snowden documents dramatically altered the state of EU-U.S. privacy relations.

III. How the GDPR Affects the Current and Future Data Protection Landscape

The Directive has stood as the basis for EU data privacy law since 1995. The Directive provides the structure and legal guidelines with which the Safe Harbor, the Privacy Shield, the Model Clauses, and other transfer mechanisms seek to comply. The Directive, however, is nearing extinction. On April 14, 2016, the European Parliament approved the GDPR; it takes effect on May 25, 2018, at which point companies will need to be in compliance with the new, stronger regulation.[108] This section of this Note will focus on how the GDPR differs from the Directive and what that means in terms of compliance and the potential transfer mechanisms.

A. What’s New in the GDPR?

The GDPR sets out to tackle the same goal as the Directive—protecting the fundamental rights and freedoms of the EU citizenry with regard to the handling of personal data.[109] The goal is to do this while also facilitating efficiencies within the European economy and helping to promote economic and social progress.[110] These goals, however, are pursued slightly differently in the GDPR than in the Directive.

First, as mentioned earlier, a relevant distinction between the GDPR and the Directive is identifiable by looking at the titles of the two enactments. The GDPR is a “regulation,” whereas the Directive is a “directive.” This matters because a directive gives only guidance to member nations, allowing each member nation to interpret the directive and achieve its purposes in whatever way they deem appropriate.[111] A regulation, however, is applicable to each member nation and does not have to be enacted into each individual country’s legal framework.[112]

The impact of this should not be understated. A major issue with the current system is that companies must deal with greatly differing regulations in each nation in which they maintain data. This, in large part, will be eliminated. The EU stated in a press release that the estimated savings from creating a “one-stop-shop” will be in the neighborhood of €2.3 billion per year.[113] Nevertheless, while the GDPR will remove a substantial amount of the difficulty that has arisen from potentially having to comply with twenty-eight different member-state data protection laws, companies must be aware that there are still some areas in which member nations have discretion.[114] An example can be seen in Article 6(1)(e), regarding one way in which a company can legally process personal data.[115] This provision allows processing when “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”[116] All in all, though, one of the most consequential differences of the GDPR will be the decrease in administrative costs faced by companies who no longer have to negotiate, communicate, and work with data protection authorities from many different nations.

A second difference between the GDPR and the Directive is the strengthened focus on individuals’ rights vis-à-vis the way the world transfers, accesses, and uses data. In 2017, personal data is being transferred at speeds and in volumes that were unthinkable not long ago, and consumers recognize a need for strong protection. As stated by the EU, “[n]ine out of ten Europeans have expressed concern about mobile apps collecting their data without their consent.”[117]

The specific individual rights highlighted in the GDPR are the right to be informed, the right of access, the right of rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling.[118] These rights focus on two overarching goals of the GDPR. First, the GDPR increases the availability and clarity of the information provided to individuals whose data is being processed. Second, it grants citizens more control over the data they provide and also gives the citizens easier access to legal remedies for breaches. While not all of these rights are completely new or different than rights discussed in the Directive, in general they are written in a way that strengthens the rights of the citizen.[119]

Third, the definition and application of “consent” have been adjusted to further protect individuals. Consent needs to be clear, unambiguous, specific, informed, and freely given.[120] Further, the language in the GDPR seems to have noticeably narrowed the possibility of a type of implied consent arguably possible under the Directive.[121] The GDPR also has another important new feature regarding consent. Individuals are now allowed to withdraw consent at any time, and this withdrawal must be as easy to execute as the original consent.[122] This further emphasizes the strong weight the EU has placed on strengthening the role of the individual in the handling of one’s private information.

Fourth, the enforceability of the GDPR and the accountability of companies have been enhanced by new procedures, which companies must follow in order to ensure that data is appropriately protected and processed. The accountability principle accompanies transparency in an attempt to strengthen citizens’ trust in how their data is handled.[123] One way of accomplishing corporate accountability is by mandating “[d]ata protection by design” and “[d]ata protection by default.”[124] These concepts, in short, mean that projects being designed or undertaken by companies must consider appropriate data protection mechanisms from inception and throughout their duration.[125] This includes safeguards such as minimizing the processing of personal data, anonymizing data as soon as possible, and building services and applications with “state–of–the–art” data protection.[126] Accountability is also addressed in a few other ways. First, there are stricter regulations governing how companies record what data they are processing and for what purpose.[127] Second, extensive privacy impact assessments are necessary to comply with the requirement that companies maintain effective procedures to protect personal data.[128] These assessments analyze the risks to individuals, determine the necessity and proportionality of the processing in relation to the purpose, and give a description of the processing operations and the legitimate interests pursued by the data controller.[129] Lastly, data protection authorities will be able to fine companies up to 4 percent of their global annual revenue for violations of the rules.[130]

Certainly there are other differences between the two enactments, but I have highlighted the most relevant to the issue at hand. Altogether, the key differences between the GDPR and the Directive are that the GDPR (1) takes a stronger stance on the accountability and enforcement of the principles that underlie the regulation and (2) gives individuals access to more information and a larger role to play in the data processing process. Each of these goals is championed by the EU and appears to have played an important role in the creation of the GDPR.[131] The GDPR balanced pro-economic benefits by achieving a “one-stop-shop” concept to dramatically reduce transaction costs for companies—especially those operating in more than one EU nation—and secured pro-individual rights through greater transparency and accountability from companies processing personal data.

B. How Does This Affect Data Transfer Mechanisms?

As alluded to in the previous section, there are more than a few new and unique challenges that companies will face in trying to transfer data across the Atlantic. The GDPR, however, does quite a bit to clarify the transfer mechanisms available to companies, while also introducing a few new ones. I will focus on BCRs, Model Clauses, and Codes of Conduct and Certification Mechanisms.

1. BCRs

The GDPR provides a very important upgrade to the BCRs that were developed based on the Directive. In an attempt to increase consistency of the enforcement of the data protection laws, indirectly reducing transaction costs and thus appeasing businesses, the GDPR formally recognizes the use of BCRs and lays out a mechanism for utilizing and monitoring BCRs in Article 47.[132] Prior to this change, companies would need separate approvals from each country in which they handled personal data, and only two-thirds of EU member nations recognized BCRs as appropriate protective measures.[133] These upgrades will certainly help to make BCRs much more efficient for companies with entities in various countries.[134] However, as will be discussed in Part IV, BCRs are still far from a perfect option for the vast majority of companies.

2. Model Clauses

As stated in Article 46, Model Clauses will remain an appropriate safeguard for transferring data so long as the clauses are approved as described in Article 93(2).[135] As with BCRs, the provisions of the GDPR substantially reduce the administrative burden of Model Clauses. There are a few relevant changes that facilitate this increase in efficiency. First, the EU commission will create a new set of Model Clauses pursuant to the GDPR, which will not require the prior authorization of the nation from which the data is being processed.[136] While the Model Clauses have long been intended to need little–to–no approval from individual nations under the Directive, nation-specific issues still existed regarding appropriate filings, monitoring, and additional objections.[137] Another relevant change involves ad hoc contractual clauses. These can include independently drafted clauses or some variations to the terms of the Model Clauses. The GDPR makes it so that these clauses will need to be approved only by an appropriate supervisory authority in order to apply to all EU nations.[138] In contrast, the Directive’s clauses required approval by each and every nation’s data protection authority before they could be considered adequate.[139] Here, the important differences are that these clauses are intended to increase efficiency—accomplished by the overarching “one-stop-shop” notion—and to provide flexibility for companies to create adequate provisions that better fit their businesses.

3. Codes of Conduct and Certification

Two of the unique transfer mechanisms detailed in the GDPR are the Codes of Conduct and Certification. Article 40 of the GDPR explains that a notable goal of EU privacy officials is to encourage the creation of Codes of Conduct.[140] The Codes of Conduct in large part work like a non-member state seeking to acquire an adequacy decision under the Directive or a single entity seeking approval of BCRs, except that the codes apply to associations or representative bodies.[141] This option is targeted at small– and medium-size companies within certain sectors of the economy that frequently do business with one another.[142] The codes—if certified by an appropriate supervisory authority and combined with binding and enforceable commitments of the controller/processer to use adequate safeguards—qualify as an appropriate transfer mechanism for data leaving the EU.[143] The codes, however, must be reviewed by multiple levels of the EU data privacy hierarchy in order to be deemed to have “general validity within the Union,” which places an administrative hurdle on the use of this option.[144]

Certification, as described in Article 42, is a transfer mechanism that remains in its infancy, but it is very similar to the Codes of Conduct.[145] Certification mirrors the Codes of Conduct in the sense that it is intended to benefit small– and medium-size companies, it has a similar registration and approval process, and it legitimizes data transfers when combined with appropriate commitments of the controller/processer.[146] It also bears similarity in that it is has the effect of a non-member state’s receiving an adequacy decision, but the key difference between the two is that Certification can be obtained by a single company.

IV. The Fatal Flaws of the Privacy ShiEld, Model Clauses, and BCRs

A. Privacy Shield

It is worth stating at the outset that the Privacy Shield agreement is between the United States and the EU. This is an important starting point, because this transfer mechanism is unique: companies relying on it are relying not just on their own compliance with EU data regulations, but also on the assumption that actions of the U.S. government (such as the illegal surveillance actions that led to Schrems I and the Safe Harbor invalidation) will not jeopardize privacy relations with Europe. This is a risky position for a corporation to place itself in, as the relationship between the EU and the United States is sewn with distrust and remains incredibly fragile due to the Snowden revelations. Additionally, the necessity for a better understanding of the shortcomings of the Privacy Shield is underscored by the fact that over 2,400 companies have signed up for it as of late 2017.[147] This Note will now address some of the risks associated with choosing this method.

First, the Privacy Shield is an unsatisfactory solution for companies aware of the GDPR’s imminence. The Privacy Shield was created in line with the no–longer–applicable provisions of the Directive, instead of with the stronger privacy protections contained in the GDPR. Because of this, it will likely fail to meet the heightened requirements of the GDPR, and it will thus have to undergo serious revision.[148] As seen with the struggle to agree on the Privacy Shield in a quick and efficient manner following the invalidation of the Safe Harbor,[149] revisions to the Privacy Shield or the drafting of a new agreement altogether may create substantial delays and unwanted uncertainty.

Second, as laid out in Part II of this Note, the United States and EU have vastly different views on privacy rights. Granted, they each have a strong incentive to bridge the gap, given the undeniable economic benefits for doing so. But this may be especially hard to do in light of President Trump’s strong stance regarding the utilization of surveillance to combat terrorism. Before taking office, Trump had already encouraged a boycott of Apple products due to its refusal to create a “back door” entry into the cell phone of one of the San Bernardino shooters,[150] and said that he believed that the NSA “should be given as much leeway as possible. However . . . . [t]here must be a balance between those Constitutional protections and the role of the government in protecting its citizens.”[151]

Once in the White House, Trump further strained EU-U.S. privacy relations by issuing an executive order excluding non-U.S. citizens from the protections of the Privacy Act of 1974.[152] In reply, Jan Philipp Albrecht, the rapporteur for the EU’s data protection regulation, tweeted that the EU should immediately suspend the Privacy Shield and sanction the United States.[153] The European Commission issued a statement noting that the Privacy Shield “does not rely on the protections under the U.S. Privacy Act.”[154] Nonetheless, this has added to the tension between the EU and United States and further brought the validity of the Privacy Shield into question. While it is unclear how President Trump and Congress will handle impending issues related to privacy protections, like the expiration of Section 702 of the U.S. Foreign Intelligence Surveillance Act,[155] companies should be aware of the potential for the White House and Congress—each with an eye toward increasing government surveillance—to drastically increase U.S.-EU tensions and put the Privacy Shield at risk.

Third, there are fundamental aspects of the Privacy Shield that are inconsistent with the GDPR and are subject to the same criticisms that led to the Safe Harbor’s invalidation. First, the EU hails U.S. “assurances” that it will limit mass surveillance.[156] Not only did these assurances come from the potentially more privacy–friendly Obama administration, but they also seem weaker than is acceptable under the GDPR standards. For instance, the NSA maintains the ability to utilize “bulk” collection tactics, so long as they are consistent with various opaque limitations subject to a good deal of interpretation.[157] Second, the Privacy Shield’s lauded redress mechanisms, which utilize an independent ombudsperson,[158] are vastly overstated, as well as undermined by a clear conflict of interest: the ombudsperson is appointed by, and reports to, the U.S. Secretary of State.[159] Certainly, the Privacy Shield attempts to lay out provisions to ensure the independence of the ombudsperson, but these provisions are speculative at best. Most importantly, it is difficult to imagine their being considered protections “essentially equivalent” to those afforded by EU member nations.

Fourth, the Privacy Shield is already facing legal challenges, largely in line with the above points,[160] and the initial version received harsh criticism from the Article 29 Working Party regarding the precise issues that led to the Safe Harbor invalidation.[161] Are these legal challenges likely to succeed? It is unclear. Was the Privacy Shield revised to try and appease the Article 29 Working Party? Yes.[162] Regardless, it is concerning that the Privacy Shield is facing such hurdles so early on, especially considering the panicked state in which the Safe Harbor invalidation left so many companies, as well as the already tenuous relationship between the U.S. and EU.[163]

In summation, the Privacy Shield agreement is a potentially dangerous option for U.S. companies. While it certainly has some benefits in terms of relative ease of implementation and flexibility,[164] it is shrouded in uncertainty and question marks. The question marks remain the same as those that led to the invalidation of the Safe Harbor, and with a surveillance-friendly administration in the White House, the relationship between the EU and U.S. will likely remain uneasy going forward. A potential invalidation would leave thousands of companies scrambling for an alternative method of compliance while risking steep fines. Therefore, the decision to certify under the Privacy Shield is the decision to place faith in a hastily prepared band-aid fix for the bursting dam that followed the invalidation of the Safe Harbor. It requires not only trust in one’s own ability to comply with the more complex EU regulations but also trust that U.S.-EU privacy relations will not slip from the shaky ground on which they already reside. That is a scary decision to make, and one that I would not advise.

B. Model Clauses

While the forecast for the Privacy Shield is decidedly gloomy, the outlook for Model Clauses seems at least somewhat brighter. However, there are a few definitive practical flaws that make Model Clauses an insufficient option for long-term GDPR compliance. I will briefly discuss some of the basic practical issues with using Model Clauses, including their rigidity and the cumbersome aspect of having to include them in every data–transfer–related contract, before focusing on the more concerning, potentially fatal flaws regarding the legal validity of this compliance mechanism.

First, the GDPR has not expressly accepted the current Model Clauses. Instead, as described in Part III above, the GDPR outlines a process through which the EU Commission will create a new set of Model Clauses.[165] Utilizing one of the three current sets of Model Clauses is therefore a temporary solution at best. One additional general criticism of Model Clauses is that companies must be sure to include them in every single contract they have in order to validly transfer data. Thus, if the current Model Clauses are not valid under the GDPR, companies will be forced to amend every single contract relating to data transfers. While it is certainly possible that the current Model Clauses may be determined to provide adequate safeguards, it seems unlikely that the GDPR would make no mention of them if this were more assuredly the case, particularly since BCRs were explicitly included and described.

Second, and to go even further with the point above, the current Model Clauses’ validity is hotly contested. One of the strongest examples of pushback came in a position paper from the Independent Center for Privacy Protection in Schleswig-Holstein (“ULD”).[166] In this paper, the ULD took a powerful stance, stating that “a data transfer on the basis of Standard Contractual Clauses to the US is no longer permitted.”[167] Soon after, a conference of Germany’s data protection commissioners largely agreed.[168] Model Clauses also face legal challenges via Maximilian Schrems’s class–action lawsuit against Facebook.[169] The case is progressing slowly due to procedural issues, but it highlights the volatility surrounding the Model Clauses.[170] However, the views of those objecting to the validity of the Model Clauses are not unanimously held. For instance, the Article 29 Working Party and the EU Commission have continued to back the Model Clauses in spite of Schrems I.[171] Even so, it is difficult to ignore the uncertainty surrounding these clauses—and the potential expense their invalidation or amendment would incur.

Third, the current challenges described above have legitimacy. As the ULD stated, American companies using Model Clauses are subject to American surveillance laws—the same ones that led to the invalidation of the Safe Harbor and which make it impossible to provide the necessary protections for citizens.[172] The notion is simple: having Model Clauses in a contract will do nothing to stop the United States from conducting the types of surveillance that led to the invalidation of the Safe Harbor. Because of this, U.S. companies will not be able to comply with the section of the clauses stating that U.S. companies are not subject to laws that make it impossible to follow the instructions of the data exporter.[173] This contention has not yet led to the invalidation of the Model Clauses, but it remains a cloud hanging over their legitimacy.

In summation, Model Clauses are a risky option for companies for multiple reasons. First, using the current Model Clauses will lead to companies having to amend every one of their contracts when the GDPR begins to be enforced. This will be both costly and time–consuming. Also, the Model Clauses already face scrutiny from certain nations’ data protection authorities and could very well be invalidated even before the GDPR comes into play. Again, this would leave companies scrambling to find a new, legally valid mechanism. All this being said, of course, once the EU Commission approves GDPR–compliant Model Clauses, it may well be smart to utilize them, and they should be analyzed at that time. The issue is that these clauses do not yet exist, and the current Model Clauses are riddled with issues.

C. BCRs

BCRs are a long-standing mechanism available by which U.S. companies comply with EU privacy laws. Despite having a history of valid and adequate protection, however, BCRs today are practically useless for most companies. The fatal flaws of BCRs generally stem from the practical impediments to their use as well as their now-questionable legal validity.

First, BCRs only apply to a very specific type of data transfer, making them unavailable to many companies. They apply when data is transferred amongst entities that are part of the same corporate group.[174] Because of this, BCRs are useless for companies that transfer data externally. This excludes a wide variety of industries, including those which transfer human resources data to third parties and which transfer third-party market research data. Thus, many companies cannot use BCRs based upon a basic limiting factor.

Second, practical impediments to BCR approval eliminate this option for the vast majority of remaining companies. Companies must receive approvals from each separate data protection authority, which can take between eighteen and twenty-four months.[175] To further illustrate the difficulty and limited usefulness of BCRs, in more than ten years of their validity as a transfer mechanism, only around one hundred companies have actually obtained approval.[176] The enormous costs of compiling the BCRs make them viable only for massive multinational corporations like General Electric or Shell.[177] Entities with both the resources to pursue the BCR process and strictly (or mainly) intra-company data transfer requirements comprise a decidedly limited category, and many within it will still choose to pursue less burdensome and more practical mechanisms.

Third, BCRs currently face the same legal challenges as Model Clauses. To summarize, some data protection authorities have stopped considering BCRs as an acceptable transfer mechanism.[178] Currently, BCRs are only recognized by about two-thirds of member nations.[179] Ultimately, companies must recognize that the validity of BCRs, like Model Clauses, is necessarily clouded following Schrems I, and that countries have already begun to show distaste for them.

However, BCRs were significantly strengthened via the GDPR, and their future legal validity seems to stand on much firmer ground than the Model Clauses. The GDPR will also allow BCRs to apply to transfers outside the corporate group.[180] These transfers must be accompanied by commitments and agreements of the external parties to provide adequate protections,[181] a requirement that essentially replicates the Model Clauses. Companies will now have to take the time and effort to include contractual protections in every contract they make, thus removing one of the benefits of BCRs—not having the burden of exacting privacy commitments in every contract. Additionally, if a company is going to pursue this option, it is important to guarantee that its BCRs are GDPR–compliant. Companies currently using BCRs may see them invalidated or in need of revision in the future.

Nonetheless, BCRs remain an untenable option for most companies. While the GDPR appears to streamline the process of BCR adoption through the “one-stop-shop” concept that is inherent in the regulation,[182] it is still a complex process demanding substantial resources. Further, there is no evidence that approvals will indeed be streamlined using the GDPR. At this point, any increase in efficiency promised by the GDPR’s passage is speculative at best.

Ultimately, BCRs may be better suited to overcome legal concerns than the other mechanisms and may serve as a relatively stable transfer mechanism under the GDPR. However, BCRs still face the limitations mentioned in the first two points above: they are only viable for large, multinational corporations that are primarily transferring data amongst their own corporate groups. Because of this, BCRs are a solution in only very limited circumstances.

V. So, What Options Do Companies Have?

All hope is not lost. Data is still going to flow across the Atlantic. Many of the above mechanisms will continue to be used, and companies will, at least for the time being, be able to get away without updating and adjusting their privacy policies to conform with the upcoming implementation of the GDPR. For instance, a survey from July 2017 found that 89% of U.S. organizations impacted by the GDPR are unprepared for the upcoming changes.[183] Companies that choose not to address this matter risk facing massive expenses if and when their privacy policies become inadequate.

There are a few potential options that companies can begin to adopt in order to best prepare themselves for privacy regulations going forward. However, there simply is no right answer, no magic solution to insulate companies from all risk. The suggestions below have their flaws, but in my estimation, they provide additional security for companies facing an uncertain privacy landscape. Finally, though it almost goes without saying, companies must strongly consider layering their privacy measures. Having multiple levels of transfer mechanisms enables companies to continue operations if one mechanism faces legal troubles, and they can save companies from the substantial costs of having to rapidly institute new compliance measures. It would be foolish for cautious firms not to diversify their privacy measures, just as it would be foolish for cautious investors not to diversify their investments.

That said, I will discuss how obtaining consent and utilizing the GDPR Codes of Conduct and Certification are useful privacy protections to layer on top of other transfer mechanisms.

A. Consent

As discussed above, a major goal of the GDPR is to increase transparency and give individuals more of a role in how their data is handled.[184] Because of this, consent is discussed at great length in the GDPR.[185] The notion of consent necessarily depends on providing information to the individual whose data will be transferred. Thus, obtaining consent is a valuable tool for acting in accordance with the spirit of the GDPR and thus (potentially) appeasing privacy officials. Consent, however, is not a perfect solution. Consent must be free and specific.[186] This standard can be difficult to achieve in some situations and may not be in a company’s best interest in other situations. For instance, consent to the transfer of human resource data is problematic in an employer-employee relationship in which there is a clear bargaining advantage for the side receiving the data.[187] For example, if a job offer is conditioned on consent to data transfers, the consent that is received is unlikely to be considered “free.” Also, the GDPR mandates that individuals need to consent to the specific use of their data.[188] Some companies may be using data in ways that may be dissatisfying to its users or customers, which could cause bad publicity. Consent is also limited by the age of the individual whose data is being processed. The GDPR states that the processing of data of individuals younger than sixteen will require parental permission, and it gives member nations the choice to lower this age to thirteen.[189] Because of this, companies—like Facebook—with younger users face real difficulties in obtaining adequate consent.

Nonetheless, this is a very good starting point for many firms. Companies are already required to process data in a manner consistent with a clear purpose.[190] This purpose should be articulable to the individuals whose data is being processed, and so consent should be at least theoretically possible. Finally, the cost and additional burden associated with obtaining consent may be minimal for companies, depending on their specific situations, and proper attempts to obtain that consent will likely be viewed positively by the data protection authorities, who have clearly placed an emphasis on this transfer mechanism.

B. Prepare for the GDPR

During this notably volatile time for data privacy compliance, a company should utilize multiple transfer mechanisms, and beyond this, organizations would be wise to begin preparing to meet the stricter regulations of the GDPR. Updating transfer mechanisms in line with the GDPR is a time–consuming and expensive venture,[191] but it is the single best way to minimize risk during this volatile time. To do this, companies will want to work with data protection authorities and/or hire a data protection officer to revise their current Model Clauses or BCRs in line with what the GDPR expects. Further, companies should consider pursuing Codes of Conduct and Certification. These options allow for a certain level of flexibility and insulation from regulatory charges in the country.[192] Additionally, the EU Commission specifically emphasized using these mechanisms.[193] Using the mechanism may thus show an intention to act in line with the goals of the Commission and engender some goodwill. It is not to say that these must be pursued, but at minimum, they should be considered and evaluated. Moreover, despite the criticisms of Model Clauses and BCRs, they can be viable options when drafted in compliance with the GDPR. What is most important here is that companies take the time to work with data protection officers or agencies to ensure that the mechanisms they plan to utilize are GDPR compliant.

In conclusion, depending on the company’s data processing activities, Model Clauses, BCRs, Informed Consent, and/or Codes of Conduct/Certification may be utilized as viable transfer mechanisms if managed and developed in line with the stricter language of the GDPR. On the other hand, companies relying solely on the Privacy Shield, despite its questionable validity and the fragile state of EU–U.S. affairs, expose themselves to substantial risk, which could prove costly to the greater of €20,000,000 or 4% of annual revenue. That being said, determining the best way to insulate any given company from the risks associated with volatile data privacy laws is incredibly difficult. The best thing a company can do to combat this difficulty is to understand what exactly the GDPR will demand and to prepare accordingly. In the meantime, companies can weather the storm, using their understanding of the GDPR to revise current policies to align with the stricter realities of the future. Ultimately, developing an understanding of the variety of options that can be used, employing different transfer mechanisms based on particular data transfer needs and data types, and being proactive will save a company substantial costs and significantly reduce its risk exposure.

[*] J.D. candidate, University of Southern California Gould School of Law, 2018. I am forever grateful to my best friend and fiancée, Venessa Simpson, for the endless love and support she has provided me throughout college and law school, and to my mom and dad, the most loving, caring, and supportive parents there are; you three are my inspiration and make me want me to be a better person each and every day. Many thanks also to Professor Valerie Barreiro for your guidance and feedback during the note-writing process and to Jonathan Frimpong, Emily Arndt, and James Salzmann for your invaluable and much-needed feedback and editing expertise.

[1]. Luke Harding, How Edward Snowden Went from Loyal NSA Contractor to Whistleblower, Guardian (Feb. 1, 2014, 6:00 A.M.), https://www.theguardian.com/world/2014/feb/01/edward-snowden-intelligence-leak-nsa-contractor-extract.

[2]. Id.

[3]. Id.

[4]. Id.

[5]. See Schrems v. Data Protection Commissioner, Electronic Privacy Info. Ctr. [hereinafter Schrems], https://epic.org/privacy/intl/schrems (last visited Nov. 15, 2017).

[6]. See Harding, supra note 1.

[7]. Id.

[8]. Directive 95/46, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art. 1, 1995 O.J. (L 281) 31, 38 (EC) [hereinafter Directive 95/46/EC]. The Directive has since been replaced by the General Data Protection Regulation (“GDPR”). See Commission Regulation 2016/679, 2016 O.J. (L 119) 1 [hereinafter General Data Protection Regulation]. The GDPR will be addressed in depth in Part III of this Note.

[9]. See Convention for the Protection of Human Rights and Fundamental Freedoms, art. 8, Nov. 4, 1950, 213 U.N.T.S. 221, 230.

[10]. See McKay Cunningham, Complying with International Data Protection Law, 84 U. Cin. L. Rev. 421, 422 (2016).

[11]. See id.

[12]. See Commission Decision of 26 July 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce, art. 1, 2000 O.J. (L 215) 7, 8 [hereinafter Safe Harbor].

[13]. Case C-362/14, Schrems v. Data Prot. Comm’r, ECLI:EU:C:2015:650, http://curia.europa.eu/ juris/document/document.jsf?docid=169195&doclang=EN.

[14]. The EU Model Clauses are also referred to as Standard Contractual Clauses. For convenience, the term “Model Clauses” will be used throughout this Note.

[15]. See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield Draft Adequacy Decision (2016) [hereinafter Opinion 01/2016], http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf.

[16]. Schrems, ECLI:EU:C:2015:650, ¶¶ 73–74, 96.

[17]. U.S. Dep’t. of Health, Educ., & Welfare, No. (OS) 73–94, Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems 41 (1973).

[18]. See id.

[19]. Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (codified as amended at 5 U.S.C. § 552a (2012)).

[20]. Robert Gellman, Fair Information Practices: A Basic History 5 (Apr. 10, 2017) (unpublished manuscript) (https://bobgellman.com/rg-docs/rg-FIPshistory.pdf).

[21]. Gellman, supra note 20, at 5.

[22]. Id. at 10. See also 6 U.S.C. § 142. For further discussion, see infra Part II.

[23]. Gellman, supra note 20, at 6.

[24]. Org. for Econ. Co-operation & Dev., Recommendation of the Council Concerning Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Sept. 23, 1980), reprinted in OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 11 (2002).

[25]. Id. at 14–16. As further proof of the enduring nature of these principles, the OECD reviewed the principles in 2013 in light of the changes over the past thirty years, choosing to maintain the eight principles in their original form. Org. for Econ. Co-operation & Dev., The OECD Privacy Framework 14–15 (2013), http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.

[26]. See Directive 95/46/EC, supra note 8, art. 1, at 38 (“In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”).

[27]. See General Data Protection Regulation, supra note 8, art. 5, at 35–36.

[28]. See Safe Harbor, supra note 12, art. 1, at 8 (describing how companies that self-certify can comply with the Safe Harbor requirements).

[29]. See Kelli Clark, The EU Safe Harbor Agreement Is Dead, Here’s What to Do About It, Forbes (Oct. 27, 2015, 3:30 P.M.), http://www.forbes.com/sites/riskmap/2015/10/27/the-eu-safe-harbor-agreement-is-dead-heres-what-to-do-about-it/#29a319fc7171.

[30]. See id.

[31]. See U.S. Dep’t of Commerce, U.S.-EU Safe Harbor Framework: Guide to Self-Certification 4–10 (2013), https://build.export.gov/build/groups/public/@eg_main/@safeharbor/ documents/webcontent/eg_main_061613.pdf. See also Safe Harbor Fees, Export.gov, https://2016.export.gov/safeharbor/eg_main_020436.asp (last visited Oct. 15, 2017) (“An organization that is self-certifying its compliance with the U.S.-EU Safe Harbor Framework and/or the U.S.-Swiss Safe Harbor Framework for the first time on or after March 1, 2009 must remit a one-time processing fee of $200.00.”)

[32]. See Directive 95/46/EC, supra note 8, art. 25, at 45–46.

[33]. Case C-362/14, Schrems v. Data Prot. Comm’r, ECLI:EU:C:2015:650, ¶ 28, http://curia.europa.eu/juris/document/document.jsf?docid=169195&doclang=EN. See also Schrems, supra note 5.

[34]. See Schrems v. Data Protection Comm’n [2014] IR 75, ¶ 29 (H. Ct.) (Ir.).

[35]. Nora Ni Loidean, The End of Safe Harbor: Implications for EU Digital Privacy and Data Protection Law, 19 No. 8 J. Internet L. 1, 1, 9 (2016) (quoting Schrems, IR 75, ¶ 29).

[36]. Schrems, IR 75, ¶ 69.

[37]. See id. ¶ 71.

[38]. See Case C-362/14, Schrems, ¶ 107.

[39]. Id. ¶ 96.

[40]. Id. ¶ 86.

[41]. See Clark, supra note 29.

[42]. See Opinion 01/2016, supra note 15.

[43]. See European Commission Press Release IP/16/2461, European Commission Launches EU-U.S. Privacy Shield: Stronger Protection for Transatlantic Data Flows (Jul. 12, 2016), http://europa.eu/rapid/press-release_IP-16-2461_en.htm.

[44]. Id.

[45]. Loidean, supra note 35, at 7–12.

[46]. See European Commission Press Release IP/16/2461, supra note 43.

[47]. Id.

[48]. European Commission Statement 16/1403, Joint Statement on the Final Adoption of the New EU Rules for Personal Data Protection (Apr. 14, 2016), http://europa.eu/rapid/press-release_STATEMENT-16-1403_en.htm.

[49]. European Commission Memorandum 15/6385, Questions and Answers—Data Protection Reform (Dec. 21, 2015), http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm.

[50]. European Commission Press Release IP/16/2461, supra note 43.

[51]. See Schrems, supra note 5; Tomaso Falchetta, New ‘Shield’, Old Problems, Privacy Int’l (July 7, 2016), https://www.privacyinternational.org/node/889.

[52]. See Exec. Order No. 13,768, 82 Fed. Reg. 8799 (Jan. 25, 2017). See also infra Part IV.A.

[53]. Schrems, supra note 5.

[54]. Id.

[55]. See General Data Protection Regulation, supra note 8, art. 83, at 82–83. Fines can total up to €20,000,000 or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. Id. at 83.

[56]. Francoise Gilbert, EU General Data Protection Regulation: What Impact for Businesses Established Outside the European Union, 19 No. 11 J. Internet L., May 2016, at 3, 4–6.

[57]. Overview on Binding Corporate Rules, Directorate General for Just. & Consumers, http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm (last visited Nov. 16, 2017).

[58]. Id.

[59]. Id.

[60]. Id.

[61]. Id.

[62]. See Melinda L. McLellan & William W. Hellmuth, Safe Harbor is Dead, Long Live Standard Contractual Clauses?, Data Privacy Monitor (Oct. 22, 2015), https://www.dataprivacymonitor.com/enforcement/safe-harbor-is-dead-long-live-standard-contractual-clauses (summarizing best practices for the usage of Model Clauses following the invalidation of the Safe Harbor Framework by the CJEU).

[63]. See id. See also Model Contracts for the Transfer of Personal Data to Third Countries, Directorate General for Just. & Consumers, http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm (last visited Nov. 16, 2017).

[64]. Data Prot. Unit, Directorate Gen. for Justice and Consumers, Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries 26–28 (2009), http://ec.europa.eu/justice/data-protection/international-transfers/files/international_ transfers_faq.pdf.

[65]. McLellan & Hellmuth, supra note 62.

[66]. Practical Law Intellectual Prop. & Tech., Expert Q&A: EU-US Personal Information Data Transfers (2016), Westlaw W-000-8901.

[67]. Id.; Data Prot. Unit, supra note 64, at 48.

[68]. Cunningham, supra note 10, at 422.

[69]. Directive 95/46/EC, supra note 8, art. 1, at 38.

[70]. See generally Cunningham, supra note 10, at 422 (“Unlike in Europe, U.S. law does not recognize a fundamental right to privacy.”); Loidean, supra note 35, at 8 (stating that the United States has a framework that has “rejected the fundamental rights approach to information privacy”).

[71]. Charter of Fundamental Rights of the European Union, art. 8, 2012 O.J. (C 326) 391, 397. Cf. Bradyn Fairclough, Privacy Piracy: The Shortcomings of the United States’ Data Privacy Regime and How to Fix It, 42 J. Corp. L. 461, 466 (2016) (discussing how in the United States this right is never explicitly stated in the Constitution, and it is only implied to be relevant in certain specific areas).

[72]. Jörg Rehder & Erika C. Collins, The Legal Transfer of Employment-Related Data to Outside the European Union: Is It Even Still Possible?, 39 Int’l Law. 129, 130 (2005) (quoting Directive 95/46/EC, supra note 8, art. 1, at 38).

[73]. Cunningham, supra note 10, at 426–27.

[74]. Id.

[75]. See Gellman, supra note 20, at 6–10.

[76]. Cunningham, supra note 10, at 427.

[77]. Directive 95/46/EC, supra note 8, art. 28, at 47–48.

[78]. See id. art. 25, at 45–46.

[79]. Cunningham, supra note 10, at 426–27.

[80]. See id. at 426–27 (“The Directive set the international standard for data privacy and security regulation and facilitated a trend among technologically advanced countries toward adopting nationalized data privacy laws.”).

[81]. See generally Rehder & Collins, supra note 72, at 132.

[82]. Manu J. Sebastian, The European Union’s General Data Protection Regulation: How Will It Affect Non-EU Enterprises?, 31 Syracuse J. Sci & Tech. L. 216, 225–26 (2015).

[83]. See id.

[84]. See Cunningham, supra note 10, at 422; Fairclough, supra note 71, at 464–66; Loidean, supra note 35, at 8.

[85]. W. Gregory Voss, The Future of Transatlantic Data Flows: Privacy Shield or Bust?, 19 No. 11 J. Internet L. 1, 1, 9 (2016). See also Julie Brill, Commissioner, Fed. Trade Comm’n, Keynote Address at the Amsterdam Privacy Conference, Transatlantic Privacy After Schrems: Time for an Honest Conversation (Oct. 23, 2015), 2015 WL 9684096.

[86]. See Cunningham, supra note 10, at 422–26.

[87]. See id.

[88]. Martin A. Weiss & Kristin Archick, Cong. Research Serv., R44257, U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield 3, 7 (2016).

[89]. Gellman, supra note 20, at 10.

[90]. Fairclough, supra note 71, at 463–66, 476.

[91]. Gellman, supra note 20, at 19–20.

[92]. See generally Rehder & Collins, supra note 72, at 131 (quoting David Scheer, Europe’s New High-Tech Role: Playing Privacy Cop to the World, Wall Street J., Oct. 10, 2003, at A1).

[93]. Marsha Cope Huie et al., The Right to Privacy in Personal Data: The EU Prods the U.S. and Controversy Continues, 9 Tulsa J. Comp. & Int’l L. 391, 392 (2002).

[94]. See generally Uri Friedman, Is Terrorism Getting Worse?, Atlantic (July 14, 2016), https://www.theatlantic.com/international/archive/2016/07/terrorism-isis-global-america/490352 (explaining the rise of terrorist attacks in the period from Operation Iraqi Freedom to the present).

[95]. Harding, supra note 6, at 4–6.

[96]. See Cunningham, supra note 10, at 423.

[97]. Voss, supra note 85, at 10 (quoting Simon Davies, Privacy Opportunities and Challenges with Europe’s New Data Protection Regime, in Privacy in the Modern Age 55, 57 (Marc Rotenberg et al. eds., 2015)).

[98]. White House, Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation, 3–9, 12–14 (2017).

[99]. Kate Kaye, New Privacy Report Already Removed from White House Site, Ad Age (Jan. 20, 2017), http://adage.com/article/privacy-and-regulation/privacy-report-removed-white-house-site/307632.

[100]. See Exec. Order No. 13,768, 82 Fed. Reg. 8799 (Jan. 25, 2017).

[101]. Cunningham, supra note 10, at 422.

[102]. Id. at 423–24. See Gramm-Leach-Bliley Act, Pub. L. 106-102, 113 Stat. 1338 (1999) (codified as amended at scattered sections of 12 U.S.C. (2012)); Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, 110 Stat. 1936 (codified as amended at scattered sections of 18 U.S.C., 26 U.S.C., 29 U.S.C., and 42 U.S.C.); Fair Credit Reporting Act, Pub. L. 91-508, 84 Stat. 1114-2 (1970) (codified at 15 U.S.C. 1681).

[103]. Brill, supra note 85, at 1 (quoting 15 U.S.C. § 45(a)).

[104]. Loidean, supra note 35, at 8.

[105]. Id.

[106]. See Cunningham, supra note 10, at 423.

[107]. Loidean, supra note 35, at 8.

[108]. EU GDPR Portal, http://www.eugdpr.org (last visited Nov. 16, 2017).

[109]. General Data Protection Regulation, supra note 8, at 1.

[110]. Id.

[111]. Gilbert, supra note 56, at 4.

[112]. Id.

[113]. European Commission Statement 16/1403, supra note 48.

[114]. Gilbert, supra note 56, at 4.

[115]. Lawful Processing, Info. Commissioner’s Off., https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider (last visited Nov. 16, 2017).

[116]. General Data Protection Regulation, supra note 8, at 9.

[117]. European Commission Memorandum 15/6385, supra note 49. There is a growing concern over data privacy associated with in-home connected devices and apps, such as Amazon’s Alexa, and health-tracking devices, like Fitbit. For further discussion, see Sarah Kellogg, Every Breath You Take: Data Privacy and Your Wearable Fitness Device, 72 J. Mo. B. 76, 78–81 (2016); Adam R. Pearlman & Erick S. Lee, National Security, Narcissism, Voyeurism, and Kyllo: How Intelligence Programs and Social Norms Are Affecting the Fourth Amendment, 2 Tex. A&M L. Rev. 719, 760–62 (2015).

[118]. Individuals’ Rights, Info. Commissioner’s Off., https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights (last visited Nov. 16, 2017).

[119]. European Commission Memorandum 15/6385, supra note 49.

[120]. General Data Protection Regulation, supra note 8, arts. 4, 7, at 34, 37. Consent is further discussed throughout the GDPR. See id., passim.

[121]. See Gilbert, supra note 56, at 6–7. But see Cunningham, supra note 10, at 437–38.

[122]. Sebastian, supra note 82, at 233.

[123]. European Commission Memorandum 15/6385, supra note 49.

[124]. Id. See also Ann Cavoukian, Privacy by Design: The 7 Foundational Principles (2011), https://www.iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf.

[125]. Sebastian, supra note 82, at 230.

[126]. General Data Protection Regulation, supra note 8, art. 25, at 48.

[127]. Accountability and Governance, Info. Commissioner’s Off., https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance (last visited Nov. 16, 2017).

[128]. Sebastian, supra note 82, at 231.

[129]. Accountability and Governance, supra note 127.

[130]. European Commission Memorandum 15/6385, supra note 49. To understand the potentially massive scope of these penalties, the fines that could be levied against Amazon and Google, based on their 2016 reported revenues, would be approximately $5.4 and $3.6 billion, respectively. Richard Stiennon, Unintended Consequences of the European Union’s GDPR, Forbes (Nov. 27, 2017, 6:26 P.M.), https://www.forbes.com/sites/richardstiennon/2017/11/27/unintended-consequences-of-the-european-unions-gdpr/#46aae406243c,

[131]. Id.

[132]. General Data Protection Regulation, supra note 8, art. 47, at 62–64.

[133]. Gilbert, supra note 56, at 5 (stating that fewer than one hundred companies have sought to use BCRs, despite this option having been available for a decade).

[134]. See Practical Law Intellectual Prop. & Tech, supra note 66.

[135]. General Data Protection Regulation, supra note 8, arts. 46, 93, at 62, 86.

[136]. Gilbert, supra note 56, at 4–5.

[137]. See Directive 95/46/EC, supra note 8, arts. 21, 26, at 44, 46 (outlining the roles of member states in ensuring adequate protection for data transfers and the objections and limits that they may put in place). See also ULD Position Paper on the Judgment of the Court of Justice of the European Union of 6 October 2015, C-362/14 (Oct. 14, 2015), https://www.datenschutzzentrum.de/uploads/ internationales/20151014_ULD-PositionPapier-on-CJEU_EN.pdf (arguing that Model Clauses are an inappropriate transfer mechanism for transfers to the United States, due to direct conflicts between U.S. law and the provisions in the Model Clauses.).

[138]. General Data Protection Regulation, supra note 8, arts. 92–93, at 85–86.

[139]. Cunningham, supra note 10, at 438–40.

[140]. General Data Protection Regulation, supra note 8, art. 40, at 56.

[141]. See Directive 95/46/EC, supra note 8, arts. 25–26, 30, at 45–46, 48–49 (providing language regarding adequacy decisions).

[142]. General Data Protection Regulation, supra note 8, art. 40, at 56.

[143]. Gilbert, supra note 56, at 5.

[144]. General Data Protection Regulation, supra note 8, art. 40, at 57.

[145]. See generally id. art. 42, at 58–59.

[146]. Compare id. with id. art. 40, at 56.

[147]. Report from the Commission to the European Parliament and the Council on the First Annual Review of the Functioning of the EU–U.S. Privacy Shield, at 4, SWD (2017) 344 final (Oct. 18, 2017) [hereinafter Report on the First Annual Review]; Grant Gross, Tech Companies Like Privacy Shield but Worry About Legal Challenges, PCWorld (Dec. 21, 2016, 3:00 AM), http://www.pcworld.com/article/3152559/security/tech-companies-like-privacy-shield-but-worry-about-legal-challenges.html.

[148]. Doron S. Goldstein et al., Understanding the EU-US “Privacy Shield” Data Transfer Framework, 20 No. 5 J. Internet L. 1, 1, 21 (2016).

[149]. Privacy Shield Timeline, PrivacyTrust, https://www.privacytrust.com/privacyshield/ privacy-shield-timeline.html (last visited Nov. 16, 2017).

[150]. Reuters, Trump Election Ignites Fears over U.S. Encryption, Surveillance Policy, Fortune, (Nov. 9, 2016), http://fortune.com/2016/11/09/trump-encryption-surveillance-policy.

[151]. Yoni Heisler, A Comprehensive Look at All of Donald Trump’s Positions on Technology Issues, Boy Genius Rep. (Oct. 19, 2016, 10:53 A.M.), http://bgr.com/2016/10/19/donald-trump-politics-technology-opinions.

[152]. See Exec. Order No. 13,768, 82 Fed. Reg. 8799 (Jan. 25, 2017).

[153]. Jan Philipp Albrecht (@JanAlbrecht), Twitter (Jan. 26, 2017, 1:45 AM), https://twitter.com/ JanAlbrecht/status/824553962678390784.

[154]. Natasha Lomas, Trump Order Strips Privacy Rights from Non-U.S. Citizens, Could Nix EU-US Data Flows, TechCrunch (Jan. 26, 2017), https://techcrunch.com/2017/01/26/trump-order-strips-privacy-rights-from-non-u-s-citizens-could-nix-eu-us-data-flows.

[155]. See Report on the First Annual Review, supra note 147, at 4. For additional discussion, see Kaye, supra note 99.

[156]. European Commission Press Release IP/16/2461, supra note 43.

[157]. See Commission Implementing Decision 2016/1250, 2016 O.J (L 207) 1, 13–20 (EU).

[158]. See id. at 28–29 (explaining that the ombudsperson is supposed to be independent from the U.S. intelligence agencies and is in charge of following up on complaints and enquiries from individuals regarding potential privacy violations).

[159]. See id. at 27–29, 71.

[160]. See Loyens & Loeff, Digital Rights Ireland Challenges EU-US “Privacy Shield,” Lexology (Nov. 4, 2016), http://www.lexology.com/library/detail.aspx?g=5055de04-e2d7-4b0b-9bbe-789a4a97b318; Reuters, French Privacy Groups Challenge the EU’s Personal Data Pact with U.S., Fortune (Nov. 2, 2016), http://fortune.com/2016/11/02/privacy-shield-pact-challenge.

[161]. See Opinion 01/2016, supra note 15, at 9–14.

[162]. See generally Voss, supra note 85 (discussing how the Privacy Shield came about and what it is meant to do).

[163]. See Steven C. Bennett, EU Privacy Shield: Practical Implications for U.S. Litigation, 2 Prac. Law., Apr. 2016, at 60, 62–64.

[164]. Goldstein et al., supra note 148, at 20 (discussing the Privacy Shield requirements and implications for participating organizations).

[165]. See Cunningham, supra note 10, at 426–28; Gilbert, supra note 56, at 4–5.

[166]. See ULD Position Paper, supra note 137.

[167]. Id., at 4.

[168]. See DSK Position Paper (Oct. 21, 2015), https://www.datenschutz-hamburg.de/fileadmin/ user_upload/documents/DSK_position_paper_Safe-Harbor_2015-10-21.pdf.

[169]. Matt Burgess, Facebook Privacy Case Is Making Its Way to the European Court of Justice, Wired (Sept. 13, 2016), http://www.wired.co.uk/article/facebook-privacy-eu-case-cjeu.

[170]. Id.

[171]. Darren Isaacs, Practical Strategies for Maintaining HR Data Flows from Europe to the US and Beyond—After the Schrems Case, ‘Safe Harbor 2.0’ and the Incoming Data Protection Regulation, 1 Emp. & Indus. Rel. L. 33, 33, 35 (2016).

[172]. ULD Position Paper, supra note 137, at 4. See also Gross, supra note 147.

[173]. See Commission Decision 2001/497/EC, app. 2, 2001 O.J. (L 181) 19, 22, 30 (EC).

[174]. Overview on Binding Corporate Rules, supra note 57. See also Cunningham, supra note 10, at 439–40.

[175]. See Cunningham, supra note 10, at 440; Gilbert, supra note 56, at 5.

[176]. See Gilbert, supra note 56, at 5.

[177]. Sebastian, supra note 82, at 242.

[178]. DSK Position Paper, supra note 168, ¶ 2.

[179]. Gilbert, supra note 56, at 5.

[180]. See General Data Protection Regulation, supra note 8, art. 47, at 63.

[181]. See id.

[182]. European Commission Statement 16/1403, supra note 48.

[183]. Alex Hickey, 6 Months to GDPR: What’s Next, CIO Dive (Nov. 28, 2017), https://www.ciodive.com/news/6-months-to-gdpr-whats-next/511761.

[184]. See European Commission Statement 16/1403, supra note 48.

[185]. See General Data Protection Regulation, supra note 8, passim.

[186]. See id., arts. 4, 6–8, at 34, 36–38.

[187]. See Isaacs, supra note 171, at 35.

[188]. General Data Protection Regulation, supra note 8, art. 6, at 37.

[189]. Gilbert, supra note 56, at 4.

[190]. General Data Protection Regulation, supra note 8, at 6–7.

[191]. See Pulse Survey: GDPR Budgets Top $10 Million for 40% of Surveyed Companies, PwC, https://www.pwc.com/us/en/increasing-it-effectiveness/publications/general-data-protection-regulation-gdpr-budgets.html (last visited Nov. 29, 2017) (finding that 40% of companies that have completed their GDPR preparations have spent more than $10 million).

[192]. See General Data Protection Regulation, supra note 8, art. 40, at 56–58. See also Gilbert, supra note 56, at 3–5.

[193]. See Gilbert, supra note 56, at 3–5.

The Second Amendment and Private Law – Article by Cody Jacobs

July 2017February 2018Southern California Law Review Admin

From Volume 90, Number 5 (July 2017)
DOWNLOAD PDF

The Second Amendment, like other federal constitutional rights, is a restriction on government power. But what role does the Second Amendment have to play—if any—when a private party seeks to limit the exercise of Second Amendment rights by invoking private law causes of action? Private law—specifically, the law of torts, contracts, and property—has often been impacted by constitutional considerations, though in seemingly inconsistent ways. The First Amendment places limitations on defamation actions and other related torts, and also prevents courts from entering injunctions that could be classified as prior restraints. On the other hand, the First Amendment plays almost no role in contractual litigation, even when courts are called on to enforce contractual provisions that directly restrict speech. The Equal Protection Clause was famously interpreted to bar the enforcement of a racially restrictive covenant in Shelley v. Kraemer, but in the years since, courts have largely limited that case to its facts.

This Article reconciles these disparate outcomes to develop a coherent theory of the role constitutional rights play in private law. The Article argues that three guideposts inform whether constitutional rights are applied to limit private law: (1) whether the private law cause of action threatens the core of a constitutional right, (2) whether placing a constitutional limitation on private law would impair other constitutional rights, and (3) whether the private law imposition on constitutional rights was freely bargained for. The Article then applies this framework to the individual Second Amendment right recognized in District of Columbia v. Heller by examining several areas where the right to keep and bear arms could intersect with private law, including negligent entrustment, products liability, and trespass.

90_945

An Ocean Apart: The Transatlantic Data Privacy Divide and the Right to Erasure – Note by Paul J. Watanabe

July 2017February 2018Southern California Law Review Admin

From Volume 90, Number 5 (July 2017)
DOWNLOAD PDF

This Note argues that fragmented free expression laws across European member states and data controllers’ ability to select their reviewing supervisory authority give U.S. data controllers latitude to exploit the privacy-expression balance in favor of the U.S. prioritization of expression. Whereas the current literature revolving around the right to be forgotten and the GDPR focuses on reconciling and converging transatlantic values of privacy and free expression, this Note examines the mechanisms of the European Union’s assertion and imposition of privacy values across the Atlantic through the right to be forgotten and the right to erasure and describes weaknesses in the GDPR that may undermine those mechanisms.

Part I outlines the diverging paths that led to the rift in data protection policy. Part II details how the experimental implementation of the Google Spain right to be forgotten preliminarily exported the European privacy scheme across the Atlantic, previewing the potential impact of the GDPR’s right to erasure. Part III outlines the provisions of the GDPR that thwart the right to be forgotten as a tool of imposing EU privacy values on U.S. data controllers. The Conclusion prophesies the ultimate effects of the Regulation on American privacy values, given the Regulation’s flaws.

90_1111

Get a Warrant: A Bright-Line Rule for Digital Searches Under the Private-Search Doctrine – Note by Dylan Bonfigli

January 2017February 2018Colleen Bazak

From Volume 90, Number 2 (January 2017)
DOWNLOAD PDF

A girlfriend hacks her boyfriend’s computer and discovers evidence of tax evasion. She contacts a local law enforcement officer who arrives at her house and looks at the files she found. Without a warrant, the officer opens other files in the same folder the girlfriend had searched. The officer notices another folder labeled “xxx.” He opens the folder and discovers child pornography. The officer seizes the computer based on what he found. The boyfriend is indicted for possession of child pornography and tax evasion. Before trial, the boyfriend moves to suppress all evidence obtained pursuant to the officer’s warrantless search of the computer. What evidence should the judge suppress?

The answer turns on the Fourth Amendment’s private-search exception. Under this exception, a government agent may recreate a search conducted by a private individual so long as the agent does not “exceed the scope” of the prior private search. The question under the existing framework is: at what point did the officer exceed the scope of the prior search—if at all? Was it when he viewed files the girlfriend had not viewed, when he opened files in a different folder, or did he stay within the scope of the girlfriend’s search by only searching the computer’s hard drive? This is what I will refer to as the denominator problem, which asks what courts should use as the unit of analysis to measure the scope of a digital search.

There are at least four competing approaches to the denominator problem, discussed in Part II, and the Supreme Court has provided little guidance on how the private-search doctrine applies to digital searches, resulting in a circuit split. Until this issue is resolved, law enforcement has little guidance on when to obtain a warrant following a private search and can unknowingly subject individuals to unreasonable invasions of privacy, which may result in suppression of relevant evidence. One recent example is United States v. Lichtenberger.

90_307

Introduction

I. Robotaxis Today

A. Technologies

B. Economics

Market Structure

Cost Structure

Deployment

C. Potential for Wider Adoption

D. Regulation

Safety Regulation

Service Regulation

II. Curbing Externalities

A. Externalities and Mode Choice

B. Pollution

C. Wear-and-Tear

D. Congestion

E. Privacy

III. Protecting Riders

A. Promoting Competition

Competition and Safety

Open Entry

Lock-in Contracts

B. Preserving Autonomy

Transparent and Rider-Neutral Fares

Emergency Planning

IV. Redesigning Mobility

A. Liberating Land

B. Refocusing Transit

C. Expanding Access

People with Low Incomes

People with Disabilities

Sparsely Populated Areas

Conclusion

99 S. Cal. L. Rev. 603

INTRODUCTION

I. THE ARRIVAL OF KIDFLUENCERS

A. A Brief History of Stage Mothers

B. Reality Television Bridges the Gap from Film and Television to the Internet

II. REGULATING THE LABOR OF KIDFLUENCERS

A. Existing Labor Regulations for Child Entertainers

1. Federal Measures for Child Workers: The Fair Labor Standards Act

2. SAG-AFTRA, States’ Approaches & the Coogan Law

3. When Does the Home Become a Set?

B. New Efforts: Expanding Child Labor Regulations to Cover Kidfluencers

A. Privacy Regulations for Children as Users Online

Existing and Proposed Federal Regulations for Children Online

i. The Children’s Online Privacy Protection Act of 1998

ii. COPPA 2.0

2. Online Platforms’ User Age Restrictions

B. Relevance and Current Limitations of the Common Law Rights of Privacy and Publicity

C. Falling Through the Gaps: Protecting Kidfluencers’ Privacy

1. Kidfluencing’s Unique Threat to Privacy

2. Adapting COPPA 2.0 and the Necessity of a Right to Removal

IV. THE SOLUTION—FEDERAL LABOR AND PRIVACY PROTECTIONS AND REQUIRING SOCIAL-MEDIA PLATFORMS TO ENFORCE KIDFLUENCER RIGHTS

A. Section 230 and Techlash

B. Contributory Liability as a Basis for Platform Enforcement

CONCLUSION

99 S. Cal. L. Rev. 449

From Volume 91, Number 1 (November 2017) DOWNLOAD PDF

From Volume 90, Number 5 (July 2017) DOWNLOAD PDF

From Volume 90, Number 5 (July 2017) DOWNLOAD PDF

From Volume 90, Number 2 (January 2017) DOWNLOAD PDF

From Volume 91, Number 1 (November 2017)
DOWNLOAD PDF

From Volume 90, Number 5 (July 2017)
DOWNLOAD PDF

From Volume 90, Number 5 (July 2017)
DOWNLOAD PDF

From Volume 90, Number 2 (January 2017)
DOWNLOAD PDF