JTIP Blog

Every school day, millions of parents wave goodbye as their kids get on a bus or into a carpool to head to school. Now fast-forward 20 years and replace the driver with an autonomous driving system. Will parents be comfortable letting their kids get in that vehicle? Should a 15-year-old be able to order a ride in an autonomous vehicle (AV) without parental consent? How about a 9-year-old?

Increasing mobility for those unable to drive is an important benefit of AVs. Experts and academics are exploring how to design AVs to be kid-friendly (and parent approved) given the technical and non-technical issues that can emerge when a child rides solo. Proposed features include two-way audio communication, seatbelt checks, and the ability to monitor the vehicle remotely. However, each new feature also raises a myriad of new questions or concerns around cybersecurity, authorizing access, overriding decisions, emergency interventions, and more.

While protecting riders’ and other road users’ physical safety is the foremost concern, AV riders’ privacy, and especially minors’ privacy, also deserves attention. The FTC’s recent $170 million settlement with YouTube for violation of the Children’s Online Privacy Protection Act (COPPA,15 U.S.C. §§ 6501–6505) highlighted concerns about minors’ online privacy and content access. COPPA protects those under 13 years of age from “unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.”

At first glance, AVs seem outside the scope of COPPA. However, the law defines “online service” broadly. AVs are similar to other examples of online services in the FTC’s guidance such as internet-enabled location-based services and Internet of Things devices. Furthermore, AV companies should recognize the wealth of personally identifiable information that these vehicles collect on their riders, which will include children under the age of 13 and categories of information covered by COPPA:

• User Information: e.g., name, addresses, contact details.
• Geolocation Data: e.g., start/end point, route, and time travelled.
• Voice/Facial Recognition, Imaging, and Biometrics: e.g., verifying compliance with company policies (ex: cleanliness) and monitoring wellness.
• Passive tracking: e.g., browsing data from devices using on-board Wi-Fi.
• Financial/Payment Information: e.g., credit card numbers

Most uses of this information by AV companies comply with COPPA and seem in line with societal expectations of privacy, for example rider authorization and customizing the vehicle to its user’s preferences (temperature, radio station, and seat position).

However, AV companies might be tempted to make the same mistake as YouTube by marketing the information it has on its riders, knowing that some of its riders are protected by COPPA. For example, an AV company that infers a child’s favorite pizza restaurant based on analysis of his family’s past trips could sell this data to the restaurant or accept payment to intentionally take routes that passes by the restaurant. These applications may violate COPPA’s protections on disclosure of a minor’s identifiable information to third parties for any purpose.

AV companies interested in the “collection, use, and/or disclosure of personal information from children” for allowable ends under COPPA require verifiable parental consent. However, meeting the requirements of COPPA raises additional challenges:

• How is age verified?
• How and when is verifiable parental consent obtained?
• Is consent needed each time a minor under age 13 enters an AV, or just once?
• Does an adult’s consent to monitoring apply if he or she is riding with a minor?
• If AVs are fleet-based, does consent in one vehicle apply to the whole fleet?
• While there are broad exceptions in the rule for contextual advertising and user safety, what is the extent of these for riders in AVs?

These challenges will be compounded by state-level privacy rules, most notably the California Consumer Privacy Act (CCPA), which can require actual knowledge of a user’s age or place greater restrictions on the collection and use of data.

Even with parental consent, how data from AVs is managed and analyzed merits further consideration. For example, the Supreme Court’s decisions in US v. Jones andUS v. Carpenter (and other cases at lower levels) highlighted how location data can reveal or be used to infer one’s most intimate and sensitive personal information. Even anonymized and aggregated location data disassociated from the rider, regardless of age, is re-identifiable at high levels of accuracy when combined with other data sets. Therefore, an AV company required to share data with a city or state government (as is increasingly required and allowed under COPPA) that then makes this data publicly available could rightfully be concerned that their users’ identities can be determined.  

Without additional clarity, AV operators may find it easier to place age restrictions on ridership, limiting these vehicles’ social utility. Unfortunately, these restrictions may also incentivize cheating or lying. For example, Uber and Lyft’s policies say that passengers under the age of 18 must be accompanied by an adult, yet enforcement is loose. Furthermore, future design concepts see vehicles becoming platforms for third-party application integrations and partnerships, similar to the app store on cellphones, some of which would target minors.

Therefore, to unlock the medium and long-term benefits of AVs for minors, lawyers and policymakers must recognize AVs are not just vehicles; AVs are directly connected to a broader ecosystem of technologies and policy areas. Especially as new regulations around privacy and the internet are considered, lawyers and regulators must recognize and account for the new era of connected products, like AVs, that will be affected.

Doug Lavey is a third-year student at Northwestern Pritzker School of Law.