Regulatory Landscape for Humanoid Robots (2026)

Humanoid robots – machines that look or act like people – are becoming much more common in workplaces and public spaces. International reports note there are millions of factory robots in use worldwide (ifr.org). As robots move around warehouses, shops, and public areas with cameras and sensors, many rules must be followed. These include machine safety and electrical certification laws, as well as privacy laws (for cameras, microphones, and face data). Below we review the main rules in key regions (Europe, the USA, etc.), explain privacy rules (like GDPR and CCPA), and give a compliance checklist.

Safety and Certification Standards by Region

European Union (EU)

In the EU, robots are treated as “machines” under law. New robots must meet the EU Machinery Directive (currently 2006/42/EC) and carry the CE mark to be sold or used (www.haufe.de). CE marking means the manufacturer has followed all required safety directives. For example, a CE-marked robot must have a Declaration of Conformity signed by the maker, pledging it meets EU rules (www.haufe.de). Key EU safety and certification requirements include:

• Machine Safety: The Machinery Directive and the upcoming EU Machinery Regulation (2023/1230) set strict safety rules. Robots must be designed to prevent injuries. Manufacturers use standards like ISO 12100 (risk assessment) and ISO 10218/ISO/TS 15066 (robot safety) to show compliance. A common example is requiring an emergency stop system and safe speed limits (www.evsint.com) (www.evsint.com). In fact, EU insurance firms often require documented compliance with these standards before covering a robot (www.evsint.com).
• Electrical Safety (Low Voltage Directive): Robots with electrical parts (motors, wiring) also fall under the EU Low Voltage Directive (2014/35/EU). They must be built to prevent shocks or fires. Conformity is usually shown by testing to standards like EN 60204-1.
• Electromagnetic Compatibility (EMC): Robots with electronics must meet the EMC Directive (2014/30/EU). This ensures the robot won’t interfere with other equipment, and isn’t overly sensitive to outside signals. For example, EMC testing checks the robot’s motors or Wi-Fi don’t cause radio noise.
• Radio and Wireless (RED): If a robot has wireless radios (Wi-Fi, Bluetooth, cellular, or other spectrum), it must meet the EU Radio Equipment Directive (2014/53/EU). That means getting type approval or certification for the radio modules. In practice, many robot makers buy pre-approved WiFi/BLE modules (with CE) and include them with proper labeling.
• Waste and Batteries: New EU rules (2023 Battery Regulation) require robots with batteries to meet specific eco-design and recycling standards. That includes labeling batteries and providing information on disposal. (For example, Tesla’s planned “Optimus” humanoid would need to provide recycling details for its batteries.)

Beyond CE marking, EU law also imposes workplace safety rules. For example, the EU’s general Work Safety Directive (89/391/EEC) requires employers to do a risk assessment whenever they introduce new equipment like robots. That means they must ensure the robot is integrated safely in the work area (with guards, training, etc.).

United Kingdom

After Brexit, the UK largely mirrors EU rules for safety. Robots in Great Britain now need the UKCA mark (UK Conformity Assessed) instead of CE (CE is still allowed until early 2025 for many products). The underlying requirements are almost the same: machines must be safe and producers must sign a declaration. UK law channels EU directives into British law, so design and testing standards are similar to the EU. In Northern Ireland, CE marking with the UKNI suffix is used.

For radio equipment, the UK follows its own Radio Equipment Regulations 2017 (updated 2025), which are very close to the EU RED. That means Wi-Fi and Bluetooth on robots must be certified under the UK system.

United States

The US has a different approach. There is no single “CE-equivalent” for all machines, but there are various rules:

• Occupational Safety and Health (OSHA): OSHA sets requirements for dangerous machinery. There is no robot-specific OSHA rule, but general machine safety standards apply (e.g. 29 CFR 1910.212 on machine guarding). OSHA publishes guidelines on robotics safety, emphasizing hazard analysis and protective measures (www.osha.gov). In practice, companies often follow ANSI/RIA R15.06 (USA’s robot safety standard) to ensure OSHA compliance. For example, an assembly-line computer vision robot must have physical barriers or speed limits to meet these guidelines.
• Electrical Safety: For electrical safety, many robots get tested by Nationally Recognized Testing Laboratories (NRTLs) like UL or ETL. UL 1740 is a certification standard for “robots and robotic equipment.” A UL listing isn’t legally required by OSHA, but many employers demand it for insurance. Similarly, motor controllers and power supplies inside robots often need a UL or CSA (Canada) approval.
• Electromagnetic and Radio: In the US, the Federal Communications Commission (FCC) regulates electromagnetic emissions. A robot with Wi-Fi or Bluetooth must have an FCC ID under Part 15 (unlicensed devices). For example, many service robots list their FCC ID in the manual. The FCC ensures the radio doesn’t interfere with other users. Similarly, if robots use radiofrequency for other purposes, they must comply with FCC rules or get Special Temporary Authority (STA) if out of normal bands.
• State Regulations: There is no federal privacy law like GDPR, but some states have data rules (more below). OSHA’s General Duty Clause also requires employers to keep workplaces safe, which can include safe robot operation.

Other Regions

• Canada: Follows standards similar to the US. Robotics equipment needs to be safe, often tested to UL or CSA standards. Radio use falls under ISED (formerly Industry Canada) rules (Type Approval). Workplace safety is governed by provincial regulations and Health Canada guidelines, which mirror OSHA in spirit.
• Asia: Many countries have their own rules. Japan uses JIS (similar to ISO) standards and requires good manufacturing practice. In China, robots may need CCC (China Compulsory Certification) for certain components, and the MIIT sets rules on radio use. China’s standardization committees are also drafting a national standard for humanoid robots (e.g. “Safety Requirements for Humanoid Robots – Part 1: General Safety” (std.samr.gov.cn)). India recently released a robotics safety framework. In general, compliance often means following global standards (ISO, IEC) plus local approvals.

In all regions, workplace safety remains crucial. Even if the robot itself is certified, the final installation requires a risk assessment. For example, if a warehouse deploys a humanoid robot, the integrator must ensure emergency stops work, workers are trained, and any barriers or sensors are in place. Many companies follow the principle that each collaborative robot cell should meet at least the requirements of ISO 10218-2 and ISO/TS 15066 (even in the US).

Data Privacy and Surveillance Considerations

Humanoid robots often have cameras, microphones, and even face/voice recognition. These devices collect personal data whenever humans are nearby. Key privacy laws to consider are the EU’s GDPR, the California Consumer Privacy Act (CCPA/CPRA), and various biometric laws (like Illinois’s BIPA).

• Video and Audio Capture: Under GDPR (EU), any image or voice that can identify a person is personal data (robotomated.com). Even if the robot is just navigating, its video of employees or customers is covered. Companies must have a legal basis for this data. In workplaces, “legitimate interest” is often used (the robot needs sight to function), but the robot maker or operator must do a Data Protection Impact Assessment (DPIA) if it means large-scale monitoring (robotomated.com). This DPIA should consider rope-like factors (e.g. analyzing what happens if the footage is leaked, and how to minimize it). In public places (shops, streets), GDPR usually requires transparency or even consent (robotomated.com). If a robot patrols a mall, visitors should be informed they’re being recorded.

• Biometric Data: Many humanoid robots use face or voice recognition. Under GDPR, biometric data used to identify individuals is a special category. Processing it usually needs explicit consent or very specific legal grounds. In the US, Illinois’s BIPA law is one of the strictest: it requires written consent before collecting fingerprints or faceprints (robotomated.com). Some states (Texas, Colorado, Washington) have new biometric provisions, often requiring policies or opt-in. Even if GDPR or CCPA don’t directly ban face ID, these laws mean a robot scanning faces for identity asks for extra caution. (For example, an employee-training robot that recognizes workers’ faces to personalize help would need clear notice and agreement.)

• Data Retention and Storage: GDPR demands data be kept “no longer than necessary.” Robot vendors should set retention limits for video/audio. For instance, raw camera footage could be auto-deleted within hours after processing, storing only metadata (like occupancy counts). Robotomated notes that robots should define and enforce retention periods for their data (robotomated.com). In practice, some facilities keep a rolling buffer (e.g. 24-72 hours) in case of security incidents, then delete old files. Any long-term storage (like for analytics) should be anonymized.

• Cross-Border Transfers: If robot data leaves the region (e.g. an EU robot sending footage to a US cloud), GDPR’s transfer rules apply. That means using approved protections (EU-UK data bridge, Standard Contractual Clauses, etc.) (robotomated.com). The California rules (CCPA) don’t specifically restrict overseas storage, but require notice if data is “sold”. Generally, a robot operator should pick local data centers if possible, or ensure contracts cover privacy.

• Public Space vs. Private Facilities: Rules differ if the robot is in a public area (like a shopping mall or street) versus a private workspace (a factory floor). In the EU/UK, video surveillance in public spaces requires visible signs. For example, France’s CNIL says any camera filming the public (street, mall) must be signposted with a camera symbol and contact info for the data controller (www.cnil.fr). The sign must say why the video is there (purpose), who’s collecting it, and data subject rights. Inside a company (private workplace), signage is still good practice, but explicit consent isn’t always needed – instead the robot could operate under “legitimate interest” with internal company notices.

  • In short, a robot working behind closed doors (only filming employees) can rely on company policies and labor privacy rules. But a robot in a mall corridor is effectively surveilling the public and must follow stricter notice/consent rules (robotomated.com) (www.cnil.fr). In the US, there is no federal CCTV notice law, but some states have camera laws (e.g. audio recording laws vary; robot makers must ensure any recording beeps or signs if required by local law).

• Consent and Notice: Both GDPR and CCPA require transparency. Under GDPR, if footage is personal data, the operator must inform people (a sign or policy). Robotomated advises that camera-equipped robots must have “notice at collection” under CCPA too (robotomated.com) (e.g. telling users on signs or websites that data is being gathered). Some workplaces handle this by employee training. Laws like BIPA effectively require very explicit consent for biometric scans.

In summary, privacy considerations for humanoids include treating their sensors like CCTV: mapping out all data collected, minimizing it (blur faces if not needed), running DPIAs, and posting clear notices. Ignoring these rules can cost: GDPR fines up to 4% of global revenue, CCPA violations thousands per person, and BIPA has led to massive lawsuits (robotomated.com) (robotomated.com).

Checklist and Audit Cadence

Before deploying a humanoid robot, make a compliance checklist to gather evidence of meeting all rules:

• Safety and CE/FCC Documentation:

  • CE Mark: Copy of the CE mark certificate or Declaration of Conformity for the robot (Machinery Directive). Ensure it lists any applicable directives (e.g. LVD, EMC, RED).
  • Technical File: The risk assessment, design standards (ISO 10218, 12100, etc.), test reports, and instructions (English/EU languages). (EU law requires keeping this file for 10 years (www.wanve.net).)
  • Radio Cert: If the robot uses radio, keep FCC or ISED certification reports for each module.
  • Electrical Safety: Any UL/NRTL reports or LVD test certificates.

• Workplace Integration:

  • Risk Assessment: A document showing how you evaluated hazards (from machine moving or falling objects). Include safe speed settings, emergency stops, guards, and human-robot separation measures. For collaborative robots, note how collision forces were assessed.
  • Training Records: Proof that staff were trained on the robot (e.g. operating manuals reviewed, safety briefing attendance).
  • Maintenance Logs: Records of regular inspections (e.g. every 6 months, check brakes/sensors).
  • Incident Reports: A system to log any safety incidents or near-misses involving the robot.

• Privacy Compliance:

  • Data Map: Spreadsheet of all data types the robot collects (video, audio, location, biometric). Note which are personal or sensitive.
  • DPIA: If in EU or large-scale, a completed Data Protection Impact Assessment covering video capture and other sensors.
  • Policies and Notices: A privacy policy describing use of cameras/AI in human language. Copies of any signs (camera icons) posted. Sample consent forms if used.
  • Retention Schedule: A table defining how long each data type is kept (e.g. “raw video: 48 hours”). Evidence that old data is routinely deleted (e.g. automated purging setup).
  • Contracts: Signed Data Processing Agreements with any cloud vendors or AI service providers involved with the robot, ensuring GDPR/CCPA compliance.

• Periodic Audit Plan:

  • Self-Assessment Frequency: Aim to review compliance at least annually. Each year, verify CE/UL certifications are still valid (or if the robot hardware changed), re-run any machine risk analysis if the robot’s use changes, and review privacy settings.
  • Update DPIA & Training: Update the DPIA if new sensors are added or the robot’s duties change. Retrain staff if procedures change.
  • Audits: Conduct internal audits (or have a consultant) every year to walk through the checklist again. For high-impact robots (e.g. those filming public spaces), consider more frequent checks (semi-annually).
  • Incident Response Drills: Test what happens if data is breached or a robot malfunctions. Document these drills.

By keeping this evidence on file, a company can show regulators that “we did everything by the book”. This includes not only the robot’s technical certifications but also documentation of all policies, training, and reviews. Remember that rules evolve – for example, the new EU AI Act and updated OSHA guidance might add requirements soon.

In summary, deploying a humanoid robot in 2026 requires careful preparation. Meeting machine safety and radio laws (CE/FCC) and protecting people’s data are both crucial. But with the right planning—following checklists, posting notices, and auditing regularly—robot users can stay compliant.