What is Section 230 of the Communications Decency Act?

Both consequences would discourage free online speech and innovation on the internet. Section 230 is often credited for enabling social media companies, search engines, and cloud storage systems to be as successful and integrated into society as they are today.

Section 230 of the Communications Decency Act prevents courts from viewing interactive computer service providers as “publishers” in cases involving content published by third-party information content providers (“ICP”s). The text of Section 230(c)(1) states that:

“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

Section 230(c)(1) classifies interactive computer service providers and users (“ISP”s) as intermediaries and grants them broad immunity from liability for content published on their services by third-parties. What is more, Section 230 enhances an ISP’s oversight power over content published on their platforms without considering them publishers of the objectionable content and making them liable for a third-party’s unlawful content.

Without the broad immunity provided by Section 230, ISPs, including Google and social media sites such as Facebook, Twitter, or YouTube, could be liable for every message or post made using their services. This would make it very costly for these websites to allow users to publish content on their services. It would also cause many of these services to shut down or lead to most websites heavily restricting user internet speech.

Courts use a three-prong test to determine if the CDA provides an ISP defendant immunity.

• First, the defendant must be a provider or user of an interactive computer service.
• Second, the plaintiff’s cause of action must view the defendant as the “publisher” or “speaker” of a harmful statement.
• Third, the harmful information was provided by another information content provider, other than the defendant.

If all three prongs are met, then the defendant is protected by the CDA and immune from legal liability.

Likewise, in Smith v. California, 361 U.S. 147, 152-153 (1959), the Supreme Court considered a bookseller a distributor, because a bookseller may not be aware of the contents of every book in his shop. To impose liability on every bookseller as though they published the content could lead the seller to strictly inspect all materials sold, which isn’t very practical and would eventually restrict the public’s access to materials and have a chilling effect on speech. A publisher plays an active role in the publication whereas a distributor plays a more passive role.

The problem with the internet was determining the line between when an ISP was publishing its own material or merely distributing material published by third-parties.

Publishing activity generally goes beyond merely allowing a post to be viewable on a website, and requires that an ISP affirmatively acted or otherwise exercised editorial control over the content published on a website. The more editorial control an ISP exercises over its website, the more it will open itself to liability for what was published on their services. See Stratton Oakmont, Inc. v. Prodigy Services Co., 1995 N.Y. Misc. LEXIS 712.

Stratton Oakmont, Inc. v. Prodigy Services Co.

In Stratton Oakmont, an anonymous user posted to Prodigy Services’ Money Talk bulletin board alleging that Stratton Oakmont, an “over the counter” securities brokerage founded by the infamous ‘Wolf of Wall Street’ Jordan Belfort, committed fraudulent and criminal acts in association with an initial public offering (“IPO”). Stratton Oakmont then sued Prodigy Services and the anonymous poster for defamation.

The plaintiffs argued that Prodigy Services was a publisher of the defamatory content and should be held liable for defamation. Prodigy argued that the case should be dismissed on the grounds that they could not be held legally liable for content published by third-parties. The Court ultimately found that Prodigy was in fact a publisher because they exercised editorial control over the messages in their bulletin board by:

• Posting content guidelines for users;
• Enforcing content guidelines with ‘Board Leaders’; and
• Removing objectionable and offensive language via screening software.

The Court reasoned, “PRODIGY’s conscious choice, to gain the benefits of editorial control, has opened it up to a greater liability than CompuServe and other computer networks that make no such choice.”

The decision in Stratton Oakmont encouraged ISPs to stop controlling or reviewing what content was published on their services because it opened them up to greater liability. Section 230 of the CDA was specifically enacted to overturn the court’s decision in Stratton Oakmont and to encourage ISPs to exercise oversight in-house, rather than subjecting them to liability for every statement published by a third-party using their services.

Supporters of Section 230 argue that it protects free speech rights on the internet and minimizes the cost and burden of having to engage in lengthy litigation for millions of unmeritorious claims made against ISPs. They also argue that Section 230 encourages ISPs to self-regulate content without being overly pressured by the constant threat of lawsuits based on any potential post made using their services.

Section 230 immunity provides an all-encompassing defense to a myriad of potential civil claims and, thus, only requires the ISP to prove a single defense rather than having to combat each claim individually. This limits costs and allows courts to efficiently dispose of or sustain those claims. Without Section 230 protection, supporters contend that ISPs would be encouraged to censor user speech out of fear that they could be opening themselves up to lawsuits. Censorship of user speech could ultimately offend the core principles of the First Amendment.

Opponents of Section 230 argue that it puts plaintiffs with meritorious claims at a disadvantage and with limited or no other means of recovering for injuries suffered as a result of online content. They argue that courts have interpreted CDA immunity too broadly in protecting ISPs, especially when in traditional circumstances, outside of cyberspace, they would be liable for facilitating illegal activity.

For example, a physical magazine or newspaper that published nude photos or clearly defamatory gossip submitted by readers could be liable for that content. But under Section 230, websites who knowingly host the same content cannot be found liable. The original purpose of the CDA and Section 230 was to immunize ISPs who wanted to restrict access to objectionable and offensive material, rather than provide a safe harbor for ISPs to host unlawful content published by third-parties.

Opponents also argue that Section 230 immunity does not necessarily protect free speech rights but rather facilitates harassment and other unlawful forms of speech that would not otherwise be protected.

Hate speech, for instance, has proliferated the internet and can be directly linked to mass shootings committed in the U.S. in the last five years. But because of broad First Amendment protections regarding political opinions, hate speech is not generally considered illegal unless it directly incites violence. Tech companies and ISPs like 8chan are protected under Section 230 from any liability for hate speech. So long as the content is not illegal, they have no incentive to regulate hate speech published on their websites that could possibly lead to mass shootings or other hate crimes.

Section 230 immunity is particularly controversial with regard to sex trafficking cases and other online sexual victimization cases. The internet quickly became an easy way to commit, facilitate, and promote sex trafficking on a national and international scale, sometimes through the use of mainstream websites such as Facebook and Craigslist.

While many of the mainstream websites did work to block content related to sexual victimization after the CDA was enacted, websites like Backpage.com could not be held liable for enabling sex trafficking and victimization on their websites because of the broad scope of Section 230 immunity. A case in the Texas state court system against Facebook is currently being litigated to determine the scope of Section 230 immunity after the FOSTA exception was enacted in 2017.

For further information about Online Extortion and Sextortion, see How to Deal With Sextortion on the Internet.

The CDA does not provide ISPs immunity in all circumstances. Courts have found exceptions to Section 230 immunity where an ISP is directly involved with unlawful activity. If an ISP edits a published statement, materially alters its meaning, and the altered statement is defamatory then the ISP is not immune from a claim based on that statement. If the ISP creates or develops illegal activity, they cannot claim CDA immunity under Section 230. In certain circumstances, an ISP’s promise to remove content and subsequent failure to do so may waive their immunity under Section 230(c)(2).

As a direct response to cases upholding Section 230 immunity with websites like Backpage.com that aided and abetted online sexual victimization, Congress signed the “Allow States and Victims to Fight Online Sex Trafficking Act” (FOSTA) in 2017.

Fight Online Sex Trafficking Act

FOSTA makes it illegal for websites to knowingly assist, facilitate, or support sex trafficking and allows sex trafficking victims to bring civil claims against them, irrespective of Section 230 immunity. Some argue that FOSTA goes too far in removing Section 230 immunity because it does not distinguish between consensual sex work conducted online and nonconsensual sex trafficking.

Critics also argue that it places a large burden on internet companies to regulate user content to prevent any suspected sex trafficking activity. This was a monumental blow to the immunity bestowed on ISPs for content posted to their platform under the CDA. As of June, 2020, it has not yet been widely tested in courts.

Criminal & Intellectual Property Infringement Claims

Additionally, Section 230 immunity only applies to cases involving civil liability. It does not protect ISPs against criminal prosecutions. ISPs can, therefore, be prosecuted for criminal forms of online harassment such as:

• Extortion,
• Sextortion,
• Revenge porn,
• Online stalking, and
• Intellectual property infringement.

But, it does generally bar civil claims of relief for those same actions. So while a prosecutor can criminally indict and convict an ISP for illegal behavior, the victims of harassment may not have a civil avenue to recover damages resulting from the ISP’s criminal conduct.

Product Liability

CDA protections in product liability cases may also be limited. In 2019, the Third Circuit held in Oberdorf v. Amazon.com that negligence and strict liability claims based on defective products sold on Amazon.com did not seek to treat Amazon.com as a publisher or speaker of information and, therefore, the CDA did not bar the plaintiff’s claims.

The plaintiff had bought a defective dog collar through Amazon produced by a third-party vendor and sought to hold Amazon liable for their role as a “seller” or actor in the sales process. Because Amazon plays a large role in sales transactions, such as by selling or distributing products, beyond merely advertising products on its website or other editorial functions, the plaintiff could pursue a claim of product liability. But Amazon was immunized by the CDA to the extent that the claims alleged Amazon failed to provide or edit warnings about the use of products sold on its site.

Possible Damages

If an ISP falls into one of the exceptions listed above, or if the ICP of unlawful content is identifiable, then a plaintiff may recover damages from a civil claim against them. The type and amount of damages vary depending on the type of claim and factual circumstances of the case. Common types of collectible damages include:

• Special damages;
• General damages;
• Punitive damages.

Special Damages

Specific damages are quantifiable monetary losses suffered from the date of the defendant’s unlawful act up to a certain time typically determined at trial.

Special damages can include:

• Lost wages,
• Medical bills,
• Damage to property, or
• Other quantifiable losses suffered by the plaintiff.

General Damages

Also called “compensatory damages”, general damages are not able to be quantified in monetary terms. General damages are to account for pain and suffering as a result of the harm.

For example, if a plaintiff suffers emotional or mental anguish as a result of failure to remove a post, not quantifiable by other means, they may be entitled to recover general damages.

Punitive Damages

Punitive damages are awarded specifically to punish a defendant for unlawful conduct. In most jurisdictions, punitive damages may be recovered in negligence actions. However, punitive damages may generally only be recovered if the plaintiff shows that the defendant acted recklessly, rather than merely with ordinary negligence.

In defamation suits, for example, reckless behavior means that the defendant knew or should have known the statement was false before it was published.

In re Facebook, et al.

One is In re Facebook, et al., filed in Texas state court, and is based on allegations that Facebook provides a platform for sexual predators to exploit and extort children into sex trafficking. The plaintiffs were all minors, one as young as 13, who became connected with sexual predators on Facebook and Instagram.

Social media company and tech giant Facebook moved to dismiss the claims under Section 230 immunity for state civil claims, but the plaintiffs argue that the new exception provided by FOSTA allows their civil claims.

On April 28, 2020, the Fourteenth District Court of Appeals denied Facebook’s request for relief and dismissal of the claims. In 2021, Facebook appealed their ruling to the Texas Supreme Court. The Court held that the Communications Decency Act did bar the victims’ claims of state negligence, gross negligence, negligent-undertaking, and products-liability. However, the CDA did not bar the victims’ claims under the Texas human trafficking statute. In re Facebook, Inc. 625 S.W.3d 80, 101 (Texas 2021).

Malwarebytes, Inc. v. Enigma Software Group USA, LLC

The U.S. Supreme Court may consider a 9th Circuit case considering the breadth of Section 230(c)(2) immunity. Malwarebytes, Inc. v. Enigma Software Group USA, LLC involves the question of whether Section 230 immunizes ISP decisions to filter or block content when driven by anti-competitive motives and, thus, whether a software or internet company can claim that CDA immunity in a false advertising suit. Enigma alleges that Malwarebytes configured its software to block users from accessing Enigma’s security software to divert Enigma’s potential customers.

The 9th Circuit held that providers cannot claim Section 230(c)(2) immunity when the provider restricts content and finds it objectionable because it is the product of a business competitor. This decision puts a limit on Section 230 immunity and would allow ISP liability for unfair competition claims.

Malwarebytes submitted a petition for a writ of certiorari to the U.S. Supreme Court on May 11, 2020. Their petition for a writ of certiorari was subsequently denied.

Hassell v. Bird

Section 230 immunizes ISPs from court orders, as well as lawsuits naming them as defendants. Hassell v. Bird, 5. Cal. 5th 522 (2018) was a case of online defamation that was published on Yelp.com by an ICP. However, unlike in traditional cases involving Section 230 immunity, Yelp was not named as a defendant or alleged to have acted as the publisher of the defamatory review.

Rather, the plaintiff sought and received a court order compelling Yelp to remove certain consumer reviews published on its website. Yelp challenged the judgment, arguing they were immunized from complying under Section 230.

The Supreme Court of California agreed with Yelp and reversed the judgment. They held that Section 230 protected Yelp from having to remove the reviews because the order treated Yelp as the publisher of information under Section 230(c)(1). Even though Yelp was not named as a defendant, the removal order sought to overrule Yelp’s decision to publish the reviews. And, since an ISP’s relevant conduct in a defamation case goes “no further than the mere act of publication…Section 230 prohibited” the court order compelling Yelp to make an editorial decision.

Herrick v. Grindr

An ISP is also immune under the CDA if it provides app features that could be used to engage in unlawful behavior. Herrick v. Grindr, 765 Fed Appx. 586 (2nd Cir. 2019) involved a plaintiff whose ex-boyfriend created Grindr profiles to impersonate and harass him. The plaintiff argued that Grindr was negligent, failed to warn users, and engaged in deceptive business practices because it did not design safety features to its app to prevent that behavior.

The Second Circuit held that the plaintiff’s claims were barred under Section 230 because the claims sought to view Grindr as a publisher and were based on its editorial decisions. To the extent that the claims were based on app features that were used to harass the plaintiff, the claims were also barred.

Under Section 230, an ISP cannot be held responsible for providing the means for harassment to occur unless it “assisted in the development of what made the content unlawful and cannot be held liable for providing neutral assistance in the form of tools and functionality available equally to bad actors and the app’s intended users.”