Cloudflare Defeats Lawsuit Over Nonconsensual Intimate Imagery (NCII) on Facebook–Doe v. Cloudflare

This is a putative class action lawsuit. The named plaintiff provided intimate images to her then-fiance, who (after the breakup) created fake Facebook profiles of the plaintiff and uploaded her intimate images without consent (turning the images into NCII). She requested Facebook remove the images, and when that didn’t happen, she got the local sheriff’s office to serve a search warrant on Facebook, allegedly demanding removal of the images. (That doesn’t sound like how search warrants work, but perhaps we’d analogize the search warrant to another notice that the content is NCII.) The opinion doesn’t say when Facebook removed the images.

Cloudflare provides content delivery network (CDN) services to Meta/Facebook. The plaintiff claims the images remained on Cloudflare months after she demanded their removal from Facebook. The opinion doesn’t indicate if the plaintiff tendered a notice directly to Cloudflare or when (if ever) Cloudflare knew/should have known that the images were NCII. Plus, even if the plaintiff had submitted a takedown notice to Cloudflare directly, Cloudflare would have simply forwarded it to Facebook because Cloudflare can’t remove the images from Facebook’s site.

Note how this lawsuit is trying to impose tertiary liability on Cloudflare: Alleged wrongdoer = ex-fiance. Supporter to wrongdoer = Facebook. Supporter to supporter to wrongdoer = Cloudflare as service provider to Facebook. I have repeatedly expressed my concerns about potential tertiary liability. Nevertheless, some courts have illogically implied that a tertiary defendant may be liable for the primary wrongdoing and may not qualify for Section 230, even if the secondary defendant might qualify for Section 230.

Despite the ongoing swiss cheese-ification of Section 230, this case ends up being a fairly straightforward Section 230 dismissal for Cloudflare.

Publisher/Speaker Treatment

The plaintiff argued that because Cloudflare doesn’t have the ability to remove the images, Cloudflare didn’t make any publication decisions and thus wasn’t being treated as a “publisher or speaker.” (The court doesn’t explore the obvious problem when the plaintiff admits that Cloudflare lacked the ability to redress the problem.) The court responds that, per Doe v. Twitter, Section 230 applies to any content dissemination, which Cloudflare does.

Cloudflare Doesn’t Become an Information Content Provider if It’s Also an Access Software Provider 

Cloudflare claimed to be an access software provider per Section 230(f)(4). The plaintiff tried a bizarre argument that, by invoking that characterization, Cloudflare admitted it had become an information content provider of the NCII. I didn’t understand this argument, and I don’t think the court did either.

Instead, the court treats this argument as an attempted Roommates.com workaround, which does not succeed: “Not only did Cloudflare not encourage the development of the content, but it had no ability to directly remove it from Facebook. Instead, like GoDaddy, Cloudflare merely provided access to content created by a third party, which is activity protected under section 230.”

IP Exception to Section 230

Although presumably the plaintiff owned the copyrights to the selfies she sent to her ex-fiance, she did not allege copyright infringement, which would have been excluded from Section 230 per the statutory exception for IP claims. Instead, the plaintiff advanced claims per the Violence Against Women Act Reauthorization Act of 2022 § 1309, 15 U.S.C. § 6851. A § 6851 claim is not an IP claim. Cite to Doe v. X, which said “the statute under which Plaintiff sues—§ 6851—is not an intellectual property law.”

How Might the Take It Down Act Apply?

The court didn’t discuss the Take It Down Act, but it seems highly relevant to this case. [Note: there isn’t supposed to be a private right of action in the Take It Down Act, but I’m sure plaintiffs will try to manufacture one anyway.]

Per the Take It Down Act, Facebook would have to remove the images within 48 hours of receiving notice.

I can’t tell if Cloudflare would be governed by the Take It Down Act when it’s acting as a CDN. A “covered platform” is either:

  • a platform that “primarily provides a forum for user-generated content.” This does not apply to Cloudflare because it’s a B2B service to such forums.
  • a platform “for which it is in the regular course of trade or business of the website, online service, online application, or mobile application to publish, curate, host, or make available content of nonconsensual intimate visual depictions.” I’m not sure if this definition is meant to cover every website or app that might have a stray depiction of nonconsensual intimate visual depictions (this would be every UGC site that permits video or graphics, and it might apply to Cloudflare as a “host”), or if the definition only reaches platforms that focus on such content, like the old “revenge porn” websites.

The definition of “covered platform” excludes IAPs, email service providers, and a service that “consists primarily of content that is not user generated but is preselected by the provider.” I don’t think a CDN clearly fits into any of those exclusions. So does Cloudflare have to comply with the Take It Down Act? ¯\_(ツ)_/¯

If Cloudflare is a covered platform, I don’t see how Cloudflare could comply. As a CDN, it doesn’t have the ability to remove individual items. Now what? Would Cloudflare have to block all of Facebook each time it receives a Take It Down Act takedown demand covering an item on Facebook?

Case Citation: Doe v. Cloudflare, Inc., 2026 WL 1805000 (N.D. Cal. June 23, 2026)
