Software Manufacturer Denied Section 230 Immunity–Hardin v. PDX

Just like patients should always read the labels before taking a new drug, courts should always read the Section 230 precedent before denying the immunity. Photo credit: medicine directions // ShutterStock

Hardin suffered significant personal injuries due to the drug Lamotrigine. Hardin bought the drug from the grocery store Safeway’s pharmacy department. She claims that Safeway provided her with a partially redacted “monograph,” the lengthy “drug information pamphlet” that pharmacies provide customers along with their drugs, and that she would not have taken the drug if she had seen the redacted information.

The monographs are prepared by Wolters Kluwer Health, Inc. (WKH), which licensed the monographs to a PDX-affiliated company, NHIN. PDX provides pharmacies with software to access and distribute the monographs as part of a more comprehensive pharmacy management solution. Historically, PDX offered pharmacies both a full monograph (8 paragraphs) and a truncated monograph (5 paragraphs, omitting the headings “Before Using This Medication,” “Overdose,” and “Additional Information”). In 2005, in response to regulatory developments, PDX eliminated pharmacies’ access to truncated monographs. However, allegedly Safeway asked PDX to customize its software so Safeway could continue using truncated monographs; and PDX allegedly prepared that customized software version as Safeway requested–but only after obtaining a release of liability and indemnity from Safeway (which, if it works, would mean that Safeway is the real party-in-interest in this ruling).

I’ve not encountered this particular information network before, but it sounds like a pretty standard walled garden that works as follows:

Content publisher (WKH) -> content database aggregator (NHIN) -> customized software provider to access the proprietary content database (PDX) -> pharmacy (Safeway) -> customer (Hardin)

Hardin sued all of the above players and more. WKH exited the lawsuit on an anti-SLAPP motion. Hardin asserts that PDX became part of the liability chain for her injuries due to its “negligent undertaking.” The trial court denied PDX’s anti-SLAPP motion, and the appellate court affirmed.

Among other defenses, PDX asserted Section 230. NHIN just republished WKH-prepared monographs, and PDX just provided software that enabled Safeway’s access to NHIN’s database. On the surface, this appears to be a paradigmatic Section 230 case. The appellate court disagrees (emphasis added):

PDX’s claim that section 230 of the federal Communications Decency Act (47 U.S.C. § 230, hereinafter CDA) immunizes it from liability for providing electronic access to WKH monographs is also unpersuasive. “The CDA provides that (1) ‘[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider’ and (2) ‘[n]o cause of action may be brought and no liability may be imposed under any State or local rule that is inconsistent with this section.’ [Citation.] Section 230(f)(2) defines ‘interactive computer service’ as ‘any information service, system, or access software provider that provides or enables computer access by multiple users to a computer service, including specifically a service or system that provides access to the Internet[.]’ An ‘information content provider’ is ‘any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.’ [Citation.] ‘Congress clearly enacted § 230 to forbid the imposition of publisher liability on a service provider for the exercise of its editorial and self-regulatory functions.’” (Anthony v. Yahoo! Inc. (N.D.Cal.2006) 421 F.Supp.2d 1257, 1262 (Anthony).)

Hardin’s claim against PDX does not arise from its role as the software or service provider that enabled Safeway to access the WKH Lamotrigine monograph. Hardin sued PDX because it intentionally modified its software to allow Safeway to distribute abbreviated drug monographs that automatically omitted warnings of serious risks. As the trial court found, “this is not a case in which a defendant merely distributed information from a third party author or publisher.” PDX cites, and we are aware of, no case holding the CDA to have immunized a defendant from allegations that it participated in creating or altering content. (See Anthony, supra, 421 F.Supp.2d at pp. 1262–1263.) “One need look no further than the face of the statute to see why. The CDA only immunizes ‘information provided by another information content provider.’ (47 U.S.C. § 230(c)(1).)” (Id. at p. 1263.)

On the one hand, this looks like a bad Section 230 loss. PDX is being held liable for third party content. On the other hand, this could be an example where a republisher’s edits make third party content tortious. Recall the Roommates.com example:

However, a website operator who edits in a manner that contributes to the alleged illegality—such as by removing the word “not” from a user’s message reading “[Name] did not steal the artwork” in order to transform an innocent message into a libelous one—is directly involved in the alleged illegality and thus not immune.

I can see an argument how PDX contributed to the alleged illegality by omitting the headings “Before Using This Medication,” “Overdose,” and “Additional Information,” which converted the WKH-supplied monographs from accurate to incomplete.

Nevertheless, this ruling has a troubling undertone. PDX’s culpability is based on how it programmed its software, and plaintiffs routinely try to work around Section 230 by arguing websites could have programmed their software to handle third party content differently. Section 230 shouldn’t turn on such software programming decisions. For example, Google programs its software to display search results snippets, and as we just saw in the O’Kroley case, Google isn’t liable for any ambiguous implications that might ensue. Dating websites aren’t liable for failures to warn about the presence of criminals on the site, and social networking websites aren’t liable for designing their networks to not prevent adults from messaging underage kids, even if it leads to sexual predation.

This case implicitly subverts those arguments, exposing the software manufacturer to liability for third party content (the monograph) because of the way the software was programmed to access it. Plaintiffs would love to have a “negligent undertaking” exception to Section 230, but the uncited Barnes v. Yahoo case (which would have been a far more credible cite in this case than the obscure Anthony case) seemingly shut that argument down. This ruling opens the door again, at least a little.

Putting Section 230’s equivocal application aside, I’m still stuck on the premise that the full monograph disclosures (rather than the truncated version) would have changed any patient’s behavior. I don’t have any reason to doubt Hardin, and I’m sure some patients read the monographs carefully. However, I’m pretty sure the vast majority of patients rely exclusively on their doctor and pharmacist to orally flag any potentially bad drug interactions or other risks. This case reminded me a little of the wild LinkedIn ruling that customers might have dropped LinkedIn if LinkedIn’s privacy policy had disclosed that it didn’t salt its passwords. While theoretically possible, it takes an incredibly rare plaintiff to make that argument credibly. I recognize my skepticism would apply across a wide swath of failure-to-warn cases, but we keep getting more evidence questioning the efficacy of regulatorily-driven disclosures.

Case citation: Hardin v. PDX, Inc., 2014 WL 2768863 (Cal. App. Ct. June 19, 2014).