This case is a different lawsuit against Classpass, this time over unredeemable Classpass credits. Despite the unmistakable message from the Ninth Circuit that TOS formation screens should be reviewed exactingly, Judge Orrick of the N.D. Cal. district seems to be living in the past. He surprisingly holds that Classpass successfully formed its TOS and sends the case to arbitration. Why did Classpass succeed here when it failed last year at the Ninth Circuit? (If you expect a logical and sensible answer to that question, you must be new to the blog).

* * *

The named plaintiff, Blackburn, navigated through three relevant TOS formation screens. The opinion never precisely identifies which one successfully formed the TOS. It seems like all three did?

(The TOS contained an arbitration clause that everyone agrees applies to this lawsuit if the TOS was properly formed).

Blackburn created her Classpass account in 2019 by navigating this screen and choosing the option to continue with her Facebook credentials (the 2019 Sign Up Screen):

A few days later, in the next screen, she acquired her subscription membership through Classpass’ refer-a-friend program (which entitled her to additional credits) (the 2019 Checkout Screen):

In 2023, Blackburn reactivated her Classpass membership by navigating this screen (the 2023 Reactivation Checkout Screen):

Everyone seems to accept the court’s characterization that all three screens are “sign-in-wraps.” That turns us over to the now-familiar three-part test for evaluating sign-in-wrap formation.

Element 1: Reasonably Conspicuous Notice

Blackburn challenged the 2019 Login Screen’s visibility on three grounds:

• It was part of a 5-screen signup sequence. The court responds “the screens are not cluttered and follow a logical flow.”
• The TOS offer was the smallest font size on the screen. The court says it was the same size as other fonts on the screen.
• The TOS offer language was below the “Continue with Facebook” button she clicked. The court says “the “Terms of Use” is bolded, underlined, and in traditional hyperlink blue. That offsets any real concern that a reasonably prudent Internet user would not know or be aware that those hyperlinks existed just below the “Continue with Facebook” button.”

The court is also OK with the 2019 Checkout Screen visibility. The court acknowledges the TOS offer language in grey font, but says the:

text is still visually set apart from the other font that appears on the screen, despite the fact that it does not appear in blue font….

the hyperlinks are denoted by a bolded light grey font and underline, sufficiently contrasting the white background. Further, the “large text block[]” to which Blackburn refers is actually a two-sentence paragraph separated in space by the one-sentence paragraph denoting the Terms of Use, which makes the presentation of the Terms of Use hyperlink even more noticeable

The court is similarly OK with the 2023 Reactivation Checkout Screen visibility:

The text referring to the Terms of Use is once again just above the commitment button, written in light grey, but bolded font, and while not denoted in traditional hyperlink blue, is set apart from the rest of the text on the screen such that its presence draws the eye. The primary difference between the 2023 Reactivation Checkout Screen and the 2019 Checkout Screen, as Blackburn points out, is that the 2023 Reactivation Checkout Screen includes a black and bolded pronouncement to the user that “you’ll automatically be charged for a full-priced monthly credit plan subscription” and includes, in blue and underlined hyperlinked font, access to information about which Fees may apply. Those decisions to add additional notice of specific terms do not take away from ClassPass’s efforts to make the Terms of Use conspicuous by setting them apart in bolded, underlined font, in a separate paragraph with font color that contrasts the white background.

Element 2: Transaction Context

The Ninth Circuit punted on this factor in Chabolla (wrongly, IMO, because it’s clearly intended to create a long-term subscription), so this court does too. This court adds: “unlike in Chabolla, Blackburn took the additional step and created a ClassPass account by logging in with her Facebook account.”

Element 3: Manifestation of Assent

“Blackburn clicked a button after being presented with a hyperlink to the Terms of Use.”

The court distinguishes Chabolla:

in Chabolla, there was no indication that a user was ever signing up. Here, at the top of the 2019 Sign Up Screen there is a heading that unambiguously reads in bold lettering: Sign up

Blackburn pointed out that in the 2019 Signup Screen, the disclosures inconsistently and ambiguously refer to both “the” TOS and “our” TOS. The court responds that the argument “makes no sense. If a user is signing up through a preexisting Facebook account, that user must have necessarily already agreed to be bound to any Terms of Use or other terms of Facebook. It is not ambiguous to a reasonable Internet user signing up for an account or membership with ClassPass, even by way of Facebook, that any newly presented Terms of Use are those of ClassPass, not Facebook.”

With respect to the 2023 Reactivation Checkout Screen, Blackburn pointed out that the TOS offer language referred to “the” button but there were two buttons below it. The court responds:

“the” in the context of the 2023 Reactivation Screen must mean “either,” because a user attempting to access the 45 free Credits can only click one button to do so, or as the 2023 Reactivation Screen denotes, “the button.”

Normally, “the” connotes a singular reference. Here, the court reads it to connote plural references.  ¯\_(ツ)_/¯

In a footnote, the court says: “I do agree with Blackburn that the 2019 Checkout Screen’s language (“By clicking the Redeem now button, I agree to the Offer Terms and Terms of Use . . .”) is curious because it leaves out whether a user who chooses to pay using G Pay is likewise bound. But a reasonable Internet user would likely understand that payment using either method would bind the user to the visibly hyperlinked Terms of Use and it is clear that Blackburn manifested assent via the 2019 Sign Up Screen and 2023 Reactivation Screen in any event.”

Implications

I view the Chabolla and Godun opinions as companion cases. They came out just a couple of months apart, and they both took highly skeptical approaches to online TOS formation. Remarkably, this court doesn’t cite Godun even once. That is a conspicuous omission.

To me, this ruling is another reminder of how TOS formation analysis has descended into Calvinball. As Judge Bybee warned in dissent in the 9th Circuit Chabolla case: “minor differences between websites will yield opposite results….That sows great uncertainty in this area.” Here, comparing this lawsuit to Chabolla, we have the exact same defendant and similar formation processes from around the same historical time period, yet Classpass gets TOS formation when the Ninth Circuit denied it last year. The outcome appears to flip based on tiny differences.

I will also note how many of the court’s assessments turn fundamentally on consumer expectations, except the court doesn’t cite a shred of empirical evidence about what consumers think. The missing empiricism plays a major role in the Calvinball phenomenon.

If the court had been inclined to do so, it could have picked apart each screen and found deficiencies in each. After all, that’s what the Ninth Circuit did in its Chabolla case. Some examples:

• In the 2019 Signup Screen, the TOS offer language refers to “sign up with Facebook” and the button says “continue with Facebook.” Plus, there is a second “sign up” button lower on the screen that the court ignores even though it matches the TOS offer language. All of this may sound ticky-tack, but…in the Chabolla case, the court rejected a screen where the TOS offer said “I agree to” and the button said “redeem now,” and in the Godun case, one of the screens failed because the TOS offer said “I agree” and the button said “connect now.”
• In the 2019 Checkout Screen, the TOS offer language is stacked below a large paragraph of offer terms, and it appears to be a slightly smaller or lighter font than those. The court could say that reasonable consumers would spot it anyway, but that’s an empirical question without empirical support. Many other courts would have treated the text block as so monolithic that no sentence stood out.
• The 2023 Reactivation Confirmation Screen had the text block problem plus (as the court discussed) the imprecision of a reference to “the” button when there were two button options.

To be fair, I don’t necessarily support courts doing this degree of ticky-tack pixel policing. However, that level of exactitude drove the Chabolla and Godun decisions.

The screenshots at issue all predate the Chabolla and Godun decisions. Today, there’s no excuse for weak sign-in-wraps like this. I expect you to do better. The courts will expect that too.

As Judge Bybee said in dissent in Chabolla, “Our decision today will drive websites to the only safe harbors available to them, the clickwrap or scrollwrap agreements.” Want to opt-out of the TOS formation Calvinball? Take the certainty of clickwraps over the chaos of sign-in-wraps.

Case Citation: Blackburn v. Classpass USA Inc., 2026 WL 962734 (N.D. Cal. April 9, 2026)

The post Remember When the Ninth Circuit Rejected Classpass’ TOS Formation? About That…–Blackburn v. Classpass appeared first on Technology & Marketing Law Blog.

Weiss v. Google LLC, 2026 WL 733788 (Cal. App. Ct. March 16, 2026)

Weiss’ business started running financial services ads on Google in 2015. Google suspended the ads multiple times, until Google issued a final suspension in 2024. The court says Section 230 protects Google’s suspension decisions.

The court starts with standard context-setting: “California’s appellate courts and federal courts have also generally interpreted section 230 to confer broad immunity on interactive computer services.”

The court continues:

Weiss seeks to adjudicate Google’s characterization of his business and its decision to suspend its ads. However, this conduct, i.e., Google’s “refusal to allow certain content on its platform,” is “typical publisher conduct protected by section 230” regardless of the reason for that refusal….

even if Google’s characterization of Weiss’s advertisements does not align with Weiss’s characterization, section 230 still affords Google immunity from liability for its decision to suspend his content…

all the content Weiss claims Google wrongfully suspended was admittedly created by Weiss, not Google…

Google’s determination that Weiss’s ads violated its general policies is not equivalent to contributing to the ads’ content.

In a footnote, the court adds: “Weiss seeks to hold Google liable for its enforcement of its own general policies, rather than a breach of a specific promise.”

When the dust settles, this becomes just another failed lawsuit over account terminations and content removals.

A reminder of the content moderation dilemma Google faces here. A few courts have said that Facebook doesn’t qualify for Section 230 protection for running scammy ads (e.g., Forrest v. Facebook). As a result, Google has good reason to suspend Weiss’ ads to manage its own liability exposure. At the same time, if Weiss succeeded with his claims here, then Google would have been potentially liable for removing ads based on Google’s fears that they are scammy. This would force Google to deploy a Goldilocks version of content moderation: Google would have to get its ad removal policy “just right,” with potential liability for mistakes in either direction. An impossible challenge.

Thompson v. The Meet Group, 2026 WL 730134 (E.D. Pa. March 16, 2026)

Thompson said Tagged deactivated his livestreaming account and stole $10k from him.

For reasons that aren’t obvious to me, Tagged defended on Section 230(c)(2)(A) grounds instead of 230(c)(1). Maybe this has something to do with trying to navigate around the abysmal Anderson v. TikTok case? EDPa courts are bound by that decision.

The court says Tagged can’t establish the 230(c)(2)(A) defense elements on a motion to dismiss: “application of CDA immunity in this case requires assessment of facts that are not in the pleadings—such as the reason why Thompson’s account was disabled and the content of Thompson’s posts.” Also, Thompson’s allegations of theft might defeat 230(c)(2)(A)’s good faith prerequisite. Cites to Smith v. TRUSTe and e-ventures v. Google.

No matter, the case fails anyway. (Another example of Section 230 not being the only reason why lawsuits lose). The court says the plaintiff had no property interest in his social media account that could be converted (cite to Eagle v. Morgan). The plaintiff’s TOS breach claim fails multiple ways, including the TOS’s reservation of termination rights and damages waiver.

So this becomes yet another failed lawsuit over account terminations, just not due to Section 230. You already know this, but if you’re a defendant in these cases, you should be focusing on 230(c)(1), not 230(c)(2)(A).

Gehringer v. Ancestry.com Operations Inc., 2026 WL 734526 (N.D. Cal. March 16, 2026)

Plaintiffs are individuals who have not subscribed to the Ancestry.com service and have not consented to the use of their name or photograph. They allege Ancestry not only includes their yearbook information on a searchable database, but also utilizes their likenesses as part of advertisements for Ancestry.com services…

Plaintiffs contend Ancestry used their likeness in three forms of “advertising”: 1) publication of the yearbook information on a database that contains a paywall for certain features; 2) dissemination of emails to potential Ancestry.com subscribers, noting Ancestry Hints® can expand their family tree, and using the names and images of Plaintiffs as examples; and 3) an Ancestry free trial program that allows potential subscribers to access Plaintiffs’ yearbook information for a limited time.

The court nixes claims over category #1 and #3 ads due to copyright preemption.

As for the category #2 ads:

Plaintiffs allege Ancestry crafted email advertisements that included their likenesses to encourage potential customers to subscribe to Ancestry’s service. The email advertisements were not created by a third-party user of Ancestry.com—Ancestry authored the content, and as such, it is “responsible, in whole or in part, for the creation” of that offending content. To avoid this conclusion, Ancestry attempts to recast the allegations in the First Amended Complaint, asserting Ancestry merely “republish[es] yearbook photos taken and first published by Esperanza High School.” But as the screenshots in the Complaint confirm, the emails sent by Ancestry to prospective users include far more than republished images of Plaintiffs; they incorporate those images into an advertisement for the Ancestry Hints® functionality and Ancestry’s subscription service. Drawing all inferences in Plaintiffs’ favor, Section 230 does not immunize Ancestry against liability for the content of the alleged email advertisements

Notice that Ancestry’s ad creation practices go further than Facebook’s sponsored stories, which also didn’t qualify for Section 230 protection.

State v. Sharak, 2026 WI 4 (Wis. Supreme Ct. Feb. 24, 2026)

Google scanned Sharak’s Google Photo uploads, identified what it thought was CSAM, and submitted a CyberTip. Sharak argued that Google was conducting the search on the state’s behalf. The court disagrees and upholds Sharak’s conviction.

That isn’t unusual. What’s more unusual is the court’s discussion of Section 230. “Rauch Sharak argues that [Section 230(c)(2)’s safe harbor] encourages ESPs to scan for CSAM by granting immunity to ESPs that moderate content and creating civil and criminal liability if ESPs do not scan for CSAM.”

The court responds:

Though § 230(c) may grant immunity to ESPs that choose to scan for CSAM, it does not require, reward, or incentivize scanning for CSAM in the first place. Moreover, § 230(c)(2)(A) grants immunity for “any action voluntarily taken in good faith to restrict access to” obscene material, which sweeps far more broadly than would be required to induce Google’s CSAM scan at issue here….

Even if the statutes encourage Google to scan for CSAM or provide a law-enforcement purpose, Rauch Sharak has not shown that they are enough to turn Google into an instrument or agent of the government.

Alice Rosenblum v. Passes Inc., 2026 WL 711837 (C.D. Cal. Feb. 3, 2026)

[The fact allegations are based on the court’s summary of the complaint.] Passes is a competitor to OnlyFans. Unlike its rivals, Passes allows 15-17 year olds to create accounts with parental consent. Guo is the CEO, and Celestin is a content acquisition specialist. At Guo’s direction, Celestin personally reached out to 17-year-old Alice Rosenblum to create a Passes account. Celestin did a photoshoot of Rosenblum and (with Guo’s help) created a Passes account for her without requiring parental consent.

“Over the next month, while Plaintiff was still 17 years old, Celestin and Ginoza [another Passes employee] allegedly directed Plaintiff to create sexually explicit images and videos of herself….the FAC provides over 14 examples of child sexual abuse material (“CSAM”) involving Plaintiff, being marketed on the Passes platform for $69 to $4,000. Furthermore, Passes agents posing as Plaintiff allegedly communicated via direct message to “big spenders” to continue to market and sell CSAM involving Plaintiff.”

The court rejects Passes’ and Guo’s Section 230 defense:

Section 230 immunity plainly does not apply to Plaintiff’s claims. To be sure, Plaintiff does largely seek to hold Passes Defendants liable as providers of an interactive computer service, and several allegations treat Passes as a publisher, as they involve Passes’ distribution of CSAM involving Plaintiff…Plaintiff alleges that Passes and its agents were directly responsible for the creation and portrayal of the CSAM on the Passes platform: Plaintiff alleges that Celestin, acting as an agent of Passes, personally took at least one photo of Plaintiff which was uploaded to Passes, and further instructed her to create specific photographs and videos and upload them to Passes, which he later marketed under specific captions and sold. Plaintiff further alleges that Passes itself hosted a banner featuring a sexually explicit photo of Plaintiff, which marketed CSAM involving Plaintiff. Plaintiff therefore seeks to hold Passes liable for harm allegedly arising out of its own creation of harmful content.

Passes claimed that Celestin and Ginoza were third parties, but “As alleged, Celestin was
not merely another third-party user of Passes; rather, he acted as an agent and employee of Passes.” Cite to Quinteros.

The court summarizes:

Section 230 immunity does not apply to Passes, a platform which has allegedly, through its agents, deliberately created, marketed, and sold illegal content, acting as an “information content provider” that uses its own “interactive computer service.”

In a footnote, the court adds regarding Guo: “Plaintiff’s allegation that Guo encouraged Plaintiff over the phone to post content, which supports Plaintiff’s claims for IIED and California Civil Code § 52.5, does not hold Guo accountable for Passes’ publishing activity.”

Doe v. X Corp., 2026 WL 772384 (N.D. Tex. Feb. 25, 2026)

“A third party copied commercial pornographic content from Plaintiff’s OnlyFans and studio-based productions and uploaded it to X without his consent, violating the OnlyFans terms and conditions and the studios’ licensing agreements.” He sued pursuant to 15 U.S.C. § 6851(b)(1)(A), a private right of action for nonconsensual production of intimate visual imagery. Doe produced the porn consensually, but he claims the restrictions extended to nonconsensual distribution.

The court says X qualifies for Section 230. Doe responded that he owned the IP in the works, so the IP exception applies. The court says:

The [IP] exception applies only when the claims arise from a law directly implicating intellectual property rights, not merely when intellectual property is involved in the claim. And the statute under which Plaintiff sues—§ 6851—is not an intellectual property law. Rather, it is concerned with “whether the depicted individual consented to a specific disclosure of an intimate visual depiction—regardless who holds the copyright to the image.” Thus, § 6851 creates a privacy-based tort right of action, not an intellectual-property based one.

The boundary between privacy and IP laws remains amorphous–increasingly so with all of the concerns about “deepfakes,” “virtual replicas,” and other AI-related regulations that use privacy framing to create what look like sui generis IP rights. This could be a good student paper topic.

For more discussion of the IP exception to Section 230, see this article.

Teague v. Google, 2026 WL 746996 (D. S.D. March 17, 2026)

Plaintiff claims Google committed defamation based upon the fact that “people think I raped [redacted]. This case (sic) been dismissed in 2021 but it still show (sic) on Google and caused me to (sic) threaten and attacked a few times.” Plaintiff further claims his image is on Google and it is difficult to get a job because the rape charges still appear on Google.”…

Google is not a “publisher or speaker” under the CDA and therefore “cannot be liable under any state-law theory to the persons harmed by the allegedly defamatory material.”

Google is immune from suit for defamation claims arising out of other content providers’ posts on the internet.

The post Section 230’s Application to Account Terminations, CSAM, and More appeared first on Technology & Marketing Law Blog.

In 2024, Photobucket emailed its legacy users, asking if they wanted Photobucket to keep or delete their accounts. Users who clicked on the email’s links–included to delete their accounts–were presented with a new TOS formation process that included a consent to use the photos to derive users’ biometric information for AI purposes. “If users did not opt out of the Biometric Policy within 45 days of July 22, 2024, Photobucket claims the right to sell, lease, trade, or otherwise profit from the users’ biometric information.” (Photobucket claims it hasn’t actually pursued this AI option). The new TOS also contained an arbitration provision that wasn’t in some prior TOS versions. Photobucket invokes the arbitration clause against the plaintiffs’ lawsuit.

Article III Standing. The court says the plaintiffs only have Article III standing for equitable relief, not damages. This narrows the case substantially.

Pierce

Pierce agreed to Photobucket’s 2008 TOS and last logged into Photobucket in 2014. The 2008 TOS informed Pierce that his “continued use” of Photobucket would constitute acceptance to any TOS modifications. Since he didn’t use the site after 2014, he didn’t assent-by-use to the 2024 TOS:

a reasonable person would not understand his failure to take his photos off of
Photobucket, after not logging in for nearly ten years, to constitute “continued use” and thus acceptance of any revised terms.

In other words, a user’s maintenance of a legacy account isn’t “continued use” of the service.

Ms. Hughes

Ms. Hughes agreed to Photobucket’s 2006 TOS and last logged into Photobucket no later than 2011. The 2006 TOS said:

By using the Services you agree to the Terms of Service set forth below as they may be updated from time to time by Photobucket.com, Inc. (“Photobucket.com”). Photobucket.com may modify or terminate the Services from time to time, for any reason, and without notice, including the right to terminate with or without notice, without liability to you, any other user or any third party, provided that when Photobucket.com does so, it will update these Terms of Service. You are advised to periodically check the website for changes in the Terms of Service.

The court says this TOS “told Ms. Hughes that she was “advised to periodically check the website for changes in the Terms of Service.” The 2006 Terms “necessarily inform[ ] how a reasonably prudent user would interact” with Photobucket’s website.”

But…the TOS applicable to Pierce said “It is therefore important that you review this Agreement regularly to ensure you are updated as to any changes.” The court disregarded that language for Pierce. Can you find a difference between the disclosures to Pierce and Hughes? Beyond the (seemingly immaterial) language differences, the court’s different conclusions might be explained by (1) Pierce was governed by Colorado law, Hughes by CA law; or (2) Hughes admitted getting emails telling her about the coming changes, though she didn’t pay attention to them. I don’t find those distinctions persuasive, so I can’t meaningfully distinguish Pierce’s situation from Ms. Hughes’.

The court says Hughes is bound to the 2024 TOS:

the 2006 Terms told Ms. Hughes that she had an obligation to periodically check Photobucket’s website for updates to the Terms. The 2024 Terms and arbitration provision constitute an update to the Terms that Ms. Hughes had an obligation to stay apprised of. Ms. Hughes assented to the 2024 Terms because they informed her that failure to opt out within 45 days of the effective date would constitute acceptance, and Ms. Hughes did not opt out

Whoa. The court is saying that even though Hughes functionally abandoned Photobucket in 2011, a “reasonably prudent user” would have kept checking Photobucket’s TOS 13 years later just in case the terms had changed. Wild.

Because Ms. Hughes “agreed” to the 2024 TOS, she also “agreed” to its jury trial waiver.

However, the arbitration clause excludes IP claims. The plaintiffs alleged 1202(b) claims, which the court says are IP claims and thus not covered by the arbitration provision. This claim stays in court.

Cumming

The parties can’t agree when Cumming created her Photobucket account or when she last used it, but everyone agrees that she agreed to the 2013 TOS and didn’t use the site later than 2013. That TOS version said “so long as you’ve used the Site after the change, regardless of any separate notice, you agree to the current posted version of the Terms.” Similar to the court’s discussion of Pierce, the court says “a reasonable person in Ms. Cumming’s position would not understand her failure to take photos off of Photobucket to mean that she “used” Photobucket after 2010 or 2013 and thus assented to the 2024 Terms.”

Mr. Hughes

He didn’t have a Photobucket account, but Ms. Hughes uploaded photos of him. The court says he’s not a third-party beneficiary of any TOS and not bound by the arbitration clause.

Court Stay

The court stays the litigation until after the arbitration, even though the court held that 3 of the 4 named plaintiffs were not bound by the arbitration and the fourth plaintiff had a claim not subject to arbitration. Because the court will not be bound by the arbitrator’s decisions for the non-arbitrated plaintiffs and claims, I didn’t understand why the court held everything else up. A slightly lucky break for Photobucket, because it avoids the cost of defending the litigation and arbitration simultaneously.

Implications

Here’s where things stand when the dust settled:

• damages are out of the case
• part of one plaintiff’s case is sent to arbitration
• when that’s complete, the court will address the remainder of that plaintiff’s case plus the other three plaintiffs’ cases

A messy outcome…perhaps messy enough to motivate the parties to settle? Without the availability of damages, this case became less interesting to the plaintiffs. Alternatively, I could also see the plaintiffs appealing this ruling.

Though Photobucket nominally got the outcome it wanted (the case sent to arbitration), it does not come out of this ruling looking very good. Some of the lowlights:

• its inital TOS amendment provisions sucked. It had various versions of “you need to come back to the site to check for possibly amended terms,” which has rarely fared well in court. Frankly, it’s shocking to see the judge find this “keep checking the TOS 13 years later” provision worked against Ms. Hughes. I don’t think that’s what a reasonable consumer would do. (As usual, the court cited no empirical basis for its assessment of what a reasonable consumer would do or think).
• the fact that Photobucket’s TOS amendment language kept changing over time. The language differences ensure more litigation work when it’s challenged.
• the fact that Photobucket kept changing its governing law clause. Another decision that increased its defense costs and the risk of inconsistent outcomes.
• the fact that Photobucket couldn’t definitively establish the dates of the users’ account creation or usage.
• its 2017 implosion. How did it misjudge the market so badly?
• its 2024 pivot to potentially engage in AI mining. I guess if you’ve already killed your business, why not try to salvage what’s left of the carcass?
• the attempt to bind legacy users via a TOS that users had to click through even if they wanted to exit Photobucket. Gauche.
• the arbitration provision’s exclusion for IP. Plaintiffs are weaponizing 1202, so IP carveouts have become dangerous. Reminder: every part of the arbitration provision should be carefully vetted for potential plaintiff weaponization.

The result was a messy outcome with different plaintiffs for getting different outcomes. Not what Photobucket was aiming for.

The obvious question: was there a better way for Photobucket to force all legacy users onto its new AI-friendly terms? This judge seemed to believe that the right incantation would let Photobucket put the onus on users to check for TOS amendments, but most judges won’t permit this. Could Photobucket have forced users to the new terms through its emailed notifications? The Ninth Circuit just permitted this, so maybe? The reality is that it’s difficult or impossible to universally bind all legacy users to new terms if they aren’t coming back to the website. I don’t have any clever hacks or tricks to work around this.

Case Citation: Pierce v. Photobucket Inc., 2026 WL 672764 (D. Colo. March 10, 2026). CourtListener page.

Other posts about Photobucket

• Photobucket Qualifies for the 512(c) Safe Harbor (Again)–Wolk v. Kodak
• Photo Hosting Site Gets DMCA 512 Safe Harbor–Wolk v. Photobucket

The post Photobucket’s Attempted TOS Amendment Mostly Fails–Pierce v. Photobucket appeared first on Technology & Marketing Law Blog.

The plaintiffs claim that bad actors misused Tile’s tracking devices to stalk them. The plaintiffs (as a class action) sued Tile for how it designed and sold the trackers. Tile invoked the arbitration clause in its TOS. This sets up a complicated analysis of TOS amendment–though the panel never directly acknowledges that this is an amendment case, not a case about formation in the first instance.

Two plaintiffs agreed to Tile’s TOS in 2021 and early 2023, respectively. Those versions of the TOS contained arbitration clauses that proved ineffective. In October 2023, Tile changed the arbitration provisions to include new language. To step up its existing users to the October 2023 arbitration provisions:

In October 2023, Tile sent to all accountholders the Oct. 2023 Notice—an email with the heading “Updated Terms of Service and Privacy Policy”—advising that Tile was updating its Terms. Sent to the email address provided by accountholders during registration, the Oct. 2023 Notice contained a blue-text and bolded hyperlink to the Oct. 2023 Terms. The email told accountholders that “[i]f you continue to use any of [Life360 and Tile’s] apps, or access our websites (other than to read the new terms) on or after November 26, 2023, you are agreeing to the [Oct. 2023 Terms].”

One plaintiff said the notification email went into the spam folder, but they saw it months later when they went affirmatively looking for it. The other plaintiff said they never saw the email. Both used the Tile service after the purported TOS amendment date. The district court held that neither plaintiff was bound by the October 2023 arbitration provisions, and the arbitration provisions in the earlier TOS versions partially failed due to unconscionability. Tile appealed that ruling, hoping to send these plaintiffs to arbitration.

The Ninth Circuit holds that Tile’s email put both plaintiffs on inquiry notice of the TOS amendment.

Transaction Context. “As Tile users, each Appellee provided an email address during account registration, and should have expected to receive relevant updates there while the account was active.” This is a pretty wild claim. Many services request email addresses during account registration, and yet the initial TOS formation fails. Also, just because I provide an email address during registration doesn’t mean that I assume TOS amendments will be sent via email. That may depend on how the TOS describes the amendment process–an angle this panel remarkably ignores completely.

Reasonable Disclosure. The court says the email disclosures were good enough:

The design and content of the Oct. 2023 Notice provided reasonably conspicuous notice of the Oct. 2023 Terms because the email’s design was “clear and legible,” and it provided the updated Terms through a link with “customary design elements denoting the existence of a hyperlink.” The subject line clearly stated that Tile was updating its Terms. And the body contained a hyperlink to the Oct. 2023 Terms in bold, blue text which contrasted against the white background. Although the email did not say specifically that the arbitration agreement would be updated, reasonable notice does not require the email to discuss every revision.

“Lack of other notices.” The court says “Tile could have done more to ensure that all its users were on inquiry notice of the Oct. 2023 Terms. Tile could, for example, have interrupted users’ next visit to the Tile App with a clickwrap pop-up notice.” The court says the absence of these other notices weighs against inquiry notice.

So, did the TOS amendment work? The court makes a remarkable doctrinal move, something I don’t recall seeing before. The court treats inquiry notice as a multi-factor test and says two factors weigh in favor of notice (transaction context and reasonable disclosures) and one weighs against (lack of other notices). In other words, the two pro-formation factors prevail over the anti-formation factor. But…when did the inquiry notice standards become a multi-factor test with these three factors? This methodology is novel (and dubious). The court might have said that even if other notification procedures would have been more efficacious, the email notice was good enough. This would have reached the same outcome without this weird doctrinal move.

[Hedging its bets, the court says “we do not hold that notice by mass email establishes inquiry notice in every case”].

Manifestations of Assent

Doe unambiguously manifested assent to the Oct. 2023 Terms by downloading the Tile App in March 2024 and using the Scan and Secure feature in attempting to locate her alleged stalker’s Tile Tracker….

Broad also unambiguously manifested assent to the Oct. 2023 Terms by using the Tile App in January 2024 and periodically opening the Tile App to check location-sharing settings—including, according to Tile’s records, in April 2024.

The court treats these users’ actions as occurring after the users had “inquiry notice.” Thus, the October 2023 TOS controls, and the court sends the case to arbitration.

* * *

Consider some of the wackiest aspects of this opinion:

• the court doesn’t distinguish between TOS formation and TOS amendment.
• the court doesn’t address what Tile’s TOS said about how the TOS could be amended. Did the TOS even authorize email amendment? The TOS terms would have substantial bearing on what a reasonable consumer might have thought. [Note: The court discusses the prior TOS’s arbitration language that said Tile couldn’t materially change the arbitration provisions “unless you expressly agree to them” but treats the October 2023 as sufficient “express agreement.”]
• the court doesn’t engage many of the precedents involving attempts to form TOSes by email, especially post-transaction emails (like this one).
• the court assumes that providing an email address during account registration means that the users should assume they will be getting TOS amendment notifications via email.
• the court didn’t address the many reasons why a TOS amendment email might never reach a user, such as the user’s email address having gone defunct or server-level blocking. If the user never received the email, does the court still think they are on inquiry notice? The court also doesn’t address the implications of the email going into a folder other than the user’s primary inbox, such as showing up in the spam folder. Are users on inquiry notice for everything in their spam folder? I wonder how often the judges carefully check their spam folder…
• the court created and applied a weird multi-factor test for inquiry notice.

FWIW, the court does acknowledge that some of the underlying issues are empirical questions, but it dodges those questions by citing Sellers, which said “there is very little empirical evidence regarding” Internet users’ expectations. If the data is hard to get, I guess we don’t need it?

So, what should we make of this opinion? Is this an example of the characteristically wild-‘n’-wooly jurisprudence in the Ninth Circuit’s non-precedential cases? Or perhaps an indicator the Ninth Circuit’s TOS formation jurisprudence is a mess and there is no logical or defensible through line from case to case?

Case Citation: Ireland-Gordy v. Tile, Inc., No. 25-403 (9th Cir. March 3, 2026). The CourtListener page.

The post Ninth Circuit Allows TOS Amendment by Email–Ireland-Gordy v. Tile appeared first on Technology & Marketing Law Blog.

Here is a chart of the various TOS formation timings and modalities:

The court starts by establishing what evidence it can consider.

2015 TOS Formation Evidence. Paypal apparently doesn’t have a copy. It pointed to the Wayback Machine version but didn’t submit a screenshot of that. Arbitration denied.

2019 TOS Formation Evidence. Paypal only has a screenshot of the email TOS formation from Wayback Machine, but none of the plaintiffs apparently signed up via email. Arbitration denied.

2021 & 2022 TOS Formation Evidence. More Wayback Machine screenshots. “The screenshot does not show any language notifying users about terms of service or show what users would have seen after selecting the button for how they would like to join….The Court cannot consider whether notice of any terms was reasonably conspicuous, let alone legible, without knowing what the website looked like.” Arbitration denied.

2016–2018, 2020, and 2023–2024 TOS Formation Evidence. The court says Paypal provided sufficient Wayback Machine screenshots for all but one of the plaintiffs in these periods. (The other plaintiff used the browser extension and may not have created an account). The court accepts the Wayback Machine screenshots because “plaintiffs’ failure to provide competent evidence directly rebutting defendants’ evidence fails to create a genuine issue as to the sign-up process that was presented to those plaintiffs when they created their accounts.”

* * *

Having identified the competent evidence, the court then discusses the screenshots (but it only shows one; the rest it describes textually):

2016-18 TOS Formation Process.

• “The text stating “By joining, I agree to Honey’s TOS & Privacy Policy” was of a size sufficiently smaller than the text on the rest of the screen that many users would likely have had to squint to read it.” Squinting is bad, but I always say that the offer language should never be the smallest font on the screen.
• “The small font size was exacerbated by the color of the text, which was light gray against a white background and in contrast to the two large and colorful buttons on the screen.”
• “the sign-up page told users that by joining, they agreed to Honey’s “TOS.”…the Court cannot conclude that a reasonable user in 2016 or 2017 would have known what TOS meant….Even if a reasonable user might have understood TOS to mean terms of service, Honey’s use of the acronym required an extra mental step for a user moving quickly through the sign-up page.”
• “the very small and faded nature of the text did not render the hyperlinks “readily apparent.””

Arbitration denied.

2020 TOS Formation Process.

Defendants’ declaration states, “The Wayback Machine reflects that in 2020, a user would affirmatively check a box to agree to the Terms of Service.” Nowhere does the declaration aver that a user had to check the box to continue signing up for Honey. Defendants ask the Court to recognize that it is “self-evident” that a user would have had to check the box. But where the Court must draw all inferences in favor of the non-moving party, it cannot conclude that a user was required to check the box and indicate their agreement to Honey’s terms rather than that it was merely optional for a user to do so. This is particularly true given that the box next to the second statement, through which users could choose to “[r]eceive news and offers from Honey by email,” was most likely optional. Nothing in the text of the page states that checking one of the boxes is mandatory while checking the other is not, and in the absence of evidence specifically establishing that users were required to check the first box, the Court cannot conclude that defendants have satisfied their burden to produce evidence of Cruz’s unambiguous assent to Honey’s terms of service.

Ugh. A great reminder that a screenshot doesn’t capture any animation or kinetic elements. So avoidable. A video of the UI, showing that the checkbox was mandatory, would have made this obvious.

Arbitration denied.

2023-24 TOS Formation Process.

Finally, the court shows a screenshot, which the court labels a “clickwrap agreement”:

The court explains why this works:

First, the notice was placed above the button to sign up and in the “user’s natural flow.” Second, although the text was relatively small and gray against a white background, the surrounding text was not much larger and was the same gray or black. The pages thus did not distract or draw the user’s eye away from the notice. Third, the hyperlinks are in a slightly different color than the rest of the notice and are underlined to indicate their presence to a reasonable user. Although the terms of service are mentioned in the fourth line of the notice, its placement is not fatal to its otherwise conspicuous disclosure; the first line of the notice indicates that users “agree to the following terms,” and the button to complete sign-up says, “Agree.”

Note that the Godun case might actually reject this process, despite its clarity, because the checkbox lacks an if/then grammar that links the offer language to the button. The court responds: “the button to complete sign-up itself indicated that the user “Agree[d]” to the text above.” But is that clear? Could the user just be agreeing to the sentence to right of the checkbox? The court responds: “the first line of the notice states that users agree to the “following terms,” signaling that multiple terms are included in the notice and correspond to the checkbox. And even if a user might not have understood that the checkbox referred to all of the terms within the notice, the “Agree” in the text of the button provided a further backstop.”

Arbitration granted for these two plaintiffs.

Implications

Courts are being stricter about TOS formation. I continue to believe that Chabolla and Godun were a substantial break with prior TOS formation law, so courts are being much pickier and the bar for TOS formation has gone way up. Here, the court rejects TOS formation for 10 of the 12 named plaintiffs (and for the other two, I believe the court disregarded the Godun precedent). This is the new math of TOS formation.

Watch out for jargon. It was interesting seeing the court reject the TOS term as unclear to consumers at the relevant time. Perhaps that’s true, though with the proper offer language, it shouldn’t matter so long as consumers otherwise understood that terms applied.

(The court dodges the nature of Honey’s relationship with consumers, even though it seems pretty obvious to me that consumers would expect a long-term relationship with Honey and that terms would apply to Honey’s software. If so, Ninth Circuit law might say that consumers were likely to presume that terms applied somewhere).

Similarly, it’s interesting how the court didn’t assume the TOS checkbox was mandatory, but textual references to its mandatory nature (or maybe a red asterisk?) would have helped. I saw this as a cautionary indicator that a screenshot may not be enough to establish a clickwrap, in which case either testimony from an engineer or a video will be required to establish the checkbox’s mandatory nature.

It’s the lawyer’s job to keep the right evidence. I wince every time I see a TOS formation case where the website operator (usually the defendant) relies on Wayback Machine evidence. The Wayback Machine is awesome and I love it, but it’s often not a complete rendering of the page, it doesn’t capture app interfaces, it doesn’t capture screens behind registration walls or paywalls, and it usually doesn’t capture animation or kinetic elements. In other words, submitting Wayback Machine evidence should be your last-ditch failsafe, not your Plan A. You can see how the judge was repeatedly underwhelmed with the Wayback Machine screenshots–almost certainly snatching defeat from the jaws of victory, as least for some of the plaintiffs in this case. The solution is simple: when you’re updating your TOS terms or your TOS interface, capture screenshots and videos to show how the pages look and work.

What’s next? The court’s split decision is a bummer for both sides, because it multiplies the litigation into parallel court and arbitration proceedings. Simultaneous litigation efforts jack up the costs and increase the risk of inconsistent outcomes. As an outsider to the litigation, the Solomonic approach would be to stay the arbitration for now, proceed with the in-court litigation, and then revisit the arbitration piece after the court decisions. That would allow the bulk of the case to proceed, save the duplicative costs, and avoid the risk of inconsistent outcomes. Indeed, it’s entirely possible the parties will know how to settle the arbitrated cases after getting the in-court results, in which case arbitration may never be needed. But Paypal could try to negotiate around this result, weaponizing the threat of litigation multiplication and the associated costs to goad the plaintiffs into arbitration first. An interesting game theory scenario.

Case Citation: White v. Paypal Holdings Inc., 2026 WL 496712 (N.D. Cal. Feb. 23, 2026)

The post If You Don’t Keep Good Records, Don’t Be Surprised if Your TOS Formation Fails in Court–White v. PayPal appeared first on Technology & Marketing Law Blog.

* * *

I previously summarized the case:

McGucken is a professional photographer who has appeared on the blog before. He claims that third party “contributors” uploaded his copyrighted photos to ShutterStock as part of ShutterStock’s licensing program. Specifically, McGucken claims that a total of 337 images were uploaded, of which 165 were downloaded and that led to 938 licenses. In total, those licenses generated $2,131 in revenues, split between the contributor and ShutterStock.

The court summarizes ShutterStock’s prescreening efforts:

Shutterstock reviews every image before it appears in the online marketplace. It claims that it does this to weed out images that contain “hallmarks of spamming,” “visible watermarks,” technical quality issues, or material like “pornography, hateful imagery, trademarks, copyrighted materials, [or] people’s names and likenesses without a model release.” Technical quality issues that, according to Shutterstock, could prevent an image from appearing on the platform include poor focus, composition, lighting, and blurriness. Shutterstock’s reviewers examine each image for an average of 10 to 20 seconds and typically each image is reviewed by only one person. Prior to review, Shutterstock automatically removes all metadata associated with the file and allows users to supply their preferred display name and metadata. Shutterstock’s reviewers examine that new user-created metadata, which includes an image title, keywords, and a description.

512(c)

The district court ruled on summary judgment for ShutterStock on all 512(c) elements. The Second Circuit reverses that conclusion on two elements, likely positioning those issues for trial.

Service Provider. The “broad definition…covers any online platform designed to assist users in doing something that benefits those users.”

Repeat Infringer Policy.

all McGucken has shown is that Shutterstock failed to terminate one repeat infringer. Considering that Shutterstock hosts hundreds of millions of images and videos, uploaded by millions of contributors, the failure to terminate one repeat infringer, standing alone, cannot establish unreasonable implementation. To hold otherwise would require a standard of perfection not contemplated by the statute.

Standard Technical Measures. Metadata doesn’t meet the statutory definition of STMs (nothing does).

Actual/Red Flags Knowledge. “McGucken cites nothing in the record suggesting that any Shutterstock employee ever reviewed the metadata (or lack thereof) associated with his images that were uploaded to the platform.”

Expeditious Removal. “Shutterstock’s removal of the noticed images within four days of McGucken’s DMCA compliant takedown notice was sufficient.”

Storage at User’s Direction. So far, the Second Circuit’s opinion is going smoothly. Now, it takes a dramatic turn for the worse.

The Second Circuit questions if ShutterStock stores its users’ uploads at their direction because it manually prescreens uploads applying its editorial standards:

The task for courts applying § 512(c)(1) is to decide whether a given service provider plays a sufficiently active role in the process by which material appears on its platform such that, as a result, its storage and display of infringing material is no longer meaningfully at the user’s direction….

functions like transcoding, copying, and playback of user-uploaded materials have fallen within the ambit of the safe harbor…

Our caselaw also makes clear that under § 512(c), service providers can review and screen user content before they store it on their platform without becoming ineligible for safe harbor, particularly where the ability to exert control over the content that appears on the platform is necessarily limited by the sheer volume of uploaded user content. [cite to Capitol Record v. Vimeo]…

A service provider may engage in rote and mechanical content screening, like excluding unlawful material, enforcing terms of service, or limiting uploads “to selected categories of consumer preferences,” without falling outside the ambit of § 512(c)(1). On the other hand, a service provider is likely to run afoul of § 512(c)(1) if it is applying its aesthetic, editorial, or marketing judgment to determine which user uploads it accepts….

we adopt the following general rule: if a service provider engages in manual, substantive, and discretionary review of user content—if, on a case-by-case basis, it imposes its own aesthetic, editorial, or marketing judgment on the content that appears on its platform—then its storage of infringing material is no longer “at the direction of a user.” In other words, “extensive, manual, and substantive” front-end screening of user content is not “accessibility-enhancing” and is not protected by the § 512(c) safe harbor.

Boom. Yet another notorious Second Circuit line-drawing exercise that ratchets up defense costs and undermines predictability for both sides.

So what evidence will show that a service is making “aesthetic, editorial, or marketing judgments”? You know this is going to be maddeningly talismanic…and trigger expensive discovery…

the duration of review—that is, how long each piece of user content is under review before it is approved or rejected—and the proportion of user uploads that the service provider accepts are relevant factors to resolving the inquiry. Likewise, the fact that a service provider conducts human review rather than screening images with software may indicate that its content review is more substantive than cursory. But none of these factors is dispositive, and they cannot substitute for the ultimate factual inquiry into the nature of the service provider’s screening of user uploads.

Seriously? Restated: using humans to prescreen increases the service’s legal risk, but only if the humans take too long to review each image (and how long is too long???). FFS.

The court continues reciting the evidence that indicates if the service is making aesthetic, editorial, or marketing judgments:

There is evidence in the record that suggests Shutterstock’s review of user images is neither cursory nor automatic. To begin, when a user submits an image to Shutterstock, the image does not immediately appear on the website; rather, the contributor must wait, sometimes for hours, until they receive an email from Shutterstock letting them know which of their images were accepted. That fact is not dispositive, but it suggests some intervention by Shutterstock between a user upload and the appearance of material on the platform. Moreover, Shutterstock’s website states that it “has high standards and only accepts a portion of the images submitted to be included in [its] collection.”…There are “30-odd” reasons that an image might be rejected by a Shutterstock reviewer, which include focus, exposure, lighting, and noise.

The record also contains evidence that Shutterstock’s reviewers exercise some subjective discretion even when applying seemingly rote and straightforward criteria. For instance, when considering an image’s focus, Shutterstock reviewers are “trained to know the difference between something that’s just out of focus and something that’s more intentional.” And according to Shutterstock, a reviewer may still accept an image that has focus issues if it is “a really unique shot” or a “hard shot to get.”…In the end, as Shutterstock itself concedes, “photography is an art . . . you can’t just say, ‘This is yes, this is no.’” Together, these statements could lead a factfinder to conclude that Shutterstock’s reviewers exercise a considerable degree of case-by-case aesthetic or editorial judgment when determining which images to allow on the platform.

What does the court expect ShutterStock to do here? If it doesn’t screen for image quality, its database becomes cluttered with junk–exactly what successful uploaders don’t want. Maintaining the database’s integrity keeps the credible uploaders from competing with AI slop, and a higher quality database is more likely to draw potential licensees because they can rely on the quality standards so they don’t waste their time. Perhaps the court thinks that running a paywalled licensing database is fundamentally inconsistent with 512(c).

And the idea that a few hours delay for prescreening may be disqualifying? Plaintiffs know what to do with musings like that.

The court continues:

Shutterstock counters that its front-end screening is rote and mechanical—that its reviewers consider only “apparent technical issues or policy violations.” And indeed, there is evidence in the record that supports that characterization. For one, as Shutterstock emphasizes, a reviewer typically spends no more than 10 to 20 seconds examining an image. Further, there is evidence in the record that approximately 93 percent of submitted images are approved for the platform. A factfinder might conclude that such a high “success” rate supports an inference that it is the users, and not Shutterstock’s reviewers, who dictate the images that appear on the site….

Of course, approving a high rate of submitted images could indicate that Shutterstock’s image screening is limited and permissive. Alternatively, a high image acceptance rate could suggest that Shutterstock’s contributors know what types of images are likely to be approved and proactively curate their own submissions. Indeed, the record suggests that one reason Shutterstock gives its contributors guidance on the images to submit is to reduce the likelihood that an image will be rejected. Similarly, a platform that successfully coaches its contributors on the types of images it prefers to display may generally have to spend less time reviewing each individual image. Therefore, while a low acceptance rate may indicate that a platform is selective in the content it accepts, a relatively high acceptance rate does not invariably establish the opposite.

As the old adage goes, if you’re explaining, you’re losing. Any service that has to haggle with plaintiffs over whether their content moderation is sufficiently “rote and mechanical”–e.g., whether their reviewers are lingering too long over a particular upload or rejecting too many uploads–has already lost the game.

Also…what’s the difference between (1) articulating content editorial standards in your TOS (which many regulators are now demanding, though those edicts may be unconstitutional), and (2) “coaching” users about what uploads are proper?

Right and Ability to Control the Infringements.

[Reminder: courts have redefined this factor to turn on whether the service exercises “substantial influence” over users’ activities. That redefinition clarified nothing, so we’re back to epistimological inquiries.]

Citing Vimeo, the court says “a service provider does not necessarily exercise substantial influence over user activities merely because it screens every upload before it appears on its platform.” In Vimeo, the court said a video-sharing platform could permissibly impose content gatekeeping criteria that “were in the nature of (i) avoiding illegality and the risk of offending viewers and (ii) designing a website that would be appealing to users with particular interests.” In Viacom, the court said substantial influence exists “where the service provider instituted a monitoring program by which user websites received ‘detailed instructions regard[ing] issues of layout, appearance, and content.’”

Here, the court says: “the relevant inquiry here is whether the image pipeline Shutterstock has constructed—which begins with its lengthy guidelines for successful submissions and ends with manual image review—enables Shutterstock to exercise substantial control over the images that appear on its platform.”

An “image pipeline”? Are we reinvigorating 1990s metaphors about surfing the Internet?

The court identifies the relevant evidence to this standard:

Shutterstock screens every image before it appears on the platform—this screening determines whether an image ever gets on the platform….there is evidence here that Shutterstock’s image review goes beyond the limited purposes of restricting the site to “selected categories of consumer preferences” and excluding unlawful images. Rather than engaging in categorical content screening—like accepting only holiday-themed images, or images that feature animals—Shutterstock appears to screen user images for their overall aesthetic quality. Curating a “collection” of high-quality images is not the same as designing a website “that would be appealing to users with particular interests.”…

Shutterstock extensively advises potential contributors on the types of images it is likely to accept. That is unlike the service provider in Vimeo II, which “encouraged users to create certain types of content,” but did not condition their ability to post material on whether they created the provider’s preferred types of content….a reasonable factfinder might conclude that the advice and instruction Shutterstock provides its contributors, coupled with its image screening process, are sufficiently coercive to constitute substantial influence….

the duration of Shutterstock’s image review and its 93 percent approval rate are relevant facts, but they are not dispositive

One way of reading this is that the Second Circuit is collapsing the distinctions between the “stored at a user’s direction” and “right and ability to supervise” factors, because apparently they both depend on the same evidence?

1202 CMI

ShutterStock automatically strips out the metadata of uploaded images and adds its own watermark to every image in its database. The court says the 1202 claims fail:

McGucken points to no evidence suggesting that Shutterstock affixed its watermark to his images—or, indeed, to any images—with knowledge that it constituted false CMI and for the purpose of concealing copyright infringement…

While Shutterstock concededly knows that it removes CMI from every image ingested into its system, Shutterstock explained—and McGucken failed to refute—that it removes metadata from all images primarily to avoid computer viruses and the dissemination of personally identifiable information, and not for any reasons related to infringement.

This ruling reinforces that 1202 has a “double scienter” requirement, which should help curb other 1202 cases–especially the cases against generative AI model-makers.

Implications

Second Circuit Walks Back the Vimeo Case. Last year’s Vimeo opinion was written as if it was a watershed Section 512(c) defense win, but it didn’t draw much attention. Why? First, I viewed it as a Pyrrhic defense victory because it added yet more details that plaintiffs could attack to disqualify 512(c) defenses. Second, I think no one really believed other Second Circuit panels would defend the 512(c) safe harbor the way Judge Leval tried to do. And here we are. A year after the Vimeo opinion, and the next Second Circuit panel to address Section 512(c) compounds Section 512(c)’s complexity and undermines 512(c) for any service that prescreens content.

(Note: the Second Circuit did the same thing a decade ago. The EMI v. MP3Tunes decision walked back a defense-favorable Vimeo ruling that had come out not that long beforehand).

The Incoherent Standard for User-Directed Storage. The Second Circuit says: “A service provider may engage in rote and mechanical content screening, like…enforcing terms of service” and still qualify for 512(c). However, the service loses 512(c) if it “imposes its own aesthetic, editorial, or marketing judgment on the content.”

Hello…does anyone else see the intractable conflict? A service can always claim it is “enforcing its terms of service” when moderating content, so this legal standard sets up an obviously false dichotomy. The opinion then suggests there are right and wrong kinds of TOS terms, such as its discussion about impermissible “coaching” to secure the right kinds of uploads. At minimum, this ensures more expensive discovery and fights over how the Second Circuit purported to thread this needle.

Bonus conceptual dilemma: the court says 512(c) disqualification occurs if a service “imposes its own aesthetic, editorial, or marketing judgment on the content that appears on its platform,” and then it says that the evidence for this is if the service does “manual, substantive, and discretionary review of user content.” These are not the same thing! Content moderation always involves difficult judgment calls and line-drawing exercises, so it’s possible to do “manual, substantive, and discretionary review of user content” for reasons other than imposing “its own aesthetic, editorial, or marketing judgment on the content that appears on its platform.”

Then again, the inclusion of the word “editorial” makes the court’s standard a non-standard. Every content moderation judgment is an editorial decision of some sort. Thus, the phrase “rote and mechanical content screening” is incoherent.

This Opinion is an Attack on Content Moderation. Restated, this court says that some pre-posting content moderation disqualifies defendants from 512(c). But which content moderation techniques should defendants avoid if they care about 512(c)? No idea. The court puts every content moderation decision in play. Reviewers took too long. Reviewers tried to screen out junk submissions. Reviewers made judgment calls about how to apply standards (which every content moderator must do with every decision). The services’ rejection rates are too high. The service did too much “coaching” of what uploads it wanted. In other words, there is no safe harbor for content moderation that ensures the safe harbor for user-caused copyright infringement. Plaintiffs can attack everything.

The court’s “guidance” to services is to do less content moderation if they want toincrease their eligibility for 512(c). This is a terrible message to send, especially now. As a reminder, Section 230 was written because Congress wanted to encourage, not discourage, content moderation. Further, it’s tone-deaf about what’s going on in the real world right now. We desperately NEED more content moderation, not less; we need more efforts to identify or screen out AI slop; we need more efforts by services to encourage civility and discourage rage. The Second Circuit, instead, wants to trigger liability if content reviewers maybe think a few extra seconds about whether something should go live or not. The Second Circuit really needs to read the room.

I will also add that this opinion implicitly encourages services to impose stricter time limits on content reviewers’ average review times, even though such time limits will likely increase the overall stress and burnout of content reviewers. This is a decidedly human-unfriendly opinion at every level. Or maybe the Second Circuit thinks services should shift more content review to the algorithms???

Case citation: McGucken v. Shutterstock, Inc., 2026 WL 364412 (2d Cir. Feb. 10, 2026)

This ruling might inspire you to revisit my essay, How the DMCA’s Online Copyright Safe Harbor Failed.

Want more? See my follow-on post, A First-Hand Look at the Messy Underbelly of DMCA 512(c) Takedowns

The post Pre-Publication Content Moderation Can Disqualify Services from the DMCA 512(c) Safe Harbor–McGucken v. ShutterStock appeared first on Technology & Marketing Law Blog.

LowerMyBills.com refers internet users who are interested in refinancing their home mortgages to affiliated lending partners, including Rocket Mortgage. The website tells users that they will agree to its hyperlinked “Terms of Use”—including a mandatory arbitration provision—if they click on a particular button. Michael Dahdah visited this website three times, inputted his information, and clicked the critical buttons. LowerMyBills referred him to Rocket. When Dahdah later received calls from Rocket that he did not want, he sued the company in federal court. Rocket responded by invoking LowerMyBills’ arbitration provision. But the district court held that Dahdah’s “click” did not create an enforceable agreement. We disagree. Under the significant body of circuit precedent interpreting California law, LowerMyBills gave Dahdah sufficiently conspicuous notice that he would accept the proposed terms by clicking the button. So his decision to take this action qualified as a valid “acceptance” of LowerMyBills’ “offer” to contract. The district court thus should have granted Rocket’s motion to compel arbitration.

* * *

Let’s dig into the details, starting with the relevant screens. The plaintiff went to LowerMyBills’ site and requested information about mortgages. The court focuses on the following two screens (the fourth and fifth pages in a 5-page sequence). A screenshot of the bottom of the fourth screen:

A screenshot of the bottom of the fifth screen:

[By redacting the screenshots to only show the page bottoms, the court removed the TOS formation process from the full context. This supports the court’s pro-formation bias by making the pages look simpler than they actually were.]

As you can see, these screenshots look like pretty standard “sign-in-wraps.” The court characterizes them as “a hybrid offer (not a clickwrap or browsewrap offer).” The court prefers the hybrid language because the same methodology applies to sign-in-wraps and other formation processes that aren’t clickwrap/scrollwraps or browsewraps. The court rejects the plaintiff’s argument that this was a browsewrap:

Browsewrap offers seek to create contracts when users simply browse a webpage (hence, their name). LowerMyBills did not propose that type of offer. It required users to take a specific step to accept its offer: click the relevant buttons.

The Sixth Circuit applies California law to these screenshots (both parties agreed on that choice), which is a little dicey because the Sixth Circuit isn’t a repeat player with California TOS formation law. As an example, the Sixth Circuit completely ignores the Godun decision even though I think Chabolla and Godun can’t be understood without reference to the other.

[Personnel notes:

• The opinion was written by a TAFS judge (TAFS = Trump-Appointed Federalist Society). TAFS judges’ opinions routinely are distinctive compared to non-TAFS opinions (not necessarily in a good way). I thought this opinion was disorganized (my blog post merges related topics that were confusingly addressed in disjointed locations throughout the opinion) and overrelied on cherrypicked precedent (a hallmark of TAFS opinions).
• For a court applying California law outside of California, it was conspicuous that none of the lawyers listed on the opinion caption are based in California…]

The Court’s Description of TOS Formation Law

The Wrap Taxonomy

• “any reasonable person would conclude that so-called scrollwrap or clickwrap offers objectively convey the website operator’s “manifestation of [a] willingness to enter into a bargain” with website users”
• “So-called browsewrap proposals fall on “the other end” of potential offers….courts often hold that these offers cannot create valid agreements because they leave users “unaware” that the operator has even proposed an offer”
• “many proposals fall in between these extremes. These “hybrid” offers (what some courts have called “sign-in wrap” offers) present the trickiest cases.”

Sign-In Wrap (“Hybrid”) Requirements

In determining if an offer is reasonably conspicuous, this court asks Four Questions (no, not those questions):

Q1: “Did the website display the offer on an “uncluttered” page, or on a page filled with items that will “draw the user’s attention away from” the proposal?” “Simple streamlined designs” are more likely enforceable than “a page with lots of distractions.”

Q2: “Did the website operator place the proposed offer close to—or away from—the button that a user must click to signal the user’s acceptance of the proposal?” The closer the offer is to the action button, the more conspicuous it is.

Q3: “Did the website operator use a font size or color that would draw attention to the proposal?” The court says that it’s more likely conspicuous when sites use “a larger font or at least colored hyperlinks.” This is not a faithful characterization of Chabolla/Godun, which had exacting requirements for both fonts AND hyperlink presentations. It’s telling that the court favorably cites Selden v. Airbnb, a DC Circuit case (i.e., not a California case) that predates Chabolla/Godun, to support its summary rather than any Ninth Circuit case.

Q4: “Did the website operator and users engage in the kind of interaction that one would expect to include contractual terms?” Users expect terms with continuing relationships and not for one-off interactions.

These Four Questions are similar–but not identical–to the Ninth Circuit standards. Here’s how I summarize those standards in my Internet Law course:

Who Decides

The court says that if the facts about what happened aren’t in dispute, the court can rule on the formation process as a matter of law rather than send the formation question to the jury.

Application to This Case

Reasonably Conspicuous Notice

The court says the conspicuousness of the notice is a “close question.” Here’s why the court concludes that the notice was reasonably conspicuous:

the proposal on the fourth page followed a “simple design” that did not contain much clutter (other than a logo for Quicken Loans as the “Featured Provider”). Selden, 4 F.4th at 156. [Reminder: Selden is a DC Circuit opinion that predates Chabolla/Godun] In this respect, then, this page resembles the simple sign-up pages for Uber or Airbnb. And it differs from Fluent’s webpages in Berman, which contained other eye-catching images and information. Admittedly, the fifth page had far more terms than the fourth page. It also identified Dahdah’s consent to the specific “Terms of Use” in the second of four paragraphs of details. But we view this page as serving a belt-and-suspenders role for the fourth page’s proposal. And we resolve this case based on the notice that consumers would have received across the pages in combination….

LowerMyBills placed the proposal “directly” “below the action button” on each of the pages. And it used a “dynamic scrolling function” in which these pages automatically scrolled down as users inputted information in the boxes. So users would always see the offer on the same screen as the action buttons.

The plaintiff pointed out that the 5-screen formation process was confusing because the prior screens had a similar “calculate” button without terms. The court says that multi-screen processes are OK, noting that Uber’s process had two screens. But I also note (which the court didn’t) that Chabolla said: “three faulty notices do not equal a proper one.” I think the court would say that the fourth and fifth screens are each independently sufficient, but I wanted to see more thoughtful discussion about how the multiple screens reinforce or conflict with each other.

The court notes that LowerMyBills used a “very small font,” which calls it “a legitimate concern.” As I teach my students, the offer language should never be in the smallest font on the page. In Chabolla, a TOS formation failed in part because the offer language’s font was “notably timid in both size and color” (a critique that could apply here). In response, the court cherrypicks the precedent and says that the font size might be comparable to the font sizes used by Uber or LiveNation (both are pre-Chabolla cases, and Uber is a 2nd Circuit case). Also, the hyperlink was in “bright blue” on a white background, so “LowerMyBills did not hide the critical hyperlink using the same font color as the other text.” (The Ninth Circuit would treat a different font color for the links as mandatory, not a plus factor).

The court also struggles with whether the interactions with LowerMyBills was a one-off or ongoing relationship given that they were largely acting as a referral service (the court says this is also a close call). The court makes this empirical claim without a scintilla of empirical support: “reasonable users also would expect that the free referral service comes with some contractual strings attached….given that the site matches users with potential lenders, we cannot say the objective user would fail to anticipate some sort of continuing relationship.” [Insert goose meme: relationship with WHO?]

The court says that it’s OK the offer language was below the action button rather than above because “Other courts have enforced these offers when placed below rather than above the button that signaled the user’s assent.”

Manifestation of Assent

The court says concluding “that Dahdah took actions showing his assent to LowerMyBills’ offer becomes “straightforward” once we conclude that the offer was reasonably conspicuous.” The plaintiff clicked on the green “calculate” and “calculate your free results” buttons.

The plaintiff weakly attacked the call-to-action language, which lets the court skirt any serious analysis. But look back at the text: it says “by clicking the button above,” which we could assume refers to the green button right above that text. But there are surely other “buttons” on the screen above the text (remember, the court clipped the screenshot, improperly IMO), which would make the cross-reference ambiguous. If there are more “buttons” “above,” what should have happened?

Also, the Chabolla opinion rejected a TOS formation when the offer language said “by signing up” and the action button said “continue.” Would it matter to Chabolla that the offer language didn’t precisely describe the action button?

Arbitration Terms

The court acknowledges that LowerMyBills’ TOS was silent on many key provisions about the arbitration, such as selecting an arbitration service. However, the provision says that the Federal Arbitration Act applies, and the court says that’s good enough to gap-fill all missing arbitration terms.

Implications

Would this case have turned out differently if it had actually been in a California court? I believe Chabolla and Godun changed a lot about TOS formation, and this court mostly disregarded those cases to rely on pre-Chabolla cases, some of them from courts outside California. So, I believe this ruling is not consistent with California courts. But really, who knows? TOS formation remains another Calvinball area of Internet law.

To be fair, LowerMyBills’ TOS formation process might not be condemnable despite their sloppiness. Obviously it could be easily improved (2 clicks, please), but it’s pretty consistent with the old standards for TOS formation. However, I think it’s disingenuous to treat this opinion as consistent with California law without wrestling more thoughtfully with the effects of Chabolla and Godun.

Case Citation: Dahdah v. Rocket Mortgage, LLC, 2026 WL 194455 (6th Cir. Jan. 26, 2026)

The post The Sixth Circuit Wades Into Online TOS Formation (and Leaves Me More Confused Than Ever)–Dahdah v. LowerMyBills appeared first on Technology & Marketing Law Blog.

A series of prominent web-scraping lawsuits are revisiting the fundamentals of public data access. And in so doing, with a slight reframing of a relatively settled legal issue, major platforms are challenging the presumption that collecting and using public data at scale is legal.

In September 2019, the Ninth Circuit in hiQ v. LinkedIn wrote:

Although there are significant public interests on both sides, the district court properly determined that, on balance, the public interest favors hiQ’s position. We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.

hiQ Labs, Inc. v. LinkedIn Corporation, 938 F.3d 985, 1004 (9th Cir. 2019) (vacated by SCOTUS, but this language was later re-affirmed verbatim by the Ninth Circuit in 2022).

It’s hard to overstate the importance of this language for the web-scraping industry. For the first time, there was a court taking a public-policy stand in favor of web scraping. This was not just an instance where a court said that scraping did not constitute a crime. This was a circuit court taking a stand on policy grounds that it was in the public interest for public data on private fora to remain publicly available for public consumption. The Ninth Circuit seemed to fully embrace the idea that allowing public use of public data was vital for a functioning digital information ecosystem.

For those that operate in data access, broadly defined, hiQ v. LinkedIn became shorthand for a simple proposition: Scraping publicly accessible web pages was legal. And while the truth was always a bit more nuanced, and hiQ ultimately capitulated in the case and went under, the legality of public data access was never questioned by industry insiders after the decision.

The last six years have been an absolute boon for the web-scraping industry. And it is not hyperbole to say that the AI revolution might not have come, or at least not have come as fast, had it not been for strong policy presumption in favor of legal data access to public content after hiQ Labs.

Fast-forward six years, and data-access questions are more critical than ever. All the world’s information is there for the taking and there is no shortage of people and companies doing the taking.

In just a few years, AI has become an integral component of almost all knowledge work. And it is arguably the single biggest engine driving economic growth right now.

And the fuel that powers that engine is data—usually public data collected at scale. And with that, there are dozens of lawsuits percolating over the legalities of when it is and is not permissible to copy and reuse public data.

But with CFAA questions about publicly available data now largely resolved (except at the margins), and with terms of use often preempted by copyright, those looking to build walled gardens have been angling for new arguments to restrict access to public data.

In a recent wave of disputes over AI and “public data,” a new pattern has emerged. Plaintiffs are trying to rerun the hiQ fact pattern under a different federal statute.

That statute is the Digital Millennium Copyright Act (DMCA), specifically Section 1201.

While hiQ mostly resolved the CFAA-era battle over whether “public” means “authorized,” Section 1201 is the new battlefield over whether antibot tech is a technological measure that “effectively controls access” to a copyrighted work.

Created by ChatGPT Dec. 2025

But make no mistake, from the data monopolist’s perspective (or oligopolist, if we’re being more precise here), the goal is the exact same as it was in 2019, to restrict data collectors’ access to public data. The largest incumbent platforms such as Google want “free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use.” Companies like Google want to control the data. Many companies (like Reddit, Yahoo, X, and others) want to license the data (even to the extent that the data is generated by their users). But almost all the major platforms are making renewed legal pushes to keep startups off their digital lawns (while at the exact same time gobbling up the same type of content from others).

Section 1201 as an alternative to copyright, the CFAA, and terms of use claims

There are a few different reasons why 1201 is attractive to plaintiffs in scraping and AI-data cases.

First, in some circuits, plaintiffs are trying to use 1201 to avoid (dare I say, circumvent?) the copyright fair use fight. There is a circuit split on the issue, but in the major circuits where this gets litigated (notably, the Second and Ninth), plaintiffs often argue that fair use is no defense to a Section 1201 anti-circumvention claim. In some jurisdictions, defendants may not be able to rely on fair use as a categorical defense to a §1201 claim, because courts treat §1201 as analytically distinct from infringement. And there are many situations where that distinction might be dispositive. Well-designed AI systems that train on large datasets are often going to be deemed fair use because they are highly transformative. Under the DMCA, though, that might not matter.

Second, plaintiffs may be able to avoid the copyright registration prerequisite that constrains many copyright claims. At least as alleged in the recent YouTube-scraping cases, plaintiffs emphasize that DMCA anti-circumvention claims do not depend on copyright registration in the same way copyright infringement claims do.

Third, the DMCA allows plaintiffs to allege that the tech itself is inherently unlawful. 1201(a)(2) lets plaintiffs target the tooling layer (Captcha solvers, challenge tools, proxy services, and other antibot solution tech) as “trafficking” in circumvention tech. Google’s new case leans heavily into that line of argumentation.

Courts have been wary of turning Section 1201 into a general-purpose “keep out” sign, as Eric recently noted in the Ziff-Davis case. But this new line of cases will test those limits once again. Older doctrine around “effective” technological measures and the relationship between circumvention and copyright protection shows up repeatedly in the case law discussions (think Lexmark and Chamberlain). But those were not Second or Ninth Circuit cases. And those cases were not resolved in the modern era of high-volume data access.

Google v. SerpApi and the SearchGuard blueprint (ND Cal, Dec. 2025)

Google’s recent lawsuit against SerpApi is the most on-the-nose “DMCA-first” pleading to date.

Google sued SerpApi in the Northern District of California, alleging SerpApi used massive volumes of fake search requests to bypass Google protections and resell content from search results. Google also publicly framed the suit as targeting “circumventing security measures protecting others’ copyrighted content that appears in Google search results.”

The complaint is explicit. It is a DMCA case from page one, asserting claims for circumvention (17 U.S.C. § 1201(a)(1)(A)) and trafficking in circumvention tech (17 U.S.C. § 1201(a)(2))

And it provides a detailed narrative about the technological measure itself. Google alleges it built SearchGuard, a system designed to block automated access without breaking normal user experience, including a JavaScript “challenge” that automated systems typically cannot solve at scale.

SerpApi’s public response is the classic hiQ-adjacent argument. We provide the same information any person can see in a browser without signing in.

Google’s complaint tries to make that defense irrelevant by focusing on: (1) the presence of licensed copyrighted material in SERPs, and (2) the alleged circumvention of SearchGuard to access it at scale.

That framing matters because it tries to make the “public vs. private” question less central. Instead, the center becomes: “was there an access-control measure, and did defendants circumvent it?”

I’ll give Google’s lawyers credit. They did a good sales job on this.

But don’t get it twisted: Google’s 1201(a) pitch that SearchGuard is a TPM stinks like two-month-old garbage in the Texas summer heat. A TPM, as Congress imagined it, is a lock on access to a copyrighted work, a measure that actually gates entry to protected expression. SearchGuard, by Google’s own framing, is a traffic-cop. It’s a system for managing how you reach pages, at what rate, with which client, under which terms. That’s not controlling access in any meaningful copyright sense; it’s controlling conduct. Conflating those two isn’t a clever reading. It’s a category error dressed up as inevitability. If SearchGuard is a TPM, then literally every site that throws up a speed bump can build an impenetrable copyright perimeter around almost any content whatsoever, and the statute becomes a magic spell. Add friction, say TPM, and now you can replace copyright law with your own proprietary preferences and they become federally enforceable.

That’s the crazy part. Google’s argument doesn’t just misread 1201(a). It turns the anti-circumvention statute into an anti-competition superweapon that will destroy existing copyright protections.

If Google pulls this off, they will have reshaped copyright law as a form of property rights in interfaces, where circumventing a company’s desire is treated like circumventing encryption. That doesn’t protect creators. It protects incumbents. It chills security research, accessibility work, archiving, interoperability, independent auditing, and every weird-but-legitimate tool that makes the internet function like it should rather than merely consumable on platform-approved terms.

Let’s be honest: This isn’t Google vs. circumvention, so much as Google wanting to build a DMCA moat around its own monopoly in search. And if successful, it will provide a handy playbook for any other platform looking to build or defend any online monopoly in any other vertical.

Tech writer Mike Masnick explains the potential consequences:

Google’s argument, if accepted, provides a roadmap for any website operator who wants to lock down their content: slap on a trivial TPM—a CAPTCHA, an IP check, anything—and suddenly you can invoke federal law against anyone who figures out how to get around it, even if their purpose has nothing to do with copyright infringement.

The implications spiral outward quickly. If Google succeeds here, what stops every major website from deciding they want licensing revenue from the largest scrapers? Cloudflare could put bot detection on the huge swath of the internet it serves and demand Google pay up. WordPress could do the same across its massive network. The open web—built on the assumption that published content is publicly accessible for indexing and analysis—becomes a patchwork of licensing requirements, each enforced through 1201 threats.

That doesn’t seem good for the prospects of a continued open web.

This is the “relitigating hiQ” move. If accessing a public page is a CFAA non-starter, then plaintiffs try to win by arguing the defendant defeated a technological control to access the same public page, even if the end use is not infringing.

Nvidia, Ziff-Davis, Reddit, and a host of class-action cases are pursuing similar claims along similar themes.

DMCA 1201 as the new anti-scraping front

If you zoom out, these new complaints share a single strategic philosophical theme.

Plaintiffs allege that it does not matter whether content is public and available to anyone with a web-browser. If antibot tech is designed to make certain content inaccessible at scale to automation, anyone who accesses it at scale through is violating the DMCA.

hiQ mostly put an end to hyper-aggressive CFAA allegations for public web access. But the current litigation wave shows a sophisticated and equally aggressive platform response. Swap the CFAA question (“authorized?”) for the DMCA question (“circumvented?”). That is the simple reframing at the center of the most important fights over public data.

Does this change the underlying public policy concerns described in hiQ Labs? And will those concerns highlighted in hiQ Labs inform the interpretation of the DMCA in this context? Only time will tell.

The post Relitigating hiQ Labs and Scraping Through the Lens of DMCA 1201 Anti-Circumvention (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

Created by ChatGPT Dec. 2025

By guest blogger Kieran McCarthy

If you have ever wondered why big incumbents keep running to the Northern District of Texas the moment someone builds a tool that makes switching easier, comparing prices easier, or generally makes the internet work like the internet, AT&T Services, Inc. v. T-Mobile US Inc. should help you understand why.

On December 18, 2025, Judge Karen Gren Scholer entered a temporary restraining order blocking T-Mobile from implementing the original “Easy Switch” feature in its T-Life app, and blocking “any substantially similar version” that “accesses or obtains” information from AT&T’s “protected computer systems,” unless T-Mobile gets permission of the Court.

This opinion builds on the case law the N.D. Tex has been generating for years in the Southwest Airlines “don’t you dare build a useful layer on top of our website” cases.

The facts of the case are pretty simple. T-Mobile marketed a feature that let customers log into their current carrier account (AT&T or Verizon) and pull information to help them compare plans and switch. Customers made the decision to switch, and T-Mobile, for obvious reasons, automated the process. The horror!

AT&T sued, saying this was not “customer convenience.” It was unauthorized automated access and scraping of data from password-protected AT&T pages, with allegations of repeated bypassing of AT&T’s blocks, and “over 100” fields of customer data per user.

Over 100 fields? Dang! That’s, like, so many fields! And I suppose there are a few different lenses through which one could analyze that fact. One approach might be to say that automating a process with over 100 fields might be precisely the kind of thing that makes the internet useful, and that saves everyone time, money, and mental headaches.

Another way to view this fact is as evidence of “soooooo much computer fraud” even when T-Mobile is simply automating a process that consumers are choosing to automate. But that is how things work in the Northern District of Texas.

By the time the TRO issued, T-Mobile had already changed the tool so AT&T and Verizon customers could upload a bill PDF or manually enter information.

The court found AT&T likely to succeed because the Easy Switch tool, and its iterations before the November 26 change to PDF upload, accessed AT&T’s systems without authorization, pulled “over 100 fields” of customer data, and transmitted the data back to T-Mobile. It also found irreparable harm to AT&T’s control over its systems and data, plus reputation, goodwill and ‘customer privacy,’ without any inclination to grapple with the awkward fact that the customers were the ones asking to move their own information around. How the court concluded that customer privacy was at issue when the customers themselves initiated the switch .

Even though T-Mobile deactivated the challenged version, the court found the threat remained because T-Mobile wanted to retain the ability to use something “very similar” later.

T-Mobile is enjoined from implementing the original version or any “substantially similar” version, and “substantially similar” is defined basically as anything that accesses or obtains information from AT&T’s protected systems.

Perhaps, learned reader, you might be wondering if there was any discussion of user empowerment, lower lock-in costs, increased innovation and competition, added product development, interoperability, improved price discovery, or any other known policy benefits associated with data portability in the policy section of the TRO?

No. There was not. This is the entire policy discussion of the opinion: “This temporary restraining order will serve the public interest. The enforcement of state and federal laws serves the public interest.”

See how easy this judging stuff is?

To be clear, this is not a case where you would expect someone like T-Mobile to prevail in Texas. But the lack of analysis or consideration for the broader issues at stake is always a bit startling. A big incumbent takes a dispute that is at least partly about competition and consumer switching, recasts it as “computer trespass,” and asks a court to shut the product down quickly. And the N.D. Texas always obliges, especially when the plaintiff is a household-name company with a website and Terms of Use, and the defendant is building a tool that rides on top of it.

That posture matters historically because it reflects an early willingness to treat “automation + Terms + notice” as a path into computer-access liability, even when what is being accessed is, functionally, consumer-facing information.

AT&T’s complaint is explicit that this case is “not about competition for customers,” but about “unauthorized” intrusion into its systems, using automated bots “disguised as an AT&T customer,” scraping “over 100 categories” of data, and bypassing AT&T’s security measures. And that is what is what I like to call “bullshit.”

Either way, the N.D. Texas proves once again why it is the preferred venue and forum for those looking to build walled gardens.

* * *

Interestingly, Texas does have a mandatory data portability law, the TDPSA, or the Texas Data Privacy and Security Act. But the reality is that these laws have very little utility for consumers.

A portability right on paper like the TDPSA is little more than a slow and functionally useless export option. The reality is that laws like this don’t help consumers move with their data.

For one, TDPSA only mandates that companies return the “data you provided,” not the data you actually need to switch. Second, the time, frequency, and authentication friction make it useless for “I want to switch today.” Under TDPSA, controllers generally have up to 45 days (plus a possible 45-day extension) to respond. Waiting 45-90 days for data is so unhelpful that most consumers don’t see any value in requesting it. Next, a .pdf copy of data does not equal “interoperable.” Without shared schemas, APIs, and validation rules, the receiving service cannot reliably ingest the data—and certainly not at scale.

In a case like this one, the consumer-facing promise is “we’ll read your bill and account and recommend the right plan fast.” A statutory portability right typically gives you a dataset, not the transformation, normalization, and comparison workflow that makes switching easy. And when a competitor tries to fill that gap by automating access into the incumbent’s systems, you collide with the CFAA, terms of service, and state computer access statutes (exactly what the TRO discusses). Which is why, without meaningful analysis of the real value of automation for consumers in cases like this one, mandatory portability statutes are functionally useless for consumers.

[Eric’s comment: data portability mandates are generally quite popular, at least in academic circles. But I haven’t seen any evidence indicating that the mandates actually improve anything for anyone. I welcome pointers to academic studies on this topic.]

The post AT&T Blocks T-Mobile’s Data Portability Efforts (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

10. Are Websites Legally Equivalent to Exploding Coke Bottles?

Traditionally, tort law distinguishes between tangible items (chattels) and intangible services. Several doctrines impose additional liability for chattels, such as strict products liability and specialized forms of negligence.

Plaintiffs are trying to extend these chattel-based tort doctrines to intangible activities like publishing content. This raises the venerable Internet Law exceptionalism question: when should physical-space laws extend to online activity? In other words, is a user-generated content website the legal equivalent of an exploding Coke bottle?

In 2025, more lower-court judges applied strict liability and negligence doctrines to social media. It remains to be seen if these opinions will be upheld on appeal. Meanwhile, emboldened plaintiffs are now proliferating chattel-based theories against other online content publishers, including Generative AI model-makers and videogames.

9. A Swiss-Cheesed Section 230 Survived 2025

Section 230 survived 2025, and it will likely reach its 30th birthday. But will it survive beyond that? Section 230 looks more like Logan’s Run than Yoda.

Several Section 230 repeal bills are pending. Why tho? Section 230 is already shrinking and being swiss-cheesed even if Congress does nothing.

In particular, Section 230 took major hits last year in the Calise and YOLO opinions, which encouraged courts to create a virtually infinite number of common law exceptions to Section 230. This year, Doe v. Twitter added two new 230 exceptions for alleged breaches of a “reporting mechanism architecture” duty and NCMEC reporting.

8. TOS Formation Is More Difficult in the Ninth Circuit

The Ninth Circuit dramatically raised the bar on online TOS formation law in Chabolla and Godun. Together, these rulings provide several more reasons for courts to reject TOS formation. View all pre-Chabolla rulings upholding TOS formation with suspicion. And if you haven’t reassessed your TOS formation process after Chabolla and Godun, why not?

7. The SAD Scheme Takes Some Huge Hits

Prof. Fackrell posted a 2025 SAD Scheme year-in-review. Two standouts:

• Judge Kness said the SAD Scheme “should no longer be perpetuated in its present form.”
• Judge Ranjan (WDPa) and the District of New Jersey functionally banned the SAD Scheme in their courts.

6. Silicon Valley Execs Embrace Trump

Traditionally, Silicon Valley entrepreneurs have viewed regulators with suspicion and preferred technology solutions over legal ones. That stereotype is partially outdated. Many Silicon Valley leaders–such as Musk, Zuckerberg, Ellison, Benioff, and toss in Bezos for good measure–have enthusiastically embraced crony capitalism and anticipatory compliance with MAGA expectations (when it personally benefits them). [See also “How the Bay Area’s tech billionaires behaved in 2025.”] The oligarchs’ subservience to Trump diverges from mainstream Silicon Valley views, but those with the gold make the rules.

5. Internet Censorship Rolls Out Globally 

2025 global censorship lowlights include the UK Online Safety Act and Australia’s ban of under-16s from social media. We are well-past the high water mark of online free speech globally.

4. New Notice-and-Takedown Scheme for “Visual Intimate Depictions”

The Take It Down Act combines CSAM, non-synthetic non-consensual pornography, synthetic AI-generated pornography, and other “visual intimate depictions” into a single regulated content category. This lazy drafting ensures that the law confusingly overlaps and supplements existing law–and regulates constitutionally protected content.

The law creates a new notice-and-takedown scheme for intimate visual images (this mechanism goes into effect this summer). Services must resolve all of the following issues within 48 hours of receiving each takedown notice about intimate visual depictions:

• Can the service find the targeted item?
• Is anyone identifiable in the targeted item?
• Is the person submitting the takedown notice identifiable in the targeted item?
• Does the targeted item contain an intimate visual depiction of the submitter?
• Did the submitting person consent to the depiction?
• Is the depiction otherwise subject to some privilege? (For example, the First Amendment)
• Can the service find other copies of the targeted item?
• [repeat each step for each duplicate. Note the copies may be subject to a different conclusion; for example, a copy may be in a different context, like embedded in a larger item of content (e.g., a still image in a documentary) where the analysis might be different]

As you can imagine, this process will lead to many unwarranted removals, especially after vigilantes and trolls start weaponizing the process.

3. Can Anything Stop the Tidal Wave of AI Regulations?

State legislatures are in a regulatory frenzy over Generative AI. In response, Congressional Republicans unsuccessfully proposed a moratorium on state AI laws. When that failed, Trump issued a performative executive order discouraging some state AI laws.

Eventually, the Supreme Court will decide if Generative AI outputs qualify for First Amendment protection. If so, many of the state AI regulations are unconstitutional. If not, Generative AI is doomed.

2. The TikTok Divest-or-Ban Calvinball

In January, the Supreme Court upheld Congress’ TikTok divest-or-ban law. Shortly thereafter, the TikTok divest-or-ban deadline arrived on Biden’s last day in office. He took no action. President Trump then unilaterally extended the deadline without satisfying the statutory preconditions for an extension. Trump has since purportedly issued several more extensions without any statutory authority to do so. Trump also (without any authority to do so) had the DOJ tell app stores to keep TikTok available despite the law.

As a result, an undivested TikTok has remained publicly available throughout 2025 despite Congress’ ban. This outcome mocked the Supreme Court and Congress:

• The Supreme Court accepted Congress’ pretextual claims that TikTok threatened national security and consumer privacy. Trump’s defiance exposed that no one, including Congress, actually cared about these purported harms.
• Congress passively watched Trump disregard a valid enacted and alleged constitutional law.

Also, Congress intended the divest/ban to combat Chinese authoritarianism, but it actually facilitated Trump’s domestic authoritarianism. Trump used the law to broker a kleptocratic divestment to his buddies who will keep TikTok’s algorithm friendly to Trump.

I teach the TikTok ban in week 1 of my Internet Law course as Exhibit A of how Internet Law is Calvinball.

1. Supreme Court Upholds Mandatory Online Age Authentication (FSC v. Paxton)

I was wrapping up a 2-week China trip when the Supreme Court issued its opinion in Free Speech Coalition v. Paxton. I was eager to return to a country that has a First Amendment–so I could access most websites without a VPN; I wouldn’t have to show my passport to enter every museum; and I could freely criticize the government without fearing for my liberty. And then the Supreme Court’s FSC v. Paxton opinion made me question everything.

As just one example of the court’s wrecking ball to American principles: the majority adopted intermediate scrutiny to evaluate the law, even though neither party argued for that standard, and then the court analyzed intermediate scrutiny without giving either side the chance to argue the standard. Pure Calvinball.

By overturning 30-year-old precedent, the opinion newly opened the floodgates on mandatory online age authentication. The majority opinion claimed it was limited to children’s access to online pornography, but the opinion repeatedly and gratuitously went much further. Emboldened regulators around the country are proliferating age authentication mandates on a diverse range of topics. The constitutional battles over those laws will rage for years. Here’s a roundup of NetChoice’s 2025 efforts.

Regardless of how the legal battles turn out, Internet publishers are already deploying age authentication solutions to manage their legal risks, and they won’t be quick to rip out these implementations. Thus, the FSC opinion let the age authentication genie out of the bottle, and it will never go back in–regardless of what the courts or the Constitution say in the future.

FSC v. Paxton has locked us into an age-authenticated Internet, very different from the one we have today, with less privacy and security, less free speech, less content, and less resiliency. Everyone will be poorer for it.

Well, almost everyone. The censors are giddy–as are the age authentication vendors, who celebrating their good fortune with a black tie industry awards gala. See you there.

__

(Dis)Honorable Mentions

Other 2025 items of note:

• The first batch of district court rulings regarding copyright and Generative AI have been a mixed bag. A few courts have rejected copyright claims over training data, except when the source files were obtained via file sharing. We’ll see how these opinions fare on appeal. Amidst this uncertainty, Anthropic agreed to a massive $1.5B settlement.
• The Meta Pixels cases keep chugging along. There are now hundreds of rulings in Westlaw, and the plaintiffs are doubling-down against other unique identifiers. However, the pixel cases aren’t always doing well on appeal. Could the Meta Pixel litigation frenzy flame out when the appellate court speak up?
• The US State Department has threatened to ban content moderators and actually banned five Europeans associated with the DSA. US government censorship will continue until free speech improves.
• Many people have celebrated the GDPR as the gold standard of global privacy laws. But…it’s also stifling the EU and needs reworking (e.g., 1, 2).
• It’s the 5 year anniversary of Meta’s Oversight Board. How’s that been working out?
• It’s also the 5 year anniversary of the Copyright Claims Board. How’s that been working out? Reminder: Congress created the Copyright Claims Board in December 2020, when perhaps it should have had other priorities.

* * *

Previous year-in-review lists from 2024, 2023, 2022, 2021, 2020, 2019, 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, and 2006. John Ottaviani and I previously listed the top Internet IP cases for 2005, 2004 and 2003.

* * *

Generated by ChatGPT Oct. 2025

My publications in 2025:

• The “Segregate-and-Suppress” Approach to Regulating Child Safety Online
• Thirteen Objections to Mandatory Online Age Authentication
• Generative AI is Doomed
• The United States’ Approach to ‘Platform’ Regulation
• Internet Law casebook

The post 2025 Internet Law Year-in-Review appeared first on Technology & Marketing Law Blog.