In a split opinion, a majority says this TOS formation failed:

Zeus chose to bury the page containing that agreement behind a hyperlink that itself was written in small, gray text that Tejon did not have to click. This text was located beneath large, red action buttons that Tejon did have to click. Was the hyperlink text enough to put Tejon on notice that clicking on the large, red buttons would subject him to binding arbitration? We find that it was not.

* * *

As usual, the majority starts with the wrap taxonomy. The majority says that there are only two wrap options: clickwrap or browsewrap. I wish there were zero nodes on the wrap taxonomy, but if we’re going to have a taxonomy, two nodes is too few to capture the diversity of TOS formation practices. Importantly, the majority doesn’t leave room to categorize the screen as a “sign-in-wrap,” which is how I think it would be how other circuits characterize it.

With only two choices, the majority says this TOS formation process is a “browsewrap.” (The dissent says the “parties agree that Zeus’s subscription page is a browsewrap agreement,” so the problem may lie in Florida/11th Circuit law forcing the binary choice). Once that wrap characterization is made, it’s pretty well accepted that browsewraps aren’t enforceable. In practice, the majority closely followed the Berman opinion from California, which was a sign-in-wrap opinion, and the majority had many other sign-in-wrap precedents to consider if it went looking. #EndTheWrapTaxonomy.

Despite the wrap tangent, the majority proceeds with the standard approach of reviewing whether the TOS disclosure was sufficiently conspicuous. The majority says no.

• “Zeus placed [the hyperlink] beneath two large, red action buttons that were prominently featured at the center of the page.”
• “Zeus’s terms of service hyperlink is printed in a small font on the bottom half of the page. It is easy to overlook given the larger font sizes and bolder colors of other elements on the page.”
• “all the text below the red action buttons, including the hyperlinked terms, appears in a dim, gray color.” The “dim” color phrase reminds me of the Chabolla reference to “timid” fonts.
• The underlined text was indistinguishable from the other text, and “Zeus’s hyperlink is not highlighted in a different color and is not in all capital letters.” CAPITAL LETTERS…SERIOUSLY?
• “Zeus’s terms of service notice simply does not say anything about arbitration. It would have been simple enough for Zeus to state plainly that clicking on one of the red buttons would subject any dispute between the user and Zeus to binding arbitration….Zeus chose instead to place the provision on a separate terms of service page. Having made that choice, it was required to design its website to ensure that a reasonable user would know to click to view the terms of service page, and it failed to do so.” Ugh, I’ve complained many times about this problem with layered notice. A court can always second-guess that the layered notice should have included the thing that is being contested by the plaintiff. This makes layered notices impossible because the top layer has to reference every possibly challengable term, which is all of them.

Notice that the majority doesn’t engage with the transaction context, another key part of the Ninth Circuit Chabolla/Godun tests. In general, the Ninth Circuit presumes that consumers signing up for a subscription will expect terms to govern their ongoing relationship. The majority doesn’t consider that possibility.

The majority summarizes:

None of the things that we have discussed—location on the page, font size, contrasting color, capital letters, underlining, informational content, and so forth—is individually required to pass a conspicuousness assessment. The point of these design elements is to place a reasonably prudent internet user on notice of the agreement at issue. The internet site owner may utilize some combination of these elements, or perhaps something else entirely, to bring attention to the agreement. Even better, the owner could use a clickwrap agreement. But Zeus chose to do none of this.

Judge Branch, a TAFS judge, dissented. She says the “hyperlink was centrally positioned directly beneath the action buttons, where the user’s attention is easily drawn; colored in light gray to contrast with the black background; underlined; appeared the same size as most of the text on the page; and set apart from a block of text below. A reasonably prudent person would not have missed it.”

(As usual, there was zero empirical support from either the majority or dissent for any assessment of what a reasonable consumer would think).

* * *

This ruling brings to mind the lament of Judge Bybee in the Chabolla decision: “Our decision today will drive websites to the only safe harbors available to them, the clickwrap or scrollwrap agreements.” You’ve been warned (repeatedly).

Case Citation: Tejon v. Zeus Networks, LLC, Case No. 24-11114 (11th Cir. May 1, 2026)

BONUS: U.S. v. Blocker, No. 25-1536 (7th Cir. May 5, 2026)

the fact that a contract is lengthy and poorly understood does not justify reading it with a thumb on the scale. The language of this contract unambiguously permits Dropbox to scan all files at its option and reveal the contents for five specified purposes—and Blocker does not deny that, having discovered child porn, one or more of these purposes applies.

The post 11th Circuit Rejects TOS Formation–Tejon v. Zeus appeared first on Technology & Marketing Law Blog.

Embed/in bed

The central question in the case is whether embedding is infringing. We don’t get an answer to that question. XXL chose to defend the case on other grounds at the district court, so it’s not at issue in the appeal. As a result, the panel assumes “for the purposes of this appeal, that embedding constitutes actionable use.”

[Note: normally my blog coverage would include a screengrab of one of the videos in question so you could see the content at issue in this dispute. Given this ruling, I worry I’ll join the defendant list if I do so. More chilling effects from legal uncertainty.]

Fair Use of Jordan Video

Nature of Use–Transformativeness

The court questions the transformativeness of XXL’s embedding:

Townsquare republished the Jordan Video in a news article describing a controversy surrounding the video, Townsquare’s reporting at times appears more focused on the mere existence and presentation of the video itself. No place is that more evident than in the article’s headline. Instead of referring to any of the article’s commentary, the headline presents the video as the article’s primary draw: “Michael Jordan Intervenes in Heated Confrontation Involving Wack 100 in Viral Video from 2015 —Watch.” The article then opens by explaining that the DailyLoud had posted the video on X just one day prior. That is the extent of the article’s discussion of the video’s online circulation. It moves on to describe the incident depicted in the video, but that portion of the article simply describes what viewers of the video can see for themselves….

there is a difference between gesturing towards a transformative message and actually communicating that message. Here, Townsquare’s commentary was limited to a few sentences explaining that a third party had republished the video and opined that an individual who does not appear in it was Charleston White. Notably, the article does not identify anything in the video that would corroborate that speculation for the viewer; instead it relies on the unexplained say-so of the DailyLoud’s post. It is therefore debatable whether the article meaningfully communicated any new commentary about the video (which could justify its copying) or instead merely summarized commentary about the fight depicted and relied on the video solely as an illustrative aid (in which case the copying served little transformative function)

Despite these musings, the court doesn’t definitively resolve the transformativeness question, saying the other factors negate fair use.

Nature of Use–Commerciality

“Townsquare is a for-profit entity, a fact that weighs against fair use….Townsquare ran advertising alongside its embedded depiction of the Jordan Video, but classic legacy news media such as newspapers, news magazines, and commercial television stations did, and do, the same.”

The court decides the nature of use factor is at best neutral.

Nature of Work

“The Jordan Video was largely factual, and, as Richardson concedes, did not involve meaningful creative choices. That Richardson was fortunate to be in the right place at the right time to record Jordan’s unexpected intervention does not make the work creative.” The court says this factor weighs in favor of fair use but “plays a minimal role in the fair-use assessment.”

Amount Taken

XXL republished the entire video, which it said was required by the embedding. The panel questions the necessity:

Townsquare could have, for example, republished the text of the post along with a portion of the video. Or it could have taken a screenshot of the post with a still of the video (as Townsquare did for the article’s headline). Or it could have simply reported on the controversy and included a hyperlink to the post, forgoing any reproduction of the video. While embedding the post may have been more expedient for Townsquare, nothing compels a conclusion (and certainly not at this stage) that embedding the post and, with it, the entire video was reasonable in relation to Townsquare’s limited news reporting.

I guess the panel is really that willing to second-guess XXL’s editorial processes? And the court says XXL could have taken a video screengrab instead of embedding the whole video, but later in the opinion it doesn’t resolve whether that screengrab would itself be infringing, so…is that a non-infringing option or not?

XXL also argued that viewers needed to see the entire video to evaluate its hypothesis about who’s in the video. The court responds that the person at issue never appears in the video (only off-camera).

XXL also argued that embedding allowed its audience to see the original comments. The court responds that XXL could have just done summary reporting of that information.

Instead, the court says “Perhaps discovery may offer further editorial or technological justification for Townsquare’s decision to use the entirety of the video.” Sounds expensive.

Market Effect

The court says this is the “most important” fair use factor.

The court says Richardson’s complaint didn’t make clear what the market for the video is. The court rewards this pleading omission: “Townsquare cannot decisively demonstrate the absence of an effect of its use of the Jordan Video on the market for the original video based on the allegations in a complaint that say little or nothing about the nature of that market.” It’s true that the defense has the burden to establish fair use, but the panel also rewards plaintiff drafting gamesmanship.

Without any guidance from the complaint, the panel then veers into speculation-land:

It is entirely unclear that a viewer of Townsquare’s story would gain anything from watching a version of the Jordan Video unencumbered by Townsquare’s reporting, advertising, and the X post text and border. And if viewers are unlikely to gain anything, they would have little reason to seek out the Jordan Video from Richardson. And without viewers, Richardson would experience market harm either by lost advertising revenue (if, like Townsquare, he had published the video online) or lost rental or purchase revenue (if he provided the video directly to consumers).

I can’t tell if the initial X poster (DailyLoud) was authorized or not. If it was an authorized post to X, then odds are that the X posting wouldn’t generate any of these revenues, in which case the court’s discussion is both hypothetical and wrong.

The court summarizes its view on the market effect at early litigation stages: “because Townsquare has not shown that its use of the Jordan Video is not a market substitute for the Jordan Video itself, the fourth statutory factor weighs against fair use.”

Summary of Fair Use

To whatever extent Townsquare’s use of the Jordan Video is transformative (if at all), that fact is outweighed by Townsquare’s decision to republish the entire video. That choice rendered its use of the video a plausible market substitute for the video itself. Discovery may further explicate the relevant market factors, and thus demonstrate that Townsquare’s use of the full video was reasonably justified or that customers interested in watching the video would still seek out the original to avoid the article’s text and advertising

As this passage indicates, XXL could still win fair use–it will just take more time and money to find out. But notice how the court had to twist the factors to make them (other than the amount taken) actually weigh against fair use. Perhaps reflecting the pleading burdens, the court was extraordinarily charitable to the plaintiff–almost certainly more than the plaintiff deserved. This is how bad cases survive in court longer than they should.

Screenshots as Infringement

The lower court said the screengrabs were de minimis copying. The court says that doctrine doesn’t apply because “By taking screenshots, Townsquare made literal copies of video “frames” and incorporated those copies into its articles.” The court sees the de minimis exception quite narrowly: “we have typically found de minimis use where the defendant’s inclusion of the copyrighted work was incidental or unidentifiable in the secondary work.” In contrast, “Townsquare prominently displayed the screenshots, which are clearly recognizable as taken from the embedded videos (as Townsquare intended them to be), to communicate the subject matter of its articles.”

The court doesn’t address fair use for the screengrabs because the lower court didn’t rule on that topic. Nevertheless, the court cautions the lower court that “fair-use analysis is generally ill-suited to the pleading stage.”

It’s truly mind-blowing to believe that it could be infringing to display a screengrab from a video when discussing the video. I expect courts will bless the republication of screengrabs eventually, but not using the de minimis doctrine.

Permission to Embed the Melle Mel Video

Art of Dialogue uploaded the Melle Mel video to YouTube. YouTube’s upload TOS expressly authorizes third-party embedding, which seemingly extends permission to XXL. Richardson said the court couldn’t consider these facts, but the court responds that Richardson:

does not, for example, assert that the Melle Mel Video was uploaded onto YouTube without his consent or that the version of the Terms that Townsquare attached was in any way inaccurate. Had he done so, the resulting factual dispute would have rendered the Terms premature for consideration at the pleading stage. But his failure to do so confirms that he sought to rely on “clever drafting” to render his complaint “invulnerable to Rule 12[c].”

A reminder that the court just accepted similar “clever” drafting in the fair use considerations…so I guess pleading cleverness only works sometimes? Also, the court saying that all Richardson had to do was contest the initial upload authorization or the TOS terms (which they would only do in good faith per Rule 11–wink wink) and the court would survive the case to summary judgment provides plaintiffs with yet more leverage.

To the extent that XXL didn’t comply with any conditions from YouTube’s TOS embedding license, the court says that’s YouTube’s issue to enforce, not Richardson’s.

Implications

I could recapitulate this decision:

• The Second Circuit doesn’t like to decide fair use on motions to dismiss. (XXL requested judgment on the pleadings, but the court sidestepped the difference in stages by collapsing the two into a single “pleading stage”).
• The de minimis defense is a niche exception.
• Social media TOSes authorize third-party embedding. If the uploader had the permission to upload, then downstream embedders aren’t liable.

Stated this way, perhaps this opinion doesn’t look so bad.

However, the court’s reticence to resolve fair use early is problematic in light of Richard Liebowitz’s recent litigation rampage in Second Circuit-governed courts, where courts had to resolve fair use early to clear out his trash lawsuits. Rulings like this help copyright trolls and other copyright owners weaponize the litigation process and increase defense costs. Even if the lower court rules for Townsquare/XXL on remand, significant damage is done simply by letting unmeritorious cases get that far.

All of these litigation efforts could be avoided if the Second Circuit followed the Ninth Circuit’s approach to embedding, a question that wasn’t before this panel. In the 9th Circuit, embedding isn’t copyright infringement, so defendants don’t need to justify fair use or try to make the de minimis doctrine something more than it is. We’ve been waiting a long time for the Second Circuit to clarify its stance on embedding. Until then, we get rulings like this and expensive litigation cycles.

Similarly, we need stronger judicial pronouncements that screengrabs aren’t infringing. The entire meme and GIF ecosystem is riding on that issue.

Case Citation: Richardson v. Townsquare Media, Inc., 2026 WL 1097502 (2d Cir. April 23, 2026)

The post We Still Don’t Know the Second Circuit’s Position on Embedding and Copyright Infringement–Richardson v. Townsquare appeared first on Technology & Marketing Law Blog.

After the Supreme Court’s first and only CFAA decision in Van Buren v. US in 2021, I wrote that the Court “could have done 10% more work here and provided clarity on very key questions….[but SCOTUS] declined the opportunity to do so. In the end, there are remarkably few clear, declarative sentences in this opinion that provide guidance for future cases.”

The Court intentionally left open many key questions. And so it should come as no surprise that there has been an emerging doctrinal divergence related to key concepts with the CFAA. Perhaps most notably, Courts have been applying the concept of “technological harm” in the CFAA differently in different circuits.

In Van Buren, Justice Barrett wrote:

…§1030(a)(2) also gives rise to civil liability, §1030(g), with the statute defining ‘damage’ and ‘loss’ to specify what a plaintiff in a civil suit can recover. ‘[D]amage,’ the statute provides, means ‘any impairment to the integrity or availability of data, a program, a system, or information.’ §1030(e)(8). The term ‘loss’ likewise relates to costs caused by harm to computer data, programs, systems, or information services. §1030(e)(11). The statutory definitions of ‘damage’ and ‘loss’ thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data. Limiting ‘damage’ and ‘loss’ in this way makes sense in a scheme ‘aimed at preventing the typical consequences of hacking.’ Royal Truck, 974 F. 3d, at 760. The term’s definitions are ill fitted, however, to remediating ‘misuse’ of sensitive information that employees may permissibly access using their computers.

Van Buren v. United States, 141 S. Ct. 1648, 1659–60 (2021) (quoting 18 U.S.C. § 1030(e)(8), § 1030(e)(11)).

Multiple district courts, especially in SDNY and the Northern District of California, began to interpret Van Buren to demand that any CFAA “loss” be tethered to technological harm. Meanwhile, some other district courts read the statute to allow any claim to proceed that included an allegation that a plaintiff had investigated an offense and incurred $5,000 in so doing.

Where this comes up most consistently is in the context of an internal investigation related to alleged unauthorized access. Courts increasingly have disagreed about whether an internal investigation, untethered to “technological harm,” meets the standard for a qualifying loss under §1030(e)(11). While not quite rising to the level of a circuit split, lower courts in the 2d, 3d, and 9th Circuits have increasingly required specific pleading at the motion to dismiss stage to allege that the internal investigation posited as a “loss” was tethered to “harm to computer data, programs, systems, or information services.” In the 5th, 7th, and 11th circuits, courts were much less inclined to require that specific pleading.

—

On Jan. 21, 2026, the Tenth Circuit became the first circuit court to squarely reject the CFAA interpretation that investigations must be tethered to technological harm. It did so with Moxie Pest Control (Utah), LLC v. Nielsen, and it concluded that investigative costs qualify as a CFAA “loss” even when the plaintiff does not show or even allege “technological harm” like corrupted data or damage to systems.

According to the Tenth Circuit, under § 1030(e)(11)’s plain text, any reasonable cost of responding to an offense qualifies.

—

This was the general divide that had emerged around the country pre-Moxie.

The first camp suggests that costs must be tethered to clear evidence of technological harm to qualify as a loss.

The courts in this camp do not reject investigative costs as a category. But conclusory pleadings related to investigations in the absence of technological harm often get dismissed. These courts have demanded specifics about what was done, why the investigation was necessary, how it ties to the intrusion, and evidence that the “loss” was tethered to “harm to computer data, programs, systems, or information services.”

Many recent decisions have been pushing in that direction:

• CoStar Group, Inc. v. Leon Capital Group, LLC (D.D.C. 2022) dismissed where the claimed loss was time and money spent “identifying, investigating, and attempting to block and otherwise respond,” but the allegations did not adequately plead cognizable CFAA loss.
• The Phoenix Co., Inc. v. Castro-Badillo (D.P.R. Aug. 9, 2024) dismissed where the plaintiff relied on “investigation” but did not plead what investigative measures were taken and what damage, if any, was actually caused.
• Sylabs Inc. v. Rose (N.D. Cal. Sep. 26, 2024) dismissed where “loss” was pegged to forensic analysis but the allegations were essentially conclusory and failed Rule 12(b)(6) specificity expectations.
• William Gottlieb Mgmt. Co., LLC v. Carlin (S.D.N.Y. Mar. 26, 2024) dismissed where the “investigation” just confirmed what the plaintiff already knew and did not involve analyzing effects on computer systems.
• X Corp. v. Center for Countering Digital Hate (N.D. Cal. 2024) dismissed X Corp.’s CFAA claim at the motion-to-dismiss stage because the court found that X failed to allege technological harm necessary under § 1030’s loss definition, and that internal costs and reputational advertising revenue losses tied to CCDH’s reports and investigations did not allege harm to computer data, systems, or programs as contemplated by the statute. Also, the broader complaint was treated as a SLAPP aimed at punishing criticism rather than bona fide CFAA conduct.

If you read those cases as a group, you find situations where courts are skeptical of internal investigations because they seem pretextual. According to these cases, an alleged investigation is not a blank check to proceed with a CFAA claim. Courts want to see that the investigation was a response to an access violation causing technological harm and not just a litigation prep exercise.

The second camp is more of a magic words approach. If there’s alleged unauthorized access, and you say there was an investigation that cost $5k, the case moves to discovery.

This was pretty much the consensus around the country pre-Van Buren. But lower courts were fairly evenly divided about that concept of loss post-Van Buren.

The Tenth Circuit in Moxie is now a clean appellate-level entry for this camp.

According to Moxie, the CFAA’s definition of “loss” explicitly includes response and damage-assessment costs. So district courts should not treat Van Buren as silently rewriting the civil-remedies threshold into limiting investigations to those tethered to technological harm.

Moxie is now the most prominent post-Van Buren statement on this question, and because it is a circuit court opinion, and not a one-off district court order, it will carry significant weight, and may permanently tip the scales in favor of this camp.

—

The facts of Moxie are as follows:

The plaintiffs were a group of affiliated pest-control companies that alleged employees of their competitor, Aptive Environmental, bribed current and former Moxie representatives to turn over confidential, password-protected sales data (including leaderboards) stored in Moxie’s system, which Aptive then allegedly used to recruit door-to-door sales representatives. Moxie sued Aptive and several individuals under the Computer Fraud and Abuse Act (CFAA), RICO, the Defend Trade Secrets Act (DTSA), and Utah’s Uniform Trade Secrets Act (UTSA).

The district court dismissed Moxie’s CFAA claim for failure to plead a qualifying “loss” post-Van Buren, denied motions to compel broad damages discovery, and granted summary judgment on the other claims for lack of causation. On appeal, the Tenth Circuit reversed the dismissal of the CFAA claim, holding that Moxie’s allegations of over $5,000 in investigative costs incurred in response to unauthorized access plausibly satisfied the CFAA’s “loss” definition even absent technological harm, affirmed the discovery ruling, affirmed summary judgment on RICO, and reversed in part the DTSA/UTSA rulings on remedies and remanded for further proceedings.

—

For practitioners in this space, it isn’t hard to see how Moxie could be problematic.

There is a chicken-or-the-egg conundrum with the statutory language cited by the Tenth Circuit. While § 1030(e)(11)’s definition of loss includes any reasonable cost of responding to an offense, the statute itself does not offer any guidance on what the *offense* must be that provokes the investigation. By the Tenth Circuit’s definition, it doesn’t matter. Any conduct associated with unwanted access will do. And so, activity that does not cause technological harm can give rise to a CFAA claim if a plaintiff investigates it and incurs $5,000 in expenses.

The problem is twofold: (1) It lets plaintiffs convert a whole range of non-technological harms into federal computer crimes, thus seemingly contradicting the guidance of the Supreme Court and the statute itself, which requires harm to computer data, programs, systems, or information services; and (2) The $5,000 threshold becomes nigh-meaningless. Any plaintiff with a lawyer and an incident-response vendor can hit $5,000 by lunchtime. Indeed, a recent case found that a pro se plaintiff spending 25 hours of his own time was sufficient to establish a “loss” under the CFAA. Karcz v. Mezouak, 2026 WL 622679 (D.N.J. March 5, 2026).

In other words, conduct that would not give rise to a CFAA violation because the alleged harm is not technological in nature under the Supreme Court’s definition of a “loss” can easily become a CFAA “loss” as long as a plaintiff alleges that they investigated it.

That’s a deeply circular definition of “loss”. But Moxie didn’t grapple with that deeper circularity head-on.

Making benign integrations and free speech criminal

Let me lay out a couple of different fact patterns where this often plays out.

Even though the defendants here are highly unsympathetic, that’s not always the case. The alleged conduct was plainly wrongful. It involved alleged bribery, misuse of credentials, and copying confidential information from a protected account. But the CFAA should be reserved for technological harms, not merely unauthorized taking of information. That distinction matters. The opinion blurs the line between digital trespass and ordinary misuse of access, even though the real injury alleged was the taking of valuable business information, not damage to the integrity or functioning of the computer system itself. If the system still worked as designed, was not impaired, and suffered no meaningful technological disruption, then this looks much more like a trade secrets or unfair competition case, not a CFAA claim.

That overexpansion matters beyond these bad facts. Once courts allow the CFAA to reach conduct that does not cause technological harm, the statute becomes a much more flexible weapon for private plaintiffs and platforms seeking to recharacterize disfavored access as computer intrusion.  There are countless software integrations whose primary business purpose is to integrate some sort of useful activity within another company’s platform. Lots of companies build these useful layers into and on top of other companies’ software. Most of the time, the purpose of these integrations is to provide something of value to end users, but of course, large platforms are often reluctant to cooperate with third parties.

Created by ChatGPT Dec. 2025

The panel says, almost in passing, that “we need not decide whether the conduct Moxie alleged violates the CFAA. It does,” because Nielsen used a pilfered password, and then goes on to hold that investigative costs alone can satisfy CFAA loss without any technological impairment. The problem is not that the defendants should win. They should not. The problem is that the opinion does nothing to distinguish credential theft from the far more ordinary reality of delegated access and platform integrations, where a user intentionally lets a third-party tool access an account through stored credentials, session continuity, or other account-linked mechanisms. In a world full of CRM plug-ins, analytics layers, scheduling tools, and middleware, courts should be careful not to let “access by someone other than the nominal account holder” plus “investigation” equal a federal crime. The “loss” element needs to be a meaningful filter. If it isn’t, lots of benign conduct becomes illegal.

If investigative expenses are enough, regardless of whether tethered to a technological harm, then a platform that objects to a researcher, watchdog, journalist, or advocacy group can more readily plead its way past dismissal by alleging unauthorized access plus the cost of figuring out what happened. Moxie sits uneasily beside X Corp. v. Center for Countering Digital Hate, where Judge Breyer recognized the basic danger directly, writing that the case was “about punishing the Defendants for their speech” and that X sued “in order to punish CCDH” for publications criticizing the platform.

To be clear, Moxie did not involve public-interest criticism. It involved commercial espionage. But doctrine built in hard cases does not stay in hard cases. Once courts make it easier to plead CFAA claims based on contested access and post hoc investigation costs, that logic can be repurposed by platforms seeking to suppress unfavorable reporting, auditing, or accountability research. The right lesson from Moxie should have been narrow, but instead it was unequivocal and unqualified.

Don’t get it twisted: If self-motivated, sponsored investigations untethered to technological harm qualify as losses under the CFAA, then any integration disfavored by a platform can be made illegal, regardless of how valuable or pro-social it may be. And any “access” that’s disfavored by a platform can be made illegal, too. Regardless of how benign or pro-social it may be.

That’s the legal landscape that Moxie creates.

In the coming months, the Ninth Circuit is likely to revisit this issue with Perplexity AI’s appeal of the preliminary injunction issued by the Northern District of California in its case against Amazon. When that case is decided, we can expect to get a clearer picture of whether there will be a consensus on this issue or a true circuit split.

The post Tenth Circuit Broadens CFAA ‘Loss’ Beyond Technological Harm–Moxie v. Nielsen (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

The court starts off with this broad proposition:

Section 230 compels dismissal of claims seeking to hold platforms liable for activity amounting to sexual exploitation of one user by another when the factual predicate is that the two users engaged in messaging using the platform’s service” [cites to Doe v. Grindr, Doe v. MySpace, Doe v. Snap, Doe 1 v. Backpage, Doe II v. MySpace, In re Facebook, LW v. Snap, Doe v. Grindr (S.D. Fla.), Doe v. Kik.]

Negligence

The plaintiff tried the standard set of arguments that Discord was defectively designed because it didn’t adhere to the plaintiff lawyers’ vision of how services should operate:

Plaintiff’s “Negligence” claims seek to impose liability on Discord for (i) designing its messaging service to facilitate harmful private communications; (ii) allowing “unsupervised” messaging between users; (iii) failing to require phone number verification or otherwise “screen users”; (iv) failing to “implement … parent controls” and “parental notifications” that would monitor and supervise messages; (v) failing to remove user profiles and block messages from adults who message teens; (vi) failing to set default safety settings that would block messages between unconnected users; (vii) offering an “open chat function” without sufficient moderation; and (viii) failing to monitor for, report and prevent the use of [its] app[ ] by sexual predators.”

The court says all of those configuration choices are editorial choices protected by Section 230:

These claims each amount to Plaintiff seeking to impose a duty on Discord to monitor, screen, and block Plaintiff’s communications with other Discord users. All of these duties would require Discord to alter or amend how it publishes, monitors, screens, flags, blocks, or removes users’ messages and profiles, including how it offers to its users “neutral tools” that allow users to communicate in different chat forums and formats. [cite to Jones v. Dirty World (6th Circuit)]

Notice how this court implicitly veers away from the social media addiction rulings in California and numerous other precedents saying that design choices can be agnostic about what content they apply to and therefore are not based on third party content.

Strict Liability

The court treats the products liability claim the same as the negligence claim. The plaintiff complained about the following practices:

The Complaint faults Discord for providing a service that “allow[s] children to come into contact with child predators, and asserts that Discord should provide “[e]ffective parental controls” to stop harmful message exchanges; reconfigure features to “block[ ] direct messaging between child and adult users”; block content from “known abusers”; and offer a more restrictive “[c]ontrolled chat” option.

The court responds that these claims “would require Discord to more perfectly screen for and block harmful messages and alter the operation of the neutral tools it provides users to send messages,” which Section 230 does not permit.

Concealment/Failure to Warn

The court says the concealment/failure to warn claims also second-guess Discord’s editorial decisions. The court says:

Courts cannot accept attempts to repackage what is in actuality “publisher” actions as “torts of omission” to evade Section 230

Thus, “these allegations appear to be simply a restatement of Plaintiff’s negligence claims and product liability claims already found to be barred by Section 230. Put another way, the only way that Discord could address these aspects of its platform would be “to take certain moderation actions” that would eliminate the alleged discrepancy between Discord’s description of its moderation efforts and the “reality” of its moderation – again, “publishing” actions.” [cite to Bride v. YOLO]

Failing to warn users that Discord is a “dangerous” app “is at root a claim based on “publication” choices related to moderation efforts, which fall within the immunity provided by Section 230.” Cites to Bride v. YOLO, Doe v. Grindr, Wozniak v. YouTube.

The court also questions if there was any actual omission: “Discord does disclose and issue transparency reports that – as is the case with any platform that handles an immensely high volume of messages each day – do show that its content moderation efforts are imperfect.”

Misrepresentation

Plaintiff’s claims seek to hold Discord liable for alleged “misrepresentations” by failing to conform its content moderation standards – based on what amounts to its general “aspirational” standards of seeking to provide a platform “safe for minors” – to a level defined by Plaintiff. [The Grindr court distinguished] claims based on actual specific and defined contractual promises [from] general aspirational goals regarding platform content moderation

The litigation over “safe” content moderation is decades-old and completely confused.

Third-Party Content

Nowhere in Plaintiff’s Complaint does it accuse Discord of creating the offensive messaging, but rather the Complaint seeks to hold Discord liable for facilitating – or failing to moderate – sexually exploitative offensive messaging created by others. The fact that Discord may have provided the “tools” by which Plaintiff and her alleged abusers exchanged messages, to “carry out what may be unlawful or illicit” does not make Discord a “content provider,” but rather treats Discord as a “publisher” of (offensive) messaging created by third parties.

Implications

A reminder that sexual predation cases involve heartbreaking facts. Section 230 often arises in tragic circumstances.

The Section 230 jurisprudence is coming apart at the seams, as illustrated by this ruling. I think this court got it right and disagreeing courts got it wrong. However, there is now enough precedent on both sides of every issue to vex everyone. This opinion carefully prioritized appellate rulings, which have largely rejected the design defect workarounds to Section 230. However, many more design defect cases are heading to appellate courts across the country, and any appellate deviation in any one of those cases will tear Section 230 even further apart.

Case Citation: Jane Doe v. Discord Inc., 2026 WL 1067574 (N.D. Ohio April 20, 2026). The complaint.

The post Section 230 Helps Discord Defeat “Defective Design” Claims Regarding Sexual Predation–Jane Doe v. Discord appeared first on Technology & Marketing Law Blog.

This case is a different lawsuit against Classpass, this time over unredeemable Classpass credits. Despite the unmistakable message from the Ninth Circuit that TOS formation screens should be reviewed exactingly, Judge Orrick of the N.D. Cal. district seems to be living in the past. He surprisingly holds that Classpass successfully formed its TOS and sends the case to arbitration. Why did Classpass succeed here when it failed last year at the Ninth Circuit? (If you expect a logical and sensible answer to that question, you must be new to the blog).

* * *

The named plaintiff, Blackburn, navigated through three relevant TOS formation screens. The opinion never precisely identifies which one successfully formed the TOS. It seems like all three did?

(The TOS contained an arbitration clause that everyone agrees applies to this lawsuit if the TOS was properly formed).

Blackburn created her Classpass account in 2019 by navigating this screen and choosing the option to continue with her Facebook credentials (the 2019 Sign Up Screen):

A few days later, in the next screen, she acquired her subscription membership through Classpass’ refer-a-friend program (which entitled her to additional credits) (the 2019 Checkout Screen):

In 2023, Blackburn reactivated her Classpass membership by navigating this screen (the 2023 Reactivation Checkout Screen):

Everyone seems to accept the court’s characterization that all three screens are “sign-in-wraps.” That turns us over to the now-familiar three-part test for evaluating sign-in-wrap formation.

Element 1: Reasonably Conspicuous Notice

Blackburn challenged the 2019 Login Screen’s visibility on three grounds:

• It was part of a 5-screen signup sequence. The court responds “the screens are not cluttered and follow a logical flow.”
• The TOS offer was the smallest font size on the screen. The court says it was the same size as other fonts on the screen.
• The TOS offer language was below the “Continue with Facebook” button she clicked. The court says “the “Terms of Use” is bolded, underlined, and in traditional hyperlink blue. That offsets any real concern that a reasonably prudent Internet user would not know or be aware that those hyperlinks existed just below the “Continue with Facebook” button.”

The court is also OK with the 2019 Checkout Screen visibility. The court acknowledges the TOS offer language in grey font, but says the:

text is still visually set apart from the other font that appears on the screen, despite the fact that it does not appear in blue font….

the hyperlinks are denoted by a bolded light grey font and underline, sufficiently contrasting the white background. Further, the “large text block[]” to which Blackburn refers is actually a two-sentence paragraph separated in space by the one-sentence paragraph denoting the Terms of Use, which makes the presentation of the Terms of Use hyperlink even more noticeable

The court is similarly OK with the 2023 Reactivation Checkout Screen visibility:

The text referring to the Terms of Use is once again just above the commitment button, written in light grey, but bolded font, and while not denoted in traditional hyperlink blue, is set apart from the rest of the text on the screen such that its presence draws the eye. The primary difference between the 2023 Reactivation Checkout Screen and the 2019 Checkout Screen, as Blackburn points out, is that the 2023 Reactivation Checkout Screen includes a black and bolded pronouncement to the user that “you’ll automatically be charged for a full-priced monthly credit plan subscription” and includes, in blue and underlined hyperlinked font, access to information about which Fees may apply. Those decisions to add additional notice of specific terms do not take away from ClassPass’s efforts to make the Terms of Use conspicuous by setting them apart in bolded, underlined font, in a separate paragraph with font color that contrasts the white background.

Element 2: Transaction Context

The Ninth Circuit punted on this factor in Chabolla (wrongly, IMO, because it’s clearly intended to create a long-term subscription), so this court does too. This court adds: “unlike in Chabolla, Blackburn took the additional step and created a ClassPass account by logging in with her Facebook account.”

Element 3: Manifestation of Assent

“Blackburn clicked a button after being presented with a hyperlink to the Terms of Use.”

The court distinguishes Chabolla:

in Chabolla, there was no indication that a user was ever signing up. Here, at the top of the 2019 Sign Up Screen there is a heading that unambiguously reads in bold lettering: Sign up

Blackburn pointed out that in the 2019 Signup Screen, the disclosures inconsistently and ambiguously refer to both “the” TOS and “our” TOS. The court responds that the argument “makes no sense. If a user is signing up through a preexisting Facebook account, that user must have necessarily already agreed to be bound to any Terms of Use or other terms of Facebook. It is not ambiguous to a reasonable Internet user signing up for an account or membership with ClassPass, even by way of Facebook, that any newly presented Terms of Use are those of ClassPass, not Facebook.”

With respect to the 2023 Reactivation Checkout Screen, Blackburn pointed out that the TOS offer language referred to “the” button but there were two buttons below it. The court responds:

“the” in the context of the 2023 Reactivation Screen must mean “either,” because a user attempting to access the 45 free Credits can only click one button to do so, or as the 2023 Reactivation Screen denotes, “the button.”

Normally, “the” connotes a singular reference. Here, the court reads it to connote plural references.  ¯\_(ツ)_/¯

In a footnote, the court says: “I do agree with Blackburn that the 2019 Checkout Screen’s language (“By clicking the Redeem now button, I agree to the Offer Terms and Terms of Use . . .”) is curious because it leaves out whether a user who chooses to pay using G Pay is likewise bound. But a reasonable Internet user would likely understand that payment using either method would bind the user to the visibly hyperlinked Terms of Use and it is clear that Blackburn manifested assent via the 2019 Sign Up Screen and 2023 Reactivation Screen in any event.”

Implications

I view the Chabolla and Godun opinions as companion cases. They came out just a couple of months apart, and they both took highly skeptical approaches to online TOS formation. Remarkably, this court doesn’t cite Godun even once. That is a conspicuous omission.

To me, this ruling is another reminder of how TOS formation analysis has descended into Calvinball. As Judge Bybee warned in dissent in the 9th Circuit Chabolla case: “minor differences between websites will yield opposite results….That sows great uncertainty in this area.” Here, comparing this lawsuit to Chabolla, we have the exact same defendant and similar formation processes from around the same historical time period, yet Classpass gets TOS formation when the Ninth Circuit denied it last year. The outcome appears to flip based on tiny differences.

I will also note how many of the court’s assessments turn fundamentally on consumer expectations, except the court doesn’t cite a shred of empirical evidence about what consumers think. The missing empiricism plays a major role in the Calvinball phenomenon.

If the court had been inclined to do so, it could have picked apart each screen and found deficiencies in each. After all, that’s what the Ninth Circuit did in its Chabolla case. Some examples:

• In the 2019 Signup Screen, the TOS offer language refers to “sign up with Facebook” and the button says “continue with Facebook.” Plus, there is a second “sign up” button lower on the screen that the court ignores even though it matches the TOS offer language. All of this may sound ticky-tack, but…in the Chabolla case, the court rejected a screen where the TOS offer said “I agree to” and the button said “redeem now,” and in the Godun case, one of the screens failed because the TOS offer said “I agree” and the button said “connect now.”
• In the 2019 Checkout Screen, the TOS offer language is stacked below a large paragraph of offer terms, and it appears to be a slightly smaller or lighter font than those. The court could say that reasonable consumers would spot it anyway, but that’s an empirical question without empirical support. Many other courts would have treated the text block as so monolithic that no sentence stood out.
• The 2023 Reactivation Confirmation Screen had the text block problem plus (as the court discussed) the imprecision of a reference to “the” button when there were two button options.

To be fair, I don’t necessarily support courts doing this degree of ticky-tack pixel policing. However, that level of exactitude drove the Chabolla and Godun decisions.

The screenshots at issue all predate the Chabolla and Godun decisions. Today, there’s no excuse for weak sign-in-wraps like this. I expect you to do better. The courts will expect that too.

As Judge Bybee said in dissent in Chabolla, “Our decision today will drive websites to the only safe harbors available to them, the clickwrap or scrollwrap agreements.” Want to opt-out of the TOS formation Calvinball? Take the certainty of clickwraps over the chaos of sign-in-wraps.

Case Citation: Blackburn v. Classpass USA Inc., 2026 WL 962734 (N.D. Cal. April 9, 2026)

The post Remember When the Ninth Circuit Rejected Classpass’ TOS Formation? About That…–Blackburn v. Classpass appeared first on Technology & Marketing Law Blog.

Weiss v. Google LLC, 2026 WL 733788 (Cal. App. Ct. March 16, 2026)

Weiss’ business started running financial services ads on Google in 2015. Google suspended the ads multiple times, until Google issued a final suspension in 2024. The court says Section 230 protects Google’s suspension decisions.

The court starts with standard context-setting: “California’s appellate courts and federal courts have also generally interpreted section 230 to confer broad immunity on interactive computer services.”

The court continues:

Weiss seeks to adjudicate Google’s characterization of his business and its decision to suspend its ads. However, this conduct, i.e., Google’s “refusal to allow certain content on its platform,” is “typical publisher conduct protected by section 230” regardless of the reason for that refusal….

even if Google’s characterization of Weiss’s advertisements does not align with Weiss’s characterization, section 230 still affords Google immunity from liability for its decision to suspend his content…

all the content Weiss claims Google wrongfully suspended was admittedly created by Weiss, not Google…

Google’s determination that Weiss’s ads violated its general policies is not equivalent to contributing to the ads’ content.

In a footnote, the court adds: “Weiss seeks to hold Google liable for its enforcement of its own general policies, rather than a breach of a specific promise.”

When the dust settles, this becomes just another failed lawsuit over account terminations and content removals.

A reminder of the content moderation dilemma Google faces here. A few courts have said that Facebook doesn’t qualify for Section 230 protection for running scammy ads (e.g., Forrest v. Facebook). As a result, Google has good reason to suspend Weiss’ ads to manage its own liability exposure. At the same time, if Weiss succeeded with his claims here, then Google would have been potentially liable for removing ads based on Google’s fears that they are scammy. This would force Google to deploy a Goldilocks version of content moderation: Google would have to get its ad removal policy “just right,” with potential liability for mistakes in either direction. An impossible challenge.

Thompson v. The Meet Group, 2026 WL 730134 (E.D. Pa. March 16, 2026)

Thompson said Tagged deactivated his livestreaming account and stole $10k from him.

For reasons that aren’t obvious to me, Tagged defended on Section 230(c)(2)(A) grounds instead of 230(c)(1). Maybe this has something to do with trying to navigate around the abysmal Anderson v. TikTok case? EDPa courts are bound by that decision.

The court says Tagged can’t establish the 230(c)(2)(A) defense elements on a motion to dismiss: “application of CDA immunity in this case requires assessment of facts that are not in the pleadings—such as the reason why Thompson’s account was disabled and the content of Thompson’s posts.” Also, Thompson’s allegations of theft might defeat 230(c)(2)(A)’s good faith prerequisite. Cites to Smith v. TRUSTe and e-ventures v. Google.

No matter, the case fails anyway. (Another example of Section 230 not being the only reason why lawsuits lose). The court says the plaintiff had no property interest in his social media account that could be converted (cite to Eagle v. Morgan). The plaintiff’s TOS breach claim fails multiple ways, including the TOS’s reservation of termination rights and damages waiver.

So this becomes yet another failed lawsuit over account terminations, just not due to Section 230. You already know this, but if you’re a defendant in these cases, you should be focusing on 230(c)(1), not 230(c)(2)(A).

Gehringer v. Ancestry.com Operations Inc., 2026 WL 734526 (N.D. Cal. March 16, 2026)

Plaintiffs are individuals who have not subscribed to the Ancestry.com service and have not consented to the use of their name or photograph. They allege Ancestry not only includes their yearbook information on a searchable database, but also utilizes their likenesses as part of advertisements for Ancestry.com services…

Plaintiffs contend Ancestry used their likeness in three forms of “advertising”: 1) publication of the yearbook information on a database that contains a paywall for certain features; 2) dissemination of emails to potential Ancestry.com subscribers, noting Ancestry Hints® can expand their family tree, and using the names and images of Plaintiffs as examples; and 3) an Ancestry free trial program that allows potential subscribers to access Plaintiffs’ yearbook information for a limited time.

The court nixes claims over category #1 and #3 ads due to copyright preemption.

As for the category #2 ads:

Plaintiffs allege Ancestry crafted email advertisements that included their likenesses to encourage potential customers to subscribe to Ancestry’s service. The email advertisements were not created by a third-party user of Ancestry.com—Ancestry authored the content, and as such, it is “responsible, in whole or in part, for the creation” of that offending content. To avoid this conclusion, Ancestry attempts to recast the allegations in the First Amended Complaint, asserting Ancestry merely “republish[es] yearbook photos taken and first published by Esperanza High School.” But as the screenshots in the Complaint confirm, the emails sent by Ancestry to prospective users include far more than republished images of Plaintiffs; they incorporate those images into an advertisement for the Ancestry Hints® functionality and Ancestry’s subscription service. Drawing all inferences in Plaintiffs’ favor, Section 230 does not immunize Ancestry against liability for the content of the alleged email advertisements

Notice that Ancestry’s ad creation practices go further than Facebook’s sponsored stories, which also didn’t qualify for Section 230 protection.

State v. Sharak, 2026 WI 4 (Wis. Supreme Ct. Feb. 24, 2026)

Google scanned Sharak’s Google Photo uploads, identified what it thought was CSAM, and submitted a CyberTip. Sharak argued that Google was conducting the search on the state’s behalf. The court disagrees and upholds Sharak’s conviction.

That isn’t unusual. What’s more unusual is the court’s discussion of Section 230. “Rauch Sharak argues that [Section 230(c)(2)’s safe harbor] encourages ESPs to scan for CSAM by granting immunity to ESPs that moderate content and creating civil and criminal liability if ESPs do not scan for CSAM.”

The court responds:

Though § 230(c) may grant immunity to ESPs that choose to scan for CSAM, it does not require, reward, or incentivize scanning for CSAM in the first place. Moreover, § 230(c)(2)(A) grants immunity for “any action voluntarily taken in good faith to restrict access to” obscene material, which sweeps far more broadly than would be required to induce Google’s CSAM scan at issue here….

Even if the statutes encourage Google to scan for CSAM or provide a law-enforcement purpose, Rauch Sharak has not shown that they are enough to turn Google into an instrument or agent of the government.

Alice Rosenblum v. Passes Inc., 2026 WL 711837 (C.D. Cal. Feb. 3, 2026)

[The fact allegations are based on the court’s summary of the complaint.] Passes is a competitor to OnlyFans. Unlike its rivals, Passes allows 15-17 year olds to create accounts with parental consent. Guo is the CEO, and Celestin is a content acquisition specialist. At Guo’s direction, Celestin personally reached out to 17-year-old Alice Rosenblum to create a Passes account. Celestin did a photoshoot of Rosenblum and (with Guo’s help) created a Passes account for her without requiring parental consent.

“Over the next month, while Plaintiff was still 17 years old, Celestin and Ginoza [another Passes employee] allegedly directed Plaintiff to create sexually explicit images and videos of herself….the FAC provides over 14 examples of child sexual abuse material (“CSAM”) involving Plaintiff, being marketed on the Passes platform for $69 to $4,000. Furthermore, Passes agents posing as Plaintiff allegedly communicated via direct message to “big spenders” to continue to market and sell CSAM involving Plaintiff.”

The court rejects Passes’ and Guo’s Section 230 defense:

Section 230 immunity plainly does not apply to Plaintiff’s claims. To be sure, Plaintiff does largely seek to hold Passes Defendants liable as providers of an interactive computer service, and several allegations treat Passes as a publisher, as they involve Passes’ distribution of CSAM involving Plaintiff…Plaintiff alleges that Passes and its agents were directly responsible for the creation and portrayal of the CSAM on the Passes platform: Plaintiff alleges that Celestin, acting as an agent of Passes, personally took at least one photo of Plaintiff which was uploaded to Passes, and further instructed her to create specific photographs and videos and upload them to Passes, which he later marketed under specific captions and sold. Plaintiff further alleges that Passes itself hosted a banner featuring a sexually explicit photo of Plaintiff, which marketed CSAM involving Plaintiff. Plaintiff therefore seeks to hold Passes liable for harm allegedly arising out of its own creation of harmful content.

Passes claimed that Celestin and Ginoza were third parties, but “As alleged, Celestin was
not merely another third-party user of Passes; rather, he acted as an agent and employee of Passes.” Cite to Quinteros.

The court summarizes:

Section 230 immunity does not apply to Passes, a platform which has allegedly, through its agents, deliberately created, marketed, and sold illegal content, acting as an “information content provider” that uses its own “interactive computer service.”

In a footnote, the court adds regarding Guo: “Plaintiff’s allegation that Guo encouraged Plaintiff over the phone to post content, which supports Plaintiff’s claims for IIED and California Civil Code § 52.5, does not hold Guo accountable for Passes’ publishing activity.”

Doe v. X Corp., 2026 WL 772384 (N.D. Tex. Feb. 25, 2026)

“A third party copied commercial pornographic content from Plaintiff’s OnlyFans and studio-based productions and uploaded it to X without his consent, violating the OnlyFans terms and conditions and the studios’ licensing agreements.” He sued pursuant to 15 U.S.C. § 6851(b)(1)(A), a private right of action for nonconsensual production of intimate visual imagery. Doe produced the porn consensually, but he claims the restrictions extended to nonconsensual distribution.

The court says X qualifies for Section 230. Doe responded that he owned the IP in the works, so the IP exception applies. The court says:

The [IP] exception applies only when the claims arise from a law directly implicating intellectual property rights, not merely when intellectual property is involved in the claim. And the statute under which Plaintiff sues—§ 6851—is not an intellectual property law. Rather, it is concerned with “whether the depicted individual consented to a specific disclosure of an intimate visual depiction—regardless who holds the copyright to the image.” Thus, § 6851 creates a privacy-based tort right of action, not an intellectual-property based one.

The boundary between privacy and IP laws remains amorphous–increasingly so with all of the concerns about “deepfakes,” “virtual replicas,” and other AI-related regulations that use privacy framing to create what look like sui generis IP rights. This could be a good student paper topic.

For more discussion of the IP exception to Section 230, see this article.

Teague v. Google, 2026 WL 746996 (D. S.D. March 17, 2026)

Plaintiff claims Google committed defamation based upon the fact that “people think I raped [redacted]. This case (sic) been dismissed in 2021 but it still show (sic) on Google and caused me to (sic) threaten and attacked a few times.” Plaintiff further claims his image is on Google and it is difficult to get a job because the rape charges still appear on Google.”…

Google is not a “publisher or speaker” under the CDA and therefore “cannot be liable under any state-law theory to the persons harmed by the allegedly defamatory material.”

Google is immune from suit for defamation claims arising out of other content providers’ posts on the internet.

The post Section 230’s Application to Account Terminations, CSAM, and More appeared first on Technology & Marketing Law Blog.

In 2024, Photobucket emailed its legacy users, asking if they wanted Photobucket to keep or delete their accounts. Users who clicked on the email’s links–included to delete their accounts–were presented with a new TOS formation process that included a consent to use the photos to derive users’ biometric information for AI purposes. “If users did not opt out of the Biometric Policy within 45 days of July 22, 2024, Photobucket claims the right to sell, lease, trade, or otherwise profit from the users’ biometric information.” (Photobucket claims it hasn’t actually pursued this AI option). The new TOS also contained an arbitration provision that wasn’t in some prior TOS versions. Photobucket invokes the arbitration clause against the plaintiffs’ lawsuit.

Article III Standing. The court says the plaintiffs only have Article III standing for equitable relief, not damages. This narrows the case substantially.

Pierce

Pierce agreed to Photobucket’s 2008 TOS and last logged into Photobucket in 2014. The 2008 TOS informed Pierce that his “continued use” of Photobucket would constitute acceptance to any TOS modifications. Since he didn’t use the site after 2014, he didn’t assent-by-use to the 2024 TOS:

a reasonable person would not understand his failure to take his photos off of
Photobucket, after not logging in for nearly ten years, to constitute “continued use” and thus acceptance of any revised terms.

In other words, a user’s maintenance of a legacy account isn’t “continued use” of the service.

Ms. Hughes

Ms. Hughes agreed to Photobucket’s 2006 TOS and last logged into Photobucket no later than 2011. The 2006 TOS said:

By using the Services you agree to the Terms of Service set forth below as they may be updated from time to time by Photobucket.com, Inc. (“Photobucket.com”). Photobucket.com may modify or terminate the Services from time to time, for any reason, and without notice, including the right to terminate with or without notice, without liability to you, any other user or any third party, provided that when Photobucket.com does so, it will update these Terms of Service. You are advised to periodically check the website for changes in the Terms of Service.

The court says this TOS “told Ms. Hughes that she was “advised to periodically check the website for changes in the Terms of Service.” The 2006 Terms “necessarily inform[ ] how a reasonably prudent user would interact” with Photobucket’s website.”

But…the TOS applicable to Pierce said “It is therefore important that you review this Agreement regularly to ensure you are updated as to any changes.” The court disregarded that language for Pierce. Can you find a difference between the disclosures to Pierce and Hughes? Beyond the (seemingly immaterial) language differences, the court’s different conclusions might be explained by (1) Pierce was governed by Colorado law, Hughes by CA law; or (2) Hughes admitted getting emails telling her about the coming changes, though she didn’t pay attention to them. I don’t find those distinctions persuasive, so I can’t meaningfully distinguish Pierce’s situation from Ms. Hughes’.

The court says Hughes is bound to the 2024 TOS:

the 2006 Terms told Ms. Hughes that she had an obligation to periodically check Photobucket’s website for updates to the Terms. The 2024 Terms and arbitration provision constitute an update to the Terms that Ms. Hughes had an obligation to stay apprised of. Ms. Hughes assented to the 2024 Terms because they informed her that failure to opt out within 45 days of the effective date would constitute acceptance, and Ms. Hughes did not opt out

Whoa. The court is saying that even though Hughes functionally abandoned Photobucket in 2011, a “reasonably prudent user” would have kept checking Photobucket’s TOS 13 years later just in case the terms had changed. Wild.

Because Ms. Hughes “agreed” to the 2024 TOS, she also “agreed” to its jury trial waiver.

However, the arbitration clause excludes IP claims. The plaintiffs alleged 1202(b) claims, which the court says are IP claims and thus not covered by the arbitration provision. This claim stays in court.

Cumming

The parties can’t agree when Cumming created her Photobucket account or when she last used it, but everyone agrees that she agreed to the 2013 TOS and didn’t use the site later than 2013. That TOS version said “so long as you’ve used the Site after the change, regardless of any separate notice, you agree to the current posted version of the Terms.” Similar to the court’s discussion of Pierce, the court says “a reasonable person in Ms. Cumming’s position would not understand her failure to take photos off of Photobucket to mean that she “used” Photobucket after 2010 or 2013 and thus assented to the 2024 Terms.”

Mr. Hughes

He didn’t have a Photobucket account, but Ms. Hughes uploaded photos of him. The court says he’s not a third-party beneficiary of any TOS and not bound by the arbitration clause.

Court Stay

The court stays the litigation until after the arbitration, even though the court held that 3 of the 4 named plaintiffs were not bound by the arbitration and the fourth plaintiff had a claim not subject to arbitration. Because the court will not be bound by the arbitrator’s decisions for the non-arbitrated plaintiffs and claims, I didn’t understand why the court held everything else up. A slightly lucky break for Photobucket, because it avoids the cost of defending the litigation and arbitration simultaneously.

Implications

Here’s where things stand when the dust settled:

• damages are out of the case
• part of one plaintiff’s case is sent to arbitration
• when that’s complete, the court will address the remainder of that plaintiff’s case plus the other three plaintiffs’ cases

A messy outcome…perhaps messy enough to motivate the parties to settle? Without the availability of damages, this case became less interesting to the plaintiffs. Alternatively, I could also see the plaintiffs appealing this ruling.

Though Photobucket nominally got the outcome it wanted (the case sent to arbitration), it does not come out of this ruling looking very good. Some of the lowlights:

• its inital TOS amendment provisions sucked. It had various versions of “you need to come back to the site to check for possibly amended terms,” which has rarely fared well in court. Frankly, it’s shocking to see the judge find this “keep checking the TOS 13 years later” provision worked against Ms. Hughes. I don’t think that’s what a reasonable consumer would do. (As usual, the court cited no empirical basis for its assessment of what a reasonable consumer would do or think).
• the fact that Photobucket’s TOS amendment language kept changing over time. The language differences ensure more litigation work when it’s challenged.
• the fact that Photobucket kept changing its governing law clause. Another decision that increased its defense costs and the risk of inconsistent outcomes.
• the fact that Photobucket couldn’t definitively establish the dates of the users’ account creation or usage.
• its 2017 implosion. How did it misjudge the market so badly?
• its 2024 pivot to potentially engage in AI mining. I guess if you’ve already killed your business, why not try to salvage what’s left of the carcass?
• the attempt to bind legacy users via a TOS that users had to click through even if they wanted to exit Photobucket. Gauche.
• the arbitration provision’s exclusion for IP. Plaintiffs are weaponizing 1202, so IP carveouts have become dangerous. Reminder: every part of the arbitration provision should be carefully vetted for potential plaintiff weaponization.

The result was a messy outcome with different plaintiffs for getting different outcomes. Not what Photobucket was aiming for.

The obvious question: was there a better way for Photobucket to force all legacy users onto its new AI-friendly terms? This judge seemed to believe that the right incantation would let Photobucket put the onus on users to check for TOS amendments, but most judges won’t permit this. Could Photobucket have forced users to the new terms through its emailed notifications? The Ninth Circuit just permitted this, so maybe? The reality is that it’s difficult or impossible to universally bind all legacy users to new terms if they aren’t coming back to the website. I don’t have any clever hacks or tricks to work around this.

Case Citation: Pierce v. Photobucket Inc., 2026 WL 672764 (D. Colo. March 10, 2026). CourtListener page.

Other posts about Photobucket

• Photobucket Qualifies for the 512(c) Safe Harbor (Again)–Wolk v. Kodak
• Photo Hosting Site Gets DMCA 512 Safe Harbor–Wolk v. Photobucket

The post Photobucket’s Attempted TOS Amendment Mostly Fails–Pierce v. Photobucket appeared first on Technology & Marketing Law Blog.

The plaintiffs claim that bad actors misused Tile’s tracking devices to stalk them. The plaintiffs (as a class action) sued Tile for how it designed and sold the trackers. Tile invoked the arbitration clause in its TOS. This sets up a complicated analysis of TOS amendment–though the panel never directly acknowledges that this is an amendment case, not a case about formation in the first instance.

Two plaintiffs agreed to Tile’s TOS in 2021 and early 2023, respectively. Those versions of the TOS contained arbitration clauses that proved ineffective. In October 2023, Tile changed the arbitration provisions to include new language. To step up its existing users to the October 2023 arbitration provisions:

In October 2023, Tile sent to all accountholders the Oct. 2023 Notice—an email with the heading “Updated Terms of Service and Privacy Policy”—advising that Tile was updating its Terms. Sent to the email address provided by accountholders during registration, the Oct. 2023 Notice contained a blue-text and bolded hyperlink to the Oct. 2023 Terms. The email told accountholders that “[i]f you continue to use any of [Life360 and Tile’s] apps, or access our websites (other than to read the new terms) on or after November 26, 2023, you are agreeing to the [Oct. 2023 Terms].”

One plaintiff said the notification email went into the spam folder, but they saw it months later when they went affirmatively looking for it. The other plaintiff said they never saw the email. Both used the Tile service after the purported TOS amendment date. The district court held that neither plaintiff was bound by the October 2023 arbitration provisions, and the arbitration provisions in the earlier TOS versions partially failed due to unconscionability. Tile appealed that ruling, hoping to send these plaintiffs to arbitration.

The Ninth Circuit holds that Tile’s email put both plaintiffs on inquiry notice of the TOS amendment.

Transaction Context. “As Tile users, each Appellee provided an email address during account registration, and should have expected to receive relevant updates there while the account was active.” This is a pretty wild claim. Many services request email addresses during account registration, and yet the initial TOS formation fails. Also, just because I provide an email address during registration doesn’t mean that I assume TOS amendments will be sent via email. That may depend on how the TOS describes the amendment process–an angle this panel remarkably ignores completely.

Reasonable Disclosure. The court says the email disclosures were good enough:

The design and content of the Oct. 2023 Notice provided reasonably conspicuous notice of the Oct. 2023 Terms because the email’s design was “clear and legible,” and it provided the updated Terms through a link with “customary design elements denoting the existence of a hyperlink.” The subject line clearly stated that Tile was updating its Terms. And the body contained a hyperlink to the Oct. 2023 Terms in bold, blue text which contrasted against the white background. Although the email did not say specifically that the arbitration agreement would be updated, reasonable notice does not require the email to discuss every revision.

“Lack of other notices.” The court says “Tile could have done more to ensure that all its users were on inquiry notice of the Oct. 2023 Terms. Tile could, for example, have interrupted users’ next visit to the Tile App with a clickwrap pop-up notice.” The court says the absence of these other notices weighs against inquiry notice.

So, did the TOS amendment work? The court makes a remarkable doctrinal move, something I don’t recall seeing before. The court treats inquiry notice as a multi-factor test and says two factors weigh in favor of notice (transaction context and reasonable disclosures) and one weighs against (lack of other notices). In other words, the two pro-formation factors prevail over the anti-formation factor. But…when did the inquiry notice standards become a multi-factor test with these three factors? This methodology is novel (and dubious). The court might have said that even if other notification procedures would have been more efficacious, the email notice was good enough. This would have reached the same outcome without this weird doctrinal move.

[Hedging its bets, the court says “we do not hold that notice by mass email establishes inquiry notice in every case”].

Manifestations of Assent

Doe unambiguously manifested assent to the Oct. 2023 Terms by downloading the Tile App in March 2024 and using the Scan and Secure feature in attempting to locate her alleged stalker’s Tile Tracker….

Broad also unambiguously manifested assent to the Oct. 2023 Terms by using the Tile App in January 2024 and periodically opening the Tile App to check location-sharing settings—including, according to Tile’s records, in April 2024.

The court treats these users’ actions as occurring after the users had “inquiry notice.” Thus, the October 2023 TOS controls, and the court sends the case to arbitration.

* * *

Consider some of the wackiest aspects of this opinion:

• the court doesn’t distinguish between TOS formation and TOS amendment.
• the court doesn’t address what Tile’s TOS said about how the TOS could be amended. Did the TOS even authorize email amendment? The TOS terms would have substantial bearing on what a reasonable consumer might have thought. [Note: The court discusses the prior TOS’s arbitration language that said Tile couldn’t materially change the arbitration provisions “unless you expressly agree to them” but treats the October 2023 as sufficient “express agreement.”]
• the court doesn’t engage many of the precedents involving attempts to form TOSes by email, especially post-transaction emails (like this one).
• the court assumes that providing an email address during account registration means that the users should assume they will be getting TOS amendment notifications via email.
• the court didn’t address the many reasons why a TOS amendment email might never reach a user, such as the user’s email address having gone defunct or server-level blocking. If the user never received the email, does the court still think they are on inquiry notice? The court also doesn’t address the implications of the email going into a folder other than the user’s primary inbox, such as showing up in the spam folder. Are users on inquiry notice for everything in their spam folder? I wonder how often the judges carefully check their spam folder…
• the court created and applied a weird multi-factor test for inquiry notice.

FWIW, the court does acknowledge that some of the underlying issues are empirical questions, but it dodges those questions by citing Sellers, which said “there is very little empirical evidence regarding” Internet users’ expectations. If the data is hard to get, I guess we don’t need it?

So, what should we make of this opinion? Is this an example of the characteristically wild-‘n’-wooly jurisprudence in the Ninth Circuit’s non-precedential cases? Or perhaps an indicator the Ninth Circuit’s TOS formation jurisprudence is a mess and there is no logical or defensible through line from case to case?

Case Citation: Ireland-Gordy v. Tile, Inc., No. 25-403 (9th Cir. March 3, 2026). The CourtListener page.

The post Ninth Circuit Allows TOS Amendment by Email–Ireland-Gordy v. Tile appeared first on Technology & Marketing Law Blog.

Here is a chart of the various TOS formation timings and modalities:

The court starts by establishing what evidence it can consider.

2015 TOS Formation Evidence. Paypal apparently doesn’t have a copy. It pointed to the Wayback Machine version but didn’t submit a screenshot of that. Arbitration denied.

2019 TOS Formation Evidence. Paypal only has a screenshot of the email TOS formation from Wayback Machine, but none of the plaintiffs apparently signed up via email. Arbitration denied.

2021 & 2022 TOS Formation Evidence. More Wayback Machine screenshots. “The screenshot does not show any language notifying users about terms of service or show what users would have seen after selecting the button for how they would like to join….The Court cannot consider whether notice of any terms was reasonably conspicuous, let alone legible, without knowing what the website looked like.” Arbitration denied.

2016–2018, 2020, and 2023–2024 TOS Formation Evidence. The court says Paypal provided sufficient Wayback Machine screenshots for all but one of the plaintiffs in these periods. (The other plaintiff used the browser extension and may not have created an account). The court accepts the Wayback Machine screenshots because “plaintiffs’ failure to provide competent evidence directly rebutting defendants’ evidence fails to create a genuine issue as to the sign-up process that was presented to those plaintiffs when they created their accounts.”

* * *

Having identified the competent evidence, the court then discusses the screenshots (but it only shows one; the rest it describes textually):

2016-18 TOS Formation Process.

• “The text stating “By joining, I agree to Honey’s TOS & Privacy Policy” was of a size sufficiently smaller than the text on the rest of the screen that many users would likely have had to squint to read it.” Squinting is bad, but I always say that the offer language should never be the smallest font on the screen.
• “The small font size was exacerbated by the color of the text, which was light gray against a white background and in contrast to the two large and colorful buttons on the screen.”
• “the sign-up page told users that by joining, they agreed to Honey’s “TOS.”…the Court cannot conclude that a reasonable user in 2016 or 2017 would have known what TOS meant….Even if a reasonable user might have understood TOS to mean terms of service, Honey’s use of the acronym required an extra mental step for a user moving quickly through the sign-up page.”
• “the very small and faded nature of the text did not render the hyperlinks “readily apparent.””

Arbitration denied.

2020 TOS Formation Process.

Defendants’ declaration states, “The Wayback Machine reflects that in 2020, a user would affirmatively check a box to agree to the Terms of Service.” Nowhere does the declaration aver that a user had to check the box to continue signing up for Honey. Defendants ask the Court to recognize that it is “self-evident” that a user would have had to check the box. But where the Court must draw all inferences in favor of the non-moving party, it cannot conclude that a user was required to check the box and indicate their agreement to Honey’s terms rather than that it was merely optional for a user to do so. This is particularly true given that the box next to the second statement, through which users could choose to “[r]eceive news and offers from Honey by email,” was most likely optional. Nothing in the text of the page states that checking one of the boxes is mandatory while checking the other is not, and in the absence of evidence specifically establishing that users were required to check the first box, the Court cannot conclude that defendants have satisfied their burden to produce evidence of Cruz’s unambiguous assent to Honey’s terms of service.

Ugh. A great reminder that a screenshot doesn’t capture any animation or kinetic elements. So avoidable. A video of the UI, showing that the checkbox was mandatory, would have made this obvious.

Arbitration denied.

2023-24 TOS Formation Process.

Finally, the court shows a screenshot, which the court labels a “clickwrap agreement”:

The court explains why this works:

First, the notice was placed above the button to sign up and in the “user’s natural flow.” Second, although the text was relatively small and gray against a white background, the surrounding text was not much larger and was the same gray or black. The pages thus did not distract or draw the user’s eye away from the notice. Third, the hyperlinks are in a slightly different color than the rest of the notice and are underlined to indicate their presence to a reasonable user. Although the terms of service are mentioned in the fourth line of the notice, its placement is not fatal to its otherwise conspicuous disclosure; the first line of the notice indicates that users “agree to the following terms,” and the button to complete sign-up says, “Agree.”

Note that the Godun case might actually reject this process, despite its clarity, because the checkbox lacks an if/then grammar that links the offer language to the button. The court responds: “the button to complete sign-up itself indicated that the user “Agree[d]” to the text above.” But is that clear? Could the user just be agreeing to the sentence to right of the checkbox? The court responds: “the first line of the notice states that users agree to the “following terms,” signaling that multiple terms are included in the notice and correspond to the checkbox. And even if a user might not have understood that the checkbox referred to all of the terms within the notice, the “Agree” in the text of the button provided a further backstop.”

Arbitration granted for these two plaintiffs.

Implications

Courts are being stricter about TOS formation. I continue to believe that Chabolla and Godun were a substantial break with prior TOS formation law, so courts are being much pickier and the bar for TOS formation has gone way up. Here, the court rejects TOS formation for 10 of the 12 named plaintiffs (and for the other two, I believe the court disregarded the Godun precedent). This is the new math of TOS formation.

Watch out for jargon. It was interesting seeing the court reject the TOS term as unclear to consumers at the relevant time. Perhaps that’s true, though with the proper offer language, it shouldn’t matter so long as consumers otherwise understood that terms applied.

(The court dodges the nature of Honey’s relationship with consumers, even though it seems pretty obvious to me that consumers would expect a long-term relationship with Honey and that terms would apply to Honey’s software. If so, Ninth Circuit law might say that consumers were likely to presume that terms applied somewhere).

Similarly, it’s interesting how the court didn’t assume the TOS checkbox was mandatory, but textual references to its mandatory nature (or maybe a red asterisk?) would have helped. I saw this as a cautionary indicator that a screenshot may not be enough to establish a clickwrap, in which case either testimony from an engineer or a video will be required to establish the checkbox’s mandatory nature.

It’s the lawyer’s job to keep the right evidence. I wince every time I see a TOS formation case where the website operator (usually the defendant) relies on Wayback Machine evidence. The Wayback Machine is awesome and I love it, but it’s often not a complete rendering of the page, it doesn’t capture app interfaces, it doesn’t capture screens behind registration walls or paywalls, and it usually doesn’t capture animation or kinetic elements. In other words, submitting Wayback Machine evidence should be your last-ditch failsafe, not your Plan A. You can see how the judge was repeatedly underwhelmed with the Wayback Machine screenshots–almost certainly snatching defeat from the jaws of victory, as least for some of the plaintiffs in this case. The solution is simple: when you’re updating your TOS terms or your TOS interface, capture screenshots and videos to show how the pages look and work.

What’s next? The court’s split decision is a bummer for both sides, because it multiplies the litigation into parallel court and arbitration proceedings. Simultaneous litigation efforts jack up the costs and increase the risk of inconsistent outcomes. As an outsider to the litigation, the Solomonic approach would be to stay the arbitration for now, proceed with the in-court litigation, and then revisit the arbitration piece after the court decisions. That would allow the bulk of the case to proceed, save the duplicative costs, and avoid the risk of inconsistent outcomes. Indeed, it’s entirely possible the parties will know how to settle the arbitrated cases after getting the in-court results, in which case arbitration may never be needed. But Paypal could try to negotiate around this result, weaponizing the threat of litigation multiplication and the associated costs to goad the plaintiffs into arbitration first. An interesting game theory scenario.

Case Citation: White v. Paypal Holdings Inc., 2026 WL 496712 (N.D. Cal. Feb. 23, 2026)

The post If You Don’t Keep Good Records, Don’t Be Surprised if Your TOS Formation Fails in Court–White v. PayPal appeared first on Technology & Marketing Law Blog.

* * *

I previously summarized the case:

McGucken is a professional photographer who has appeared on the blog before. He claims that third party “contributors” uploaded his copyrighted photos to ShutterStock as part of ShutterStock’s licensing program. Specifically, McGucken claims that a total of 337 images were uploaded, of which 165 were downloaded and that led to 938 licenses. In total, those licenses generated $2,131 in revenues, split between the contributor and ShutterStock.

The court summarizes ShutterStock’s prescreening efforts:

Shutterstock reviews every image before it appears in the online marketplace. It claims that it does this to weed out images that contain “hallmarks of spamming,” “visible watermarks,” technical quality issues, or material like “pornography, hateful imagery, trademarks, copyrighted materials, [or] people’s names and likenesses without a model release.” Technical quality issues that, according to Shutterstock, could prevent an image from appearing on the platform include poor focus, composition, lighting, and blurriness. Shutterstock’s reviewers examine each image for an average of 10 to 20 seconds and typically each image is reviewed by only one person. Prior to review, Shutterstock automatically removes all metadata associated with the file and allows users to supply their preferred display name and metadata. Shutterstock’s reviewers examine that new user-created metadata, which includes an image title, keywords, and a description.

512(c)

The district court ruled on summary judgment for ShutterStock on all 512(c) elements. The Second Circuit reverses that conclusion on two elements, likely positioning those issues for trial.

Service Provider. The “broad definition…covers any online platform designed to assist users in doing something that benefits those users.”

Repeat Infringer Policy.

all McGucken has shown is that Shutterstock failed to terminate one repeat infringer. Considering that Shutterstock hosts hundreds of millions of images and videos, uploaded by millions of contributors, the failure to terminate one repeat infringer, standing alone, cannot establish unreasonable implementation. To hold otherwise would require a standard of perfection not contemplated by the statute.

Standard Technical Measures. Metadata doesn’t meet the statutory definition of STMs (nothing does).

Actual/Red Flags Knowledge. “McGucken cites nothing in the record suggesting that any Shutterstock employee ever reviewed the metadata (or lack thereof) associated with his images that were uploaded to the platform.”

Expeditious Removal. “Shutterstock’s removal of the noticed images within four days of McGucken’s DMCA compliant takedown notice was sufficient.”

Storage at User’s Direction. So far, the Second Circuit’s opinion is going smoothly. Now, it takes a dramatic turn for the worse.

The Second Circuit questions if ShutterStock stores its users’ uploads at their direction because it manually prescreens uploads applying its editorial standards:

The task for courts applying § 512(c)(1) is to decide whether a given service provider plays a sufficiently active role in the process by which material appears on its platform such that, as a result, its storage and display of infringing material is no longer meaningfully at the user’s direction….

functions like transcoding, copying, and playback of user-uploaded materials have fallen within the ambit of the safe harbor…

Our caselaw also makes clear that under § 512(c), service providers can review and screen user content before they store it on their platform without becoming ineligible for safe harbor, particularly where the ability to exert control over the content that appears on the platform is necessarily limited by the sheer volume of uploaded user content. [cite to Capitol Record v. Vimeo]…

A service provider may engage in rote and mechanical content screening, like excluding unlawful material, enforcing terms of service, or limiting uploads “to selected categories of consumer preferences,” without falling outside the ambit of § 512(c)(1). On the other hand, a service provider is likely to run afoul of § 512(c)(1) if it is applying its aesthetic, editorial, or marketing judgment to determine which user uploads it accepts….

we adopt the following general rule: if a service provider engages in manual, substantive, and discretionary review of user content—if, on a case-by-case basis, it imposes its own aesthetic, editorial, or marketing judgment on the content that appears on its platform—then its storage of infringing material is no longer “at the direction of a user.” In other words, “extensive, manual, and substantive” front-end screening of user content is not “accessibility-enhancing” and is not protected by the § 512(c) safe harbor.

Boom. Yet another notorious Second Circuit line-drawing exercise that ratchets up defense costs and undermines predictability for both sides.

So what evidence will show that a service is making “aesthetic, editorial, or marketing judgments”? You know this is going to be maddeningly talismanic…and trigger expensive discovery…

the duration of review—that is, how long each piece of user content is under review before it is approved or rejected—and the proportion of user uploads that the service provider accepts are relevant factors to resolving the inquiry. Likewise, the fact that a service provider conducts human review rather than screening images with software may indicate that its content review is more substantive than cursory. But none of these factors is dispositive, and they cannot substitute for the ultimate factual inquiry into the nature of the service provider’s screening of user uploads.

Seriously? Restated: using humans to prescreen increases the service’s legal risk, but only if the humans take too long to review each image (and how long is too long???). FFS.

The court continues reciting the evidence that indicates if the service is making aesthetic, editorial, or marketing judgments:

There is evidence in the record that suggests Shutterstock’s review of user images is neither cursory nor automatic. To begin, when a user submits an image to Shutterstock, the image does not immediately appear on the website; rather, the contributor must wait, sometimes for hours, until they receive an email from Shutterstock letting them know which of their images were accepted. That fact is not dispositive, but it suggests some intervention by Shutterstock between a user upload and the appearance of material on the platform. Moreover, Shutterstock’s website states that it “has high standards and only accepts a portion of the images submitted to be included in [its] collection.”…There are “30-odd” reasons that an image might be rejected by a Shutterstock reviewer, which include focus, exposure, lighting, and noise.

The record also contains evidence that Shutterstock’s reviewers exercise some subjective discretion even when applying seemingly rote and straightforward criteria. For instance, when considering an image’s focus, Shutterstock reviewers are “trained to know the difference between something that’s just out of focus and something that’s more intentional.” And according to Shutterstock, a reviewer may still accept an image that has focus issues if it is “a really unique shot” or a “hard shot to get.”…In the end, as Shutterstock itself concedes, “photography is an art . . . you can’t just say, ‘This is yes, this is no.’” Together, these statements could lead a factfinder to conclude that Shutterstock’s reviewers exercise a considerable degree of case-by-case aesthetic or editorial judgment when determining which images to allow on the platform.

What does the court expect ShutterStock to do here? If it doesn’t screen for image quality, its database becomes cluttered with junk–exactly what successful uploaders don’t want. Maintaining the database’s integrity keeps the credible uploaders from competing with AI slop, and a higher quality database is more likely to draw potential licensees because they can rely on the quality standards so they don’t waste their time. Perhaps the court thinks that running a paywalled licensing database is fundamentally inconsistent with 512(c).

And the idea that a few hours delay for prescreening may be disqualifying? Plaintiffs know what to do with musings like that.

The court continues:

Shutterstock counters that its front-end screening is rote and mechanical—that its reviewers consider only “apparent technical issues or policy violations.” And indeed, there is evidence in the record that supports that characterization. For one, as Shutterstock emphasizes, a reviewer typically spends no more than 10 to 20 seconds examining an image. Further, there is evidence in the record that approximately 93 percent of submitted images are approved for the platform. A factfinder might conclude that such a high “success” rate supports an inference that it is the users, and not Shutterstock’s reviewers, who dictate the images that appear on the site….

Of course, approving a high rate of submitted images could indicate that Shutterstock’s image screening is limited and permissive. Alternatively, a high image acceptance rate could suggest that Shutterstock’s contributors know what types of images are likely to be approved and proactively curate their own submissions. Indeed, the record suggests that one reason Shutterstock gives its contributors guidance on the images to submit is to reduce the likelihood that an image will be rejected. Similarly, a platform that successfully coaches its contributors on the types of images it prefers to display may generally have to spend less time reviewing each individual image. Therefore, while a low acceptance rate may indicate that a platform is selective in the content it accepts, a relatively high acceptance rate does not invariably establish the opposite.

As the old adage goes, if you’re explaining, you’re losing. Any service that has to haggle with plaintiffs over whether their content moderation is sufficiently “rote and mechanical”–e.g., whether their reviewers are lingering too long over a particular upload or rejecting too many uploads–has already lost the game.

Also…what’s the difference between (1) articulating content editorial standards in your TOS (which many regulators are now demanding, though those edicts may be unconstitutional), and (2) “coaching” users about what uploads are proper?

Right and Ability to Control the Infringements.

[Reminder: courts have redefined this factor to turn on whether the service exercises “substantial influence” over users’ activities. That redefinition clarified nothing, so we’re back to epistimological inquiries.]

Citing Vimeo, the court says “a service provider does not necessarily exercise substantial influence over user activities merely because it screens every upload before it appears on its platform.” In Vimeo, the court said a video-sharing platform could permissibly impose content gatekeeping criteria that “were in the nature of (i) avoiding illegality and the risk of offending viewers and (ii) designing a website that would be appealing to users with particular interests.” In Viacom, the court said substantial influence exists “where the service provider instituted a monitoring program by which user websites received ‘detailed instructions regard[ing] issues of layout, appearance, and content.’”

Here, the court says: “the relevant inquiry here is whether the image pipeline Shutterstock has constructed—which begins with its lengthy guidelines for successful submissions and ends with manual image review—enables Shutterstock to exercise substantial control over the images that appear on its platform.”

An “image pipeline”? Are we reinvigorating 1990s metaphors about surfing the Internet?

The court identifies the relevant evidence to this standard:

Shutterstock screens every image before it appears on the platform—this screening determines whether an image ever gets on the platform….there is evidence here that Shutterstock’s image review goes beyond the limited purposes of restricting the site to “selected categories of consumer preferences” and excluding unlawful images. Rather than engaging in categorical content screening—like accepting only holiday-themed images, or images that feature animals—Shutterstock appears to screen user images for their overall aesthetic quality. Curating a “collection” of high-quality images is not the same as designing a website “that would be appealing to users with particular interests.”…

Shutterstock extensively advises potential contributors on the types of images it is likely to accept. That is unlike the service provider in Vimeo II, which “encouraged users to create certain types of content,” but did not condition their ability to post material on whether they created the provider’s preferred types of content….a reasonable factfinder might conclude that the advice and instruction Shutterstock provides its contributors, coupled with its image screening process, are sufficiently coercive to constitute substantial influence….

the duration of Shutterstock’s image review and its 93 percent approval rate are relevant facts, but they are not dispositive

One way of reading this is that the Second Circuit is collapsing the distinctions between the “stored at a user’s direction” and “right and ability to supervise” factors, because apparently they both depend on the same evidence?

1202 CMI

ShutterStock automatically strips out the metadata of uploaded images and adds its own watermark to every image in its database. The court says the 1202 claims fail:

McGucken points to no evidence suggesting that Shutterstock affixed its watermark to his images—or, indeed, to any images—with knowledge that it constituted false CMI and for the purpose of concealing copyright infringement…

While Shutterstock concededly knows that it removes CMI from every image ingested into its system, Shutterstock explained—and McGucken failed to refute—that it removes metadata from all images primarily to avoid computer viruses and the dissemination of personally identifiable information, and not for any reasons related to infringement.

This ruling reinforces that 1202 has a “double scienter” requirement, which should help curb other 1202 cases–especially the cases against generative AI model-makers.

Implications

Second Circuit Walks Back the Vimeo Case. Last year’s Vimeo opinion was written as if it was a watershed Section 512(c) defense win, but it didn’t draw much attention. Why? First, I viewed it as a Pyrrhic defense victory because it added yet more details that plaintiffs could attack to disqualify 512(c) defenses. Second, I think no one really believed other Second Circuit panels would defend the 512(c) safe harbor the way Judge Leval tried to do. And here we are. A year after the Vimeo opinion, and the next Second Circuit panel to address Section 512(c) compounds Section 512(c)’s complexity and undermines 512(c) for any service that prescreens content.

(Note: the Second Circuit did the same thing a decade ago. The EMI v. MP3Tunes decision walked back a defense-favorable Vimeo ruling that had come out not that long beforehand).

The Incoherent Standard for User-Directed Storage. The Second Circuit says: “A service provider may engage in rote and mechanical content screening, like…enforcing terms of service” and still qualify for 512(c). However, the service loses 512(c) if it “imposes its own aesthetic, editorial, or marketing judgment on the content.”

Hello…does anyone else see the intractable conflict? A service can always claim it is “enforcing its terms of service” when moderating content, so this legal standard sets up an obviously false dichotomy. The opinion then suggests there are right and wrong kinds of TOS terms, such as its discussion about impermissible “coaching” to secure the right kinds of uploads. At minimum, this ensures more expensive discovery and fights over how the Second Circuit purported to thread this needle.

Bonus conceptual dilemma: the court says 512(c) disqualification occurs if a service “imposes its own aesthetic, editorial, or marketing judgment on the content that appears on its platform,” and then it says that the evidence for this is if the service does “manual, substantive, and discretionary review of user content.” These are not the same thing! Content moderation always involves difficult judgment calls and line-drawing exercises, so it’s possible to do “manual, substantive, and discretionary review of user content” for reasons other than imposing “its own aesthetic, editorial, or marketing judgment on the content that appears on its platform.”

Then again, the inclusion of the word “editorial” makes the court’s standard a non-standard. Every content moderation judgment is an editorial decision of some sort. Thus, the phrase “rote and mechanical content screening” is incoherent.

This Opinion is an Attack on Content Moderation. Restated, this court says that some pre-posting content moderation disqualifies defendants from 512(c). But which content moderation techniques should defendants avoid if they care about 512(c)? No idea. The court puts every content moderation decision in play. Reviewers took too long. Reviewers tried to screen out junk submissions. Reviewers made judgment calls about how to apply standards (which every content moderator must do with every decision). The services’ rejection rates are too high. The service did too much “coaching” of what uploads it wanted. In other words, there is no safe harbor for content moderation that ensures the safe harbor for user-caused copyright infringement. Plaintiffs can attack everything.

The court’s “guidance” to services is to do less content moderation if they want toincrease their eligibility for 512(c). This is a terrible message to send, especially now. As a reminder, Section 230 was written because Congress wanted to encourage, not discourage, content moderation. Further, it’s tone-deaf about what’s going on in the real world right now. We desperately NEED more content moderation, not less; we need more efforts to identify or screen out AI slop; we need more efforts by services to encourage civility and discourage rage. The Second Circuit, instead, wants to trigger liability if content reviewers maybe think a few extra seconds about whether something should go live or not. The Second Circuit really needs to read the room.

I will also add that this opinion implicitly encourages services to impose stricter time limits on content reviewers’ average review times, even though such time limits will likely increase the overall stress and burnout of content reviewers. This is a decidedly human-unfriendly opinion at every level. Or maybe the Second Circuit thinks services should shift more content review to the algorithms???

Case citation: McGucken v. Shutterstock, Inc., 2026 WL 364412 (2d Cir. Feb. 10, 2026)

This ruling might inspire you to revisit my essay, How the DMCA’s Online Copyright Safe Harbor Failed.

Want more? See my follow-on post, A First-Hand Look at the Messy Underbelly of DMCA 512(c) Takedowns

The post Pre-Publication Content Moderation Can Disqualify Services from the DMCA 512(c) Safe Harbor–McGucken v. ShutterStock appeared first on Technology & Marketing Law Blog.