Privacy/Security Archives - Technology & Marketing Law Blog

Section 230’s Application to Account Terminations, CSAM, and More

Eric Goldman — Thu, 19 Mar 2026 15:22:14 +0000

The Section 230 cases keep coming faster than I can blog them (the first 3 hit my alerts in a single day).

Weiss v. Google LLC, 2026 WL 733788 (Cal. App. Ct. March 16, 2026)

Weiss’ business started running financial services ads on Google in 2015. Google suspended the ads multiple times, until Google issued a final suspension in 2024. The court says Section 230 protects Google’s suspension decisions.

The court starts with standard context-setting: “California’s appellate courts and federal courts have also generally interpreted section 230 to confer broad immunity on interactive computer services.”

The court continues:

Weiss seeks to adjudicate Google’s characterization of his business and its decision to suspend its ads. However, this conduct, i.e., Google’s “refusal to allow certain content on its platform,” is “typical publisher conduct protected by section 230” regardless of the reason for that refusal….

even if Google’s characterization of Weiss’s advertisements does not align with Weiss’s characterization, section 230 still affords Google immunity from liability for its decision to suspend his content…

all the content Weiss claims Google wrongfully suspended was admittedly created by Weiss, not Google…

Google’s determination that Weiss’s ads violated its general policies is not equivalent to contributing to the ads’ content.

In a footnote, the court adds: “Weiss seeks to hold Google liable for its enforcement of its own general policies, rather than a breach of a specific promise.”

When the dust settles, this becomes just another failed lawsuit over account terminations and content removals.

A reminder of the content moderation dilemma Google faces here. A few courts have said that Facebook doesn’t qualify for Section 230 protection for running scammy ads (e.g., Forrest v. Facebook). As a result, Google has good reason to suspend Weiss’ ads to manage its own liability exposure. At the same time, if Weiss succeeded with his claims here, then Google would have been potentially liable for removing ads based on Google’s fears that they are scammy. This would force Google to deploy a Goldilocks version of content moderation: Google would have to get its ad removal policy “just right,” with potential liability for mistakes in either direction. An impossible challenge.

Thompson v. The Meet Group, 2026 WL 730134 (E.D. Pa. March 16, 2026)

Thompson said Tagged deactivated his livestreaming account and stole $10k from him.

For reasons that aren’t obvious to me, Tagged defended on Section 230(c)(2)(A) grounds instead of 230(c)(1). Maybe this has something to do with trying to navigate around the abysmal Anderson v. TikTok case? EDPa courts are bound by that decision.

The court says Tagged can’t establish the 230(c)(2)(A) defense elements on a motion to dismiss: “application of CDA immunity in this case requires assessment of facts that are not in the pleadings—such as the reason why Thompson’s account was disabled and the content of Thompson’s posts.” Also, Thompson’s allegations of theft might defeat 230(c)(2)(A)’s good faith prerequisite. Cites to Smith v. TRUSTe and e-ventures v. Google.

No matter, the case fails anyway. (Another example of Section 230 not being the only reason why lawsuits lose). The court says the plaintiff had no property interest in his social media account that could be converted (cite to Eagle v. Morgan). The plaintiff’s TOS breach claim fails multiple ways, including the TOS’s reservation of termination rights and damages waiver.

So this becomes yet another failed lawsuit over account terminations, just not due to Section 230. You already know this, but if you’re a defendant in these cases, you should be focusing on 230(c)(1), not 230(c)(2)(A).

Gehringer v. Ancestry.com Operations Inc., 2026 WL 734526 (N.D. Cal. March 16, 2026)

Plaintiffs are individuals who have not subscribed to the Ancestry.com service and have not consented to the use of their name or photograph. They allege Ancestry not only includes their yearbook information on a searchable database, but also utilizes their likenesses as part of advertisements for Ancestry.com services…

Plaintiffs contend Ancestry used their likeness in three forms of “advertising”: 1) publication of the yearbook information on a database that contains a paywall for certain features; 2) dissemination of emails to potential Ancestry.com subscribers, noting Ancestry Hints® can expand their family tree, and using the names and images of Plaintiffs as examples; and 3) an Ancestry free trial program that allows potential subscribers to access Plaintiffs’ yearbook information for a limited time.

The court nixes claims over category #1 and #3 ads due to copyright preemption.

As for the category #2 ads:

Plaintiffs allege Ancestry crafted email advertisements that included their likenesses to encourage potential customers to subscribe to Ancestry’s service. The email advertisements were not created by a third-party user of Ancestry.com—Ancestry authored the content, and as such, it is “responsible, in whole or in part, for the creation” of that offending content. To avoid this conclusion, Ancestry attempts to recast the allegations in the First Amended Complaint, asserting Ancestry merely “republish[es] yearbook photos taken and first published by Esperanza High School.” But as the screenshots in the Complaint confirm, the emails sent by Ancestry to prospective users include far more than republished images of Plaintiffs; they incorporate those images into an advertisement for the Ancestry Hints® functionality and Ancestry’s subscription service. Drawing all inferences in Plaintiffs’ favor, Section 230 does not immunize Ancestry against liability for the content of the alleged email advertisements

Notice that Ancestry’s ad creation practices go further than Facebook’s sponsored stories, which also didn’t qualify for Section 230 protection.

State v. Sharak, 2026 WI 4 (Wis. Supreme Ct. Feb. 24, 2026)

Google scanned Sharak’s Google Photo uploads, identified what it thought was CSAM, and submitted a CyberTip. Sharak argued that Google was conducting the search on the state’s behalf. The court disagrees and upholds Sharak’s conviction.

That isn’t unusual. What’s more unusual is the court’s discussion of Section 230. “Rauch Sharak argues that [Section 230(c)(2)’s safe harbor] encourages ESPs to scan for CSAM by granting immunity to ESPs that moderate content and creating civil and criminal liability if ESPs do not scan for CSAM.”

The court responds:

Though § 230(c) may grant immunity to ESPs that choose to scan for CSAM, it does not require, reward, or incentivize scanning for CSAM in the first place. Moreover, § 230(c)(2)(A) grants immunity for “any action voluntarily taken in good faith to restrict access to” obscene material, which sweeps far more broadly than would be required to induce Google’s CSAM scan at issue here….

Even if the statutes encourage Google to scan for CSAM or provide a law-enforcement purpose, Rauch Sharak has not shown that they are enough to turn Google into an instrument or agent of the government.

Alice Rosenblum v. Passes Inc., 2026 WL 711837 (C.D. Cal. Feb. 3, 2026)

[The fact allegations are based on the court’s summary of the complaint.] Passes is a competitor to OnlyFans. Unlike its rivals, Passes allows 15-17 year olds to create accounts with parental consent. Guo is the CEO, and Celestin is a content acquisition specialist. At Guo’s direction, Celestin personally reached out to 17-year-old Alice Rosenblum to create a Passes account. Celestin did a photoshoot of Rosenblum and (with Guo’s help) created a Passes account for her without requiring parental consent.

“Over the next month, while Plaintiff was still 17 years old, Celestin and Ginoza [another Passes employee] allegedly directed Plaintiff to create sexually explicit images and videos of herself….the FAC provides over 14 examples of child sexual abuse material (“CSAM”) involving Plaintiff, being marketed on the Passes platform for $69 to $4,000. Furthermore, Passes agents posing as Plaintiff allegedly communicated via direct message to “big spenders” to continue to market and sell CSAM involving Plaintiff.”

The court rejects Passes’ and Guo’s Section 230 defense:

Section 230 immunity plainly does not apply to Plaintiff’s claims. To be sure, Plaintiff does largely seek to hold Passes Defendants liable as providers of an interactive computer service, and several allegations treat Passes as a publisher, as they involve Passes’ distribution of CSAM involving Plaintiff…Plaintiff alleges that Passes and its agents were directly responsible for the creation and portrayal of the CSAM on the Passes platform: Plaintiff alleges that Celestin, acting as an agent of Passes, personally took at least one photo of Plaintiff which was uploaded to Passes, and further instructed her to create specific photographs and videos and upload them to Passes, which he later marketed under specific captions and sold. Plaintiff further alleges that Passes itself hosted a banner featuring a sexually explicit photo of Plaintiff, which marketed CSAM involving Plaintiff. Plaintiff therefore seeks to hold Passes liable for harm allegedly arising out of its own creation of harmful content.

Passes claimed that Celestin and Ginoza were third parties, but “As alleged, Celestin was
not merely another third-party user of Passes; rather, he acted as an agent and employee of Passes.” Cite to Quinteros.

The court summarizes:

Section 230 immunity does not apply to Passes, a platform which has allegedly, through its agents, deliberately created, marketed, and sold illegal content, acting as an “information content provider” that uses its own “interactive computer service.”

In a footnote, the court adds regarding Guo: “Plaintiff’s allegation that Guo encouraged Plaintiff over the phone to post content, which supports Plaintiff’s claims for IIED and California Civil Code § 52.5, does not hold Guo accountable for Passes’ publishing activity.”

Doe v. X Corp., 2026 WL 772384 (N.D. Tex. Feb. 25, 2026)

“A third party copied commercial pornographic content from Plaintiff’s OnlyFans and studio-based productions and uploaded it to X without his consent, violating the OnlyFans terms and conditions and the studios’ licensing agreements.” He sued pursuant to 15 U.S.C. § 6851(b)(1)(A), a private right of action for nonconsensual production of intimate visual imagery. Doe produced the porn consensually, but he claims the restrictions extended to nonconsensual distribution.

The court says X qualifies for Section 230. Doe responded that he owned the IP in the works, so the IP exception applies. The court says:

The [IP] exception applies only when the claims arise from a law directly implicating intellectual property rights, not merely when intellectual property is involved in the claim. And the statute under which Plaintiff sues—§ 6851—is not an intellectual property law. Rather, it is concerned with “whether the depicted individual consented to a specific disclosure of an intimate visual depiction—regardless who holds the copyright to the image.” Thus, § 6851 creates a privacy-based tort right of action, not an intellectual-property based one.

The boundary between privacy and IP laws remains amorphous–increasingly so with all of the concerns about “deepfakes,” “virtual replicas,” and other AI-related regulations that use privacy framing to create what look like sui generis IP rights. This could be a good student paper topic.

For more discussion of the IP exception to Section 230, see this article.

Teague v. Google, 2026 WL 746996 (D. S.D. March 17, 2026)

Plaintiff claims Google committed defamation based upon the fact that “people think I raped [redacted]. This case (sic) been dismissed in 2021 but it still show (sic) on Google and caused me to (sic) threaten and attacked a few times.” Plaintiff further claims his image is on Google and it is difficult to get a job because the rape charges still appear on Google.”…

Google is not a “publisher or speaker” under the CDA and therefore “cannot be liable under any state-law theory to the persons harmed by the allegedly defamatory material.”

Google is immune from suit for defamation claims arising out of other content providers’ posts on the internet.

The post Section 230’s Application to Account Terminations, CSAM, and More appeared first on Technology & Marketing Law Blog.

Photobucket’s Attempted TOS Amendment Mostly Fails–Pierce v. Photobucket

Eric Goldman — Sat, 14 Mar 2026 16:54:18 +0000

Photobucket is a venerable photo hosting service whose best days are far behind it. In 2017, its management imploded the service by imposing above-market hosting fees. Most users stopped using Photobucket, but Photobucket kept their photos.

In 2024, Photobucket emailed its legacy users, asking if they wanted Photobucket to keep or delete their accounts. Users who clicked on the email’s links–included to delete their accounts–were presented with a new TOS formation process that included a consent to use the photos to derive users’ biometric information for AI purposes. “If users did not opt out of the Biometric Policy within 45 days of July 22, 2024, Photobucket claims the right to sell, lease, trade, or otherwise profit from the users’ biometric information.” (Photobucket claims it hasn’t actually pursued this AI option). The new TOS also contained an arbitration provision that wasn’t in some prior TOS versions. Photobucket invokes the arbitration clause against the plaintiffs’ lawsuit.

Article III Standing. The court says the plaintiffs only have Article III standing for equitable relief, not damages. This narrows the case substantially.

Pierce

Pierce agreed to Photobucket’s 2008 TOS and last logged into Photobucket in 2014. The 2008 TOS informed Pierce that his “continued use” of Photobucket would constitute acceptance to any TOS modifications. Since he didn’t use the site after 2014, he didn’t assent-by-use to the 2024 TOS:

a reasonable person would not understand his failure to take his photos off of
Photobucket, after not logging in for nearly ten years, to constitute “continued use” and thus acceptance of any revised terms.

In other words, a user’s maintenance of a legacy account isn’t “continued use” of the service.

Ms. Hughes

Ms. Hughes agreed to Photobucket’s 2006 TOS and last logged into Photobucket no later than 2011. The 2006 TOS said:

By using the Services you agree to the Terms of Service set forth below as they may be updated from time to time by Photobucket.com, Inc. (“Photobucket.com”). Photobucket.com may modify or terminate the Services from time to time, for any reason, and without notice, including the right to terminate with or without notice, without liability to you, any other user or any third party, provided that when Photobucket.com does so, it will update these Terms of Service. You are advised to periodically check the website for changes in the Terms of Service.

The court says this TOS “told Ms. Hughes that she was “advised to periodically check the website for changes in the Terms of Service.” The 2006 Terms “necessarily inform[ ] how a reasonably prudent user would interact” with Photobucket’s website.”

But…the TOS applicable to Pierce said “It is therefore important that you review this Agreement regularly to ensure you are updated as to any changes.” The court disregarded that language for Pierce. Can you find a difference between the disclosures to Pierce and Hughes? Beyond the (seemingly immaterial) language differences, the court’s different conclusions might be explained by (1) Pierce was governed by Colorado law, Hughes by CA law; or (2) Hughes admitted getting emails telling her about the coming changes, though she didn’t pay attention to them. I don’t find those distinctions persuasive, so I can’t meaningfully distinguish Pierce’s situation from Ms. Hughes’.

The court says Hughes is bound to the 2024 TOS:

the 2006 Terms told Ms. Hughes that she had an obligation to periodically check Photobucket’s website for updates to the Terms. The 2024 Terms and arbitration provision constitute an update to the Terms that Ms. Hughes had an obligation to stay apprised of. Ms. Hughes assented to the 2024 Terms because they informed her that failure to opt out within 45 days of the effective date would constitute acceptance, and Ms. Hughes did not opt out

Whoa. The court is saying that even though Hughes functionally abandoned Photobucket in 2011, a “reasonably prudent user” would have kept checking Photobucket’s TOS 13 years later just in case the terms had changed. Wild.

Because Ms. Hughes “agreed” to the 2024 TOS, she also “agreed” to its jury trial waiver.

However, the arbitration clause excludes IP claims. The plaintiffs alleged 1202(b) claims, which the court says are IP claims and thus not covered by the arbitration provision. This claim stays in court.

Cumming

The parties can’t agree when Cumming created her Photobucket account or when she last used it, but everyone agrees that she agreed to the 2013 TOS and didn’t use the site later than 2013. That TOS version said “so long as you’ve used the Site after the change, regardless of any separate notice, you agree to the current posted version of the Terms.” Similar to the court’s discussion of Pierce, the court says “a reasonable person in Ms. Cumming’s position would not understand her failure to take photos off of Photobucket to mean that she “used” Photobucket after 2010 or 2013 and thus assented to the 2024 Terms.”

Mr. Hughes

He didn’t have a Photobucket account, but Ms. Hughes uploaded photos of him. The court says he’s not a third-party beneficiary of any TOS and not bound by the arbitration clause.

Court Stay

The court stays the litigation until after the arbitration, even though the court held that 3 of the 4 named plaintiffs were not bound by the arbitration and the fourth plaintiff had a claim not subject to arbitration. Because the court will not be bound by the arbitrator’s decisions for the non-arbitrated plaintiffs and claims, I didn’t understand why the court held everything else up. A slightly lucky break for Photobucket, because it avoids the cost of defending the litigation and arbitration simultaneously.

Implications

Here’s where things stand when the dust settled:

damages are out of the case
part of one plaintiff’s case is sent to arbitration
when that’s complete, the court will address the remainder of that plaintiff’s case plus the other three plaintiffs’ cases

A messy outcome…perhaps messy enough to motivate the parties to settle? Without the availability of damages, this case became less interesting to the plaintiffs. Alternatively, I could also see the plaintiffs appealing this ruling.

Though Photobucket nominally got the outcome it wanted (the case sent to arbitration), it does not come out of this ruling looking very good. Some of the lowlights:

its inital TOS amendment provisions sucked. It had various versions of “you need to come back to the site to check for possibly amended terms,” which has rarely fared well in court. Frankly, it’s shocking to see the judge find this “keep checking the TOS 13 years later” provision worked against Ms. Hughes. I don’t think that’s what a reasonable consumer would do. (As usual, the court cited no empirical basis for its assessment of what a reasonable consumer would do or think).
the fact that Photobucket’s TOS amendment language kept changing over time. The language differences ensure more litigation work when it’s challenged.
the fact that Photobucket kept changing its governing law clause. Another decision that increased its defense costs and the risk of inconsistent outcomes.
the fact that Photobucket couldn’t definitively establish the dates of the users’ account creation or usage.
its 2017 implosion. How did it misjudge the market so badly?
its 2024 pivot to potentially engage in AI mining. I guess if you’ve already killed your business, why not try to salvage what’s left of the carcass?
the attempt to bind legacy users via a TOS that users had to click through even if they wanted to exit Photobucket. Gauche.
the arbitration provision’s exclusion for IP. Plaintiffs are weaponizing 1202, so IP carveouts have become dangerous. Reminder: every part of the arbitration provision should be carefully vetted for potential plaintiff weaponization.

The result was a messy outcome with different plaintiffs for getting different outcomes. Not what Photobucket was aiming for.

The obvious question: was there a better way for Photobucket to force all legacy users onto its new AI-friendly terms? This judge seemed to believe that the right incantation would let Photobucket put the onus on users to check for TOS amendments, but most judges won’t permit this. Could Photobucket have forced users to the new terms through its emailed notifications? The Ninth Circuit just permitted this, so maybe? The reality is that it’s difficult or impossible to universally bind all legacy users to new terms if they aren’t coming back to the website. I don’t have any clever hacks or tricks to work around this.

Case Citation: Pierce v. Photobucket Inc., 2026 WL 672764 (D. Colo. March 10, 2026). CourtListener page.

Other posts about Photobucket

The post Photobucket’s Attempted TOS Amendment Mostly Fails–Pierce v. Photobucket appeared first on Technology & Marketing Law Blog.

Fair Use Blocks Privacy-Motivated Copyright Lawsuit–MCM v. Perry

Eric Goldman — Mon, 16 Feb 2026 17:14:50 +0000

The case involves a Twitter user, Perry (a/k/a “I, Hypocrite”), who tweet-critiqued a crypto company Celsius Networks. The first tweet in the sequence referenced a business setback for Celsius. The second tweet in the sequence contained a collage of two images with the caption “Same company btw” (i.e., Celsius).

The first collaged image shows Jessica Khater’s, a Celsius executive, listing in Forbes 30 Under 30. The second collaged image is a screenshot from an unnamed video that depicted “Jessica” with the transcription that she studied marketing and business. The juxtaposition implied that Jessica and the Forbes 30 Under 30 executive were the same person.

The court is as baffled by this tweet thread as you are (“This Court makes no finding as to what Defendant subjectively intended to communicate through the Tweet, as the Defendant’s intentions are not alleged within the complaint or obvious from the Tweet itself”). Connecting the dots, perhaps the inference is that the Forbes 30 Under 30 executive studied business and marketing, worked for Celsius, and thus might be responsible for Celsius’ downfall. Or perhaps the inference is that the Forbes 30 Under 30 executive chose to make porn earlier in their life (which, as discussed in a moment, would not be true) and that choice relates to their competence or reputation. If either inferential chain seems illogical or shaky, recall this is a social media tweetstorm about crypto, a notoriously chaotic corner of the information ecosystem. The court never expressly resolves if the video Jessica and the Forbes 30 Under 30 executive are the same person.

The screenshot is included in the court filings, and the similarities of the two faces is directly relevant to the tweet sequence’s meaning. Nevertheless, I’m covering up “Jessica’s” face because she is a sex trafficking victim:

The screenshot was extracted from an unnamed sexually explicit video produced by Girls Do Porn (GDP). As you can see, the screenshot isn’t sexually explicit (Jessica is depicted on a bed fully clothed). In prior proceedings, another court held that GDP was “a criminal sex trafficking enterprise” and awarded restitution by transferring the IP rights in the videos to the victims–presumably to give the victims additional legal tools to suppress further disseminations of the video. (I didn’t work through the 17 USC 201(e) implications of the prior restitution order).

“Jessica” received the copyright to the video from which the screenshot was extracted and assigned the rights to an enforcement agent. Jessica’s enforcement agent sent a 512 takedown notice to Twitter targeting the screenshot. Twitter removed the tweet.

Despite the removal, Jessica’s enforcement agent also sued Perry for copyright infringement for posting the screenshot in the first place. The court dismisses the claim due to fair use–on a motion to dismiss.

Nature of the Use

the Tweet utilized the still frame for a transformative purpose. The Video is a pornographic film with the express purpose of displaying explicit sexual content. Conversely, the Tweet does not contain any nudity or sexually explicit imagery and is framed as a commentary on Celsius….

The Defendant’s reproduction of the still frame in the composite image is in service of this commentary….By arranging the images of two women, both identified as being named Jessica, side by side, the composite image vaguely implies that a Celsius executive appeared in a pornographic film. The still frame’s accompanying text stating that Jane Doe was studying business and marketing further supports this implication.

In short, a reasonable observer would understand the Tweet as a commentary on Celsius with a markedly different purpose from the original pornographic video. Further, as a commentary on a “subject of public interest” (i.e., Celsius’ decision to pause its customer’s transfers and withdrawals), the Tweet’s transformative use of the still frame justifies its copying.

Nature of the Work. The court says this factor is neutral and not important.

Amount Taken

the Tweet reproduced a single frame of a forty-six-minute video….The Tweet does not capture the central expression of the Video and is not a substitute for the original. The heart, or core, of the Video is its sexually explicit imagery. The Tweet is not pornographically explicit and shows a fully clothed woman describing her career interests.

Market Effect

Defendant’s use of a single still frame from the Video was a transformative secondary use intended as a form of commentary on Celsius. Further, the Defendant’s use of a single frame from the video did not include any sexually explicit imagery. In short, a person in the market for a sexually explicit, pornographic film would not turn to the Tweet. Because Defendant’s use of the still frame would not, and could not, usurp the market for the Video…

Plaintiff admits that the Tweet would not harm the market for the Video.

Implications

Do Screenshots Extracted from Videos Infringe? In general, I think that single images extracted from videos should routinely qualify as fair use. This case involved more complicated facts, because the video’s screenshot compared the depicted individual to the Forbes 30 Under 30 segment in service of a larger critique of Celsius. Many extracted screenshots from videos won’t similarly engage in social commentary or need to present the screenshot as visual evidence to support the commentary.

Even so, if the extracted screenshot merely illustrate the video or the person depicted, or provides the foundation for a meme, the republication of a screenshot is a trivial fraction of the source work and poses no threat to the market for the originating video. In other words, the last two fair use factors should always weigh in the defendant’s favor. This case may not be definitive precedent to establish that other screenshot publications should routinely qualify as fair use, but it shows a roadmap to that conclusion.

Copyright and Overremovals. Twitter honored to Jessica’s enforcement agent’s 512 takedown notice by removing the tweet. However, this court opinion confirms that the tweet was never infringing. As a result, Twitter’s response appears to be yet another unwarranted 512-induced overremoval (I have another post about DMCA overremovals coming soon).

When Takedowns Don’t Satisfy the Copyright Owner. We don’t often see copyright owners sue uploaders after a successful 512 takedown. 512 doesn’t eliminate those lawsuits; instead, 512(h) facilitates such lawsuits by helping copyright owners unmask the uploader. Nevertheless, the incremental value of a copyright infringement lawsuit after a successful takedown is typically small. The need for an injunction has essentially evaporated; lawsuits take a long time chronologically and cost more money; the damages at issue might be trivial (especially if the takedown was effectuated quickly); and the copyright owner runs the risk of a Streisand Effect (an especially acute risk here given the privacy motivation of this lawsuit). I’m not sure what the plaintiff hoped to accomplish with this post-takedown lawsuit.

Copyright as a Silencing Mechanism. This lawsuit seemed to be motivated more by privacy concerns than copyright. The plaintiff admitted as much: “Plaintiff wishes to depress the demand for the Video and use the Federal Copyright Law to control further dissemination of the Video, or any portion thereof” (cleaned up).

While copyright law can act as a doctrinal tool for suppressing content, it’s ill-suited as a privacy tool for reasons that Prof. Silbey and I discussed in our Copyright’s Memory Hole paper. As we wrote there, “treating copyright law as a general-purpose privacy and reputation tort harms us all.”

I’ll note that the complaint only alleged copyright infringement–no defamation, false light, or privacy claims. I wonder if any of those alternative claims would have been more appropriate to address the underlying privacy concerns?

* * *

I feel sympathy for Jessica’s sex trafficking victimization. However, especially after Twitter’s takedown of the screenshot, this copyright lawsuit was also problematic. I still believe that any time a court grants fair use on a motion to dismiss, a 505 fee shift to the defense should usually follow because the legal claims weren’t close.

Case Citation: MCM Group 22 v. Perry, 2026 WL 279525 (S.D.N.Y. Feb. 3, 2026). The complaint. Defense counsel’s writeup of the case.

The post Fair Use Blocks Privacy-Motivated Copyright Lawsuit–MCM v. Perry appeared first on Technology & Marketing Law Blog.

California’s Consumer Privacy Act (CCPA) Assists a Private Right of Action–Shah v. MyFitnessPal

Eric Goldman — Sun, 15 Feb 2026 15:56:35 +0000

It’s been years since I blogged about the California Consumer Privacy Act (CCPA). Have you missed the dumpster fire meme?

* * *

This is one of an ever-growing number of cases alleging that a website purported to let users decline cookies but then disregarded those instructions and placed the cookies anyway.

Among other claims, the plaintiffs alleged that the unconsented cookie placements and resulting consumer tracking violated the common law invasion of privacy and intrusion upon seclusion doctrine. The court says that the CCPA’s statutory provisions bolster these common law claims:

The California Consumer Privacy Act (CCPA) further supports the conclusion that plaintiffs Shah and Wiley had a reasonable expectation of privacy in the information that was collected by cookies they had attempted to reject. As the California Attorney general’s website explains, the CCPA requires that companies give users the choice to opt out of any collection of personal information for “cross-context behavioral advertising, which is the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s online activity across numerous websites.”

Two obvious points. First, CA AG’s website explanations aren’t binding interpretations of the CCPA. As the Dude might say, that’s just like, uh, their opinion, man. (Though this AG quote is just trying to summarize the overwhelmingly complex CPRA).

Second, the CPRA’s cross-context behavioral advertising restriction doesn’t implicate all cookie placements. In other words, there are many reasons why a website might place a cookie that have nothing to do with that awkward statutory construct. In this case, some of the defendants’ activity at issue would not be related to the AG’s guidance.

The court continues:

When evaluating Californians’ reasonable expectations of privacy, the CCPA’s provisions are highly relevant “customs, practices, and circumstances,” because they provide Californians with the reasonable expectation that they will have some control over their data and necessarily shape users’ expectations about their ability to opt out of websites’ collection of data for profit.

Say what? The CCPA expressly precludes private rights of action for violations of its privacy provisions (there’s an unrelated limited private right of action for some data breaches). However, if courts will treat the CCPA’s statutory text as norm-shaping in a way that strengthens common law privacy claims, the CCPA’s text nevertheless facilitates a private right of action workaround despite its clear and contrary statutory intent. Nice.

Some courts have already been mangling the CCPA’s data breach private right of action to apply to any data disclosures, not just those we’d consider to be a result of a “breach.” Now, if the CCPA further turbocharges common law-based private rights of action, plaintiffs are getting an expanding toolkit of options to bypass the CCPA’s clear, express, and very-much-intended prohibition on private rights of action.

To be fair, I don’t think the court needs the CCPA’s norm-setting to establish the problems with asking users for their cookie preferences and then (allegedly) disregarding those instructions. If the website says X and then does not-X, consumers have a pretty reasonable expectation of X–no need for any statutory backup to legitimize that expectation. At the same time, I think of cases, like the old In re JetBlue case, where there’s a “no harm/no foul” realpolitik outcome when a privacy violation is inconsequential. If the plaintiffs don’t like a website’s data collection, but suffer no adverse consequence from it, what are we even doing?

Case Citation: Shah v. MyFitnessPal, Inc., 2026 WL 216334 (N.D. Cal. Jan. 27, 2026)

Because this case involves both the CCPA and CPRA, I might as well include the CPRA meme too:

Prior CCPA/CPRA Posts

The post California’s Consumer Privacy Act (CCPA) Assists a Private Right of Action–Shah v. MyFitnessPal appeared first on Technology & Marketing Law Blog.

The Sixth Circuit Wades Into Online TOS Formation (and Leaves Me More Confused Than Ever)–Dahdah v. LowerMyBills

Eric Goldman — Thu, 12 Feb 2026 23:40:25 +0000

TL;DR: The court provides this overview:

LowerMyBills.com refers internet users who are interested in refinancing their home mortgages to affiliated lending partners, including Rocket Mortgage. The website tells users that they will agree to its hyperlinked “Terms of Use”—including a mandatory arbitration provision—if they click on a particular button. Michael Dahdah visited this website three times, inputted his information, and clicked the critical buttons. LowerMyBills referred him to Rocket. When Dahdah later received calls from Rocket that he did not want, he sued the company in federal court. Rocket responded by invoking LowerMyBills’ arbitration provision. But the district court held that Dahdah’s “click” did not create an enforceable agreement. We disagree. Under the significant body of circuit precedent interpreting California law, LowerMyBills gave Dahdah sufficiently conspicuous notice that he would accept the proposed terms by clicking the button. So his decision to take this action qualified as a valid “acceptance” of LowerMyBills’ “offer” to contract. The district court thus should have granted Rocket’s motion to compel arbitration.

* * *

Let’s dig into the details, starting with the relevant screens. The plaintiff went to LowerMyBills’ site and requested information about mortgages. The court focuses on the following two screens (the fourth and fifth pages in a 5-page sequence). A screenshot of the bottom of the fourth screen:

A screenshot of the bottom of the fifth screen:

[By redacting the screenshots to only show the page bottoms, the court removed the TOS formation process from the full context. This supports the court’s pro-formation bias by making the pages look simpler than they actually were.]

As you can see, these screenshots look like pretty standard “sign-in-wraps.” The court characterizes them as “a hybrid offer (not a clickwrap or browsewrap offer).” The court prefers the hybrid language because the same methodology applies to sign-in-wraps and other formation processes that aren’t clickwrap/scrollwraps or browsewraps. The court rejects the plaintiff’s argument that this was a browsewrap:

Browsewrap offers seek to create contracts when users simply browse a webpage (hence, their name). LowerMyBills did not propose that type of offer. It required users to take a specific step to accept its offer: click the relevant buttons.

The Sixth Circuit applies California law to these screenshots (both parties agreed on that choice), which is a little dicey because the Sixth Circuit isn’t a repeat player with California TOS formation law. As an example, the Sixth Circuit completely ignores the Godun decision even though I think Chabolla and Godun can’t be understood without reference to the other.

[Personnel notes:

The opinion was written by a TAFS judge (TAFS = Trump-Appointed Federalist Society). TAFS judges’ opinions routinely are distinctive compared to non-TAFS opinions (not necessarily in a good way). I thought this opinion was disorganized (my blog post merges related topics that were confusingly addressed in disjointed locations throughout the opinion) and overrelied on cherrypicked precedent (a hallmark of TAFS opinions).
For a court applying California law outside of California, it was conspicuous that none of the lawyers listed on the opinion caption are based in California…]

The Court’s Description of TOS Formation Law

The Wrap Taxonomy

“any reasonable person would conclude that so-called scrollwrap or clickwrap offers objectively convey the website operator’s “manifestation of [a] willingness to enter into a bargain” with website users”
“So-called browsewrap proposals fall on “the other end” of potential offers….courts often hold that these offers cannot create valid agreements because they leave users “unaware” that the operator has even proposed an offer”
“many proposals fall in between these extremes. These “hybrid” offers (what some courts have called “sign-in wrap” offers) present the trickiest cases.”

Sign-In Wrap (“Hybrid”) Requirements

In determining if an offer is reasonably conspicuous, this court asks Four Questions (no, not those questions):

Q1: “Did the website display the offer on an “uncluttered” page, or on a page filled with items that will “draw the user’s attention away from” the proposal?” “Simple streamlined designs” are more likely enforceable than “a page with lots of distractions.”

Q2: “Did the website operator place the proposed offer close to—or away from—the button that a user must click to signal the user’s acceptance of the proposal?” The closer the offer is to the action button, the more conspicuous it is.

Q3: “Did the website operator use a font size or color that would draw attention to the proposal?” The court says that it’s more likely conspicuous when sites use “a larger font or at least colored hyperlinks.” This is not a faithful characterization of Chabolla/Godun, which had exacting requirements for both fonts AND hyperlink presentations. It’s telling that the court favorably cites Selden v. Airbnb, a DC Circuit case (i.e., not a California case) that predates Chabolla/Godun, to support its summary rather than any Ninth Circuit case.

Q4: “Did the website operator and users engage in the kind of interaction that one would expect to include contractual terms?” Users expect terms with continuing relationships and not for one-off interactions.

These Four Questions are similar–but not identical–to the Ninth Circuit standards. Here’s how I summarize those standards in my Internet Law course:

Who Decides

The court says that if the facts about what happened aren’t in dispute, the court can rule on the formation process as a matter of law rather than send the formation question to the jury.

Application to This Case

Reasonably Conspicuous Notice

The court says the conspicuousness of the notice is a “close question.” Here’s why the court concludes that the notice was reasonably conspicuous:

the proposal on the fourth page followed a “simple design” that did not contain much clutter (other than a logo for Quicken Loans as the “Featured Provider”). Selden, 4 F.4th at 156. [Reminder: Selden is a DC Circuit opinion that predates Chabolla/Godun] In this respect, then, this page resembles the simple sign-up pages for Uber or Airbnb. And it differs from Fluent’s webpages in Berman, which contained other eye-catching images and information. Admittedly, the fifth page had far more terms than the fourth page. It also identified Dahdah’s consent to the specific “Terms of Use” in the second of four paragraphs of details. But we view this page as serving a belt-and-suspenders role for the fourth page’s proposal. And we resolve this case based on the notice that consumers would have received across the pages in combination….

LowerMyBills placed the proposal “directly” “below the action button” on each of the pages. And it used a “dynamic scrolling function” in which these pages automatically scrolled down as users inputted information in the boxes. So users would always see the offer on the same screen as the action buttons.

The plaintiff pointed out that the 5-screen formation process was confusing because the prior screens had a similar “calculate” button without terms. The court says that multi-screen processes are OK, noting that Uber’s process had two screens. But I also note (which the court didn’t) that Chabolla said: “three faulty notices do not equal a proper one.” I think the court would say that the fourth and fifth screens are each independently sufficient, but I wanted to see more thoughtful discussion about how the multiple screens reinforce or conflict with each other.

The court notes that LowerMyBills used a “very small font,” which calls it “a legitimate concern.” As I teach my students, the offer language should never be in the smallest font on the page. In Chabolla, a TOS formation failed in part because the offer language’s font was “notably timid in both size and color” (a critique that could apply here). In response, the court cherrypicks the precedent and says that the font size might be comparable to the font sizes used by Uber or LiveNation (both are pre-Chabolla cases, and Uber is a 2nd Circuit case). Also, the hyperlink was in “bright blue” on a white background, so “LowerMyBills did not hide the critical hyperlink using the same font color as the other text.” (The Ninth Circuit would treat a different font color for the links as mandatory, not a plus factor).

The court also struggles with whether the interactions with LowerMyBills was a one-off or ongoing relationship given that they were largely acting as a referral service (the court says this is also a close call). The court makes this empirical claim without a scintilla of empirical support: “reasonable users also would expect that the free referral service comes with some contractual strings attached….given that the site matches users with potential lenders, we cannot say the objective user would fail to anticipate some sort of continuing relationship.” [Insert goose meme: relationship with WHO?]

The court says that it’s OK the offer language was below the action button rather than above because “Other courts have enforced these offers when placed below rather than above the button that signaled the user’s assent.”

Manifestation of Assent

The court says concluding “that Dahdah took actions showing his assent to LowerMyBills’ offer becomes “straightforward” once we conclude that the offer was reasonably conspicuous.” The plaintiff clicked on the green “calculate” and “calculate your free results” buttons.

The plaintiff weakly attacked the call-to-action language, which lets the court skirt any serious analysis. But look back at the text: it says “by clicking the button above,” which we could assume refers to the green button right above that text. But there are surely other “buttons” on the screen above the text (remember, the court clipped the screenshot, improperly IMO), which would make the cross-reference ambiguous. If there are more “buttons” “above,” what should have happened?

Also, the Chabolla opinion rejected a TOS formation when the offer language said “by signing up” and the action button said “continue.” Would it matter to Chabolla that the offer language didn’t precisely describe the action button?

Arbitration Terms

The court acknowledges that LowerMyBills’ TOS was silent on many key provisions about the arbitration, such as selecting an arbitration service. However, the provision says that the Federal Arbitration Act applies, and the court says that’s good enough to gap-fill all missing arbitration terms.

Implications

Would this case have turned out differently if it had actually been in a California court? I believe Chabolla and Godun changed a lot about TOS formation, and this court mostly disregarded those cases to rely on pre-Chabolla cases, some of them from courts outside California. So, I believe this ruling is not consistent with California courts. But really, who knows? TOS formation remains another Calvinball area of Internet law.

To be fair, LowerMyBills’ TOS formation process might not be condemnable despite their sloppiness. Obviously it could be easily improved (2 clicks, please), but it’s pretty consistent with the old standards for TOS formation. However, I think it’s disingenuous to treat this opinion as consistent with California law without wrestling more thoughtfully with the effects of Chabolla and Godun.

Case Citation: Dahdah v. Rocket Mortgage, LLC, 2026 WL 194455 (6th Cir. Jan. 26, 2026)

The post The Sixth Circuit Wades Into Online TOS Formation (and Leaves Me More Confused Than Ever)–Dahdah v. LowerMyBills appeared first on Technology & Marketing Law Blog.

The Ninth Circuit Wrecked Internet Jurisdiction Law…And For What?–Briskin v. Shopify

Eric Goldman — Tue, 27 Jan 2026 15:19:03 +0000

I added the Ninth Circuit Briskin v. Shopify en banc ruling to my 2025 Internet Law casebook, and I taught it for the first time in Fall 2025. Wow, that did not go well at all. The opinion is absolutely unteachable. Here are some of the questions I highlighted in class that I couldn’t answer:

How did Shopify “know” that web browsers were in CA?
Did Shopify “know” CA law restricted its conduct? [flag this point in particular]
Is there a difference between aiming everywhere and aiming nowhere?
Is Briskin consistent with Zippo?
How can Shopify avoid jurisdiction in CA?

Maybe someday we’ll get a teachable Internet jurisdiction case, but not today.

Because the opinion is a mess, I will be further reducing my coverage of the Internet jurisdiction topic in my Fall 2026 Internet Law course until I get better teaching tools. In the interim, I will keep emphasizing my Calvinball meme slide.

* * *

Here is the big takeaway holding from the Ninth Circuit’s Briskin ruling: “Shopify expressly aimed its conduct at California through its extraction, maintenance, and commercial distribution of the California consumers’ personal data in violation of California laws.”

But…what if Shopify never violated California law at all? On remand, that’s exactly what the court said. In other words, the Ninth Circuit credulously accepted the plaintiff’s allegations, but now we find out the allegations were false. Does California still have jurisdiction in this case??? ¯\_(ツ)_/¯

* * *

Shopify provides backend merchant services to online retailers. In this case, the plaintiff claims he purchased fitness apparel from IABMFG, with Shopify as the backend e-commerce provider. “Plaintiff alleges that he, like other consumers, was uninformed of [Shopify’s] involvement in the transaction, and without consent, defendants collected his sensitive private information, including full name, address, email address, credit card number, IP address, the items purchased, and geolocation.”

Crappy Pleadings

The plaintiff transacted with IABMFG in 2019, but he says he learned about Shopify’s allegedly shady privacy practices only in 2021. He then assumed Shopify’s 2021 practices were in place in 2019, but the complaint didn’t present any evidence to support that assumption:

The issue is not that plaintiff obtained factual support about Shopify’s 2019 conduct and then waited too long to file a complaint, the issue is that plaintiff has still not provided adequate factual support that the conduct disclosed in 2021 actually took place in 2019 as well. Accordingly, all of plaintiffs’ claims must be dismissed for want of factual support

Reminder: the Ninth Circuit found the plaintiffs’ allegations credible enough to justify breaking Internet jurisdiction law.

Shopify’s Lack of Intent

“Shopify’s policies required merchants to obtain consent for Shopify’s access.” Whether or not the merchant honored this requirement, the court says that the policies demonstrate that Shopify didn’t willfully listen into the conversation between the retailer and plaintiff. This lack of intent negates the state wiretapping, common law privacy, and computer crime claims.

So, to recap: the plaintiff’s claims all failed because the complaint assumed the key facts about Shopify’s conduct; and several claims ALSO failed for lack of Shopify’s intent. Great job, Ninth Circuit.

The court provides some additional guidance for the amended complaints, some points of which are a little more plaintiff-favorable:

The wiretap claim can’t be dismissed on the grounds that Shopify was just a service provider.
Credit card information isn’t “record information” and is capable of being intercepted. However, the court questions if Shopify intercepted that information while in transit.
The court says that Shopify isn’t eavesdropping equipment.
The court couldn’t decide yet if Shopify’s behavior was “highly offensive” for the common law privacy claims.
The state computer crimes trespass claim can be supported on the theory that the plaintiff suffered actual damages when he seeks disgorgement of his personal information.

We’ll see if the plaintiff can turn this case around with an amended complaint. For now, the collapse of the case on remand sharpens my skepticism about the Ninth Circuit’s acquiescence in its jurisdictional ruling.

Case Citation: Briskin v. Shopify Inc., 2026 WL 161441 (N.D. Cal. Jan. 21, 2026). CourtListener page.

The post The Ninth Circuit Wrecked Internet Jurisdiction Law…And For What?–Briskin v. Shopify appeared first on Technology & Marketing Law Blog.

AT&T Blocks T-Mobile’s Data Portability Efforts (Guest Blog Post)

Eric Goldman — Fri, 09 Jan 2026 18:09:32 +0000

Created by ChatGPT Dec. 2025

By guest blogger Kieran McCarthy

If you have ever wondered why big incumbents keep running to the Northern District of Texas the moment someone builds a tool that makes switching easier, comparing prices easier, or generally makes the internet work like the internet, AT&T Services, Inc. v. T-Mobile US Inc. should help you understand why.

On December 18, 2025, Judge Karen Gren Scholer entered a temporary restraining order blocking T-Mobile from implementing the original “Easy Switch” feature in its T-Life app, and blocking “any substantially similar version” that “accesses or obtains” information from AT&T’s “protected computer systems,” unless T-Mobile gets permission of the Court.

This opinion builds on the case law the N.D. Tex has been generating for years in the Southwest Airlines “don’t you dare build a useful layer on top of our website” cases.

The facts of the case are pretty simple. T-Mobile marketed a feature that let customers log into their current carrier account (AT&T or Verizon) and pull information to help them compare plans and switch. Customers made the decision to switch, and T-Mobile, for obvious reasons, automated the process. The horror!

AT&T sued, saying this was not “customer convenience.” It was unauthorized automated access and scraping of data from password-protected AT&T pages, with allegations of repeated bypassing of AT&T’s blocks, and “over 100” fields of customer data per user.

Over 100 fields? Dang! That’s, like, so many fields! And I suppose there are a few different lenses through which one could analyze that fact. One approach might be to say that automating a process with over 100 fields might be precisely the kind of thing that makes the internet useful, and that saves everyone time, money, and mental headaches.

Another way to view this fact is as evidence of “soooooo much computer fraud” even when T-Mobile is simply automating a process that consumers are choosing to automate. But that is how things work in the Northern District of Texas.

By the time the TRO issued, T-Mobile had already changed the tool so AT&T and Verizon customers could upload a bill PDF or manually enter information.

The court found AT&T likely to succeed because the Easy Switch tool, and its iterations before the November 26 change to PDF upload, accessed AT&T’s systems without authorization, pulled “over 100 fields” of customer data, and transmitted the data back to T-Mobile. It also found irreparable harm to AT&T’s control over its systems and data, plus reputation, goodwill and ‘customer privacy,’ without any inclination to grapple with the awkward fact that the customers were the ones asking to move their own information around. How the court concluded that customer privacy was at issue when the customers themselves initiated the switch .

Even though T-Mobile deactivated the challenged version, the court found the threat remained because T-Mobile wanted to retain the ability to use something “very similar” later.

T-Mobile is enjoined from implementing the original version or any “substantially similar” version, and “substantially similar” is defined basically as anything that accesses or obtains information from AT&T’s protected systems.

Perhaps, learned reader, you might be wondering if there was any discussion of user empowerment, lower lock-in costs, increased innovation and competition, added product development, interoperability, improved price discovery, or any other known policy benefits associated with data portability in the policy section of the TRO?

No. There was not. This is the entire policy discussion of the opinion: “This temporary restraining order will serve the public interest. The enforcement of state and federal laws serves the public interest.”

See how easy this judging stuff is?

To be clear, this is not a case where you would expect someone like T-Mobile to prevail in Texas. But the lack of analysis or consideration for the broader issues at stake is always a bit startling. A big incumbent takes a dispute that is at least partly about competition and consumer switching, recasts it as “computer trespass,” and asks a court to shut the product down quickly. And the N.D. Texas always obliges, especially when the plaintiff is a household-name company with a website and Terms of Use, and the defendant is building a tool that rides on top of it.

That posture matters historically because it reflects an early willingness to treat “automation + Terms + notice” as a path into computer-access liability, even when what is being accessed is, functionally, consumer-facing information.

AT&T’s complaint is explicit that this case is “not about competition for customers,” but about “unauthorized” intrusion into its systems, using automated bots “disguised as an AT&T customer,” scraping “over 100 categories” of data, and bypassing AT&T’s security measures. And that is what is what I like to call “bullshit.”

Either way, the N.D. Texas proves once again why it is the preferred venue and forum for those looking to build walled gardens.

* * *

Interestingly, Texas does have a mandatory data portability law, the TDPSA, or the Texas Data Privacy and Security Act. But the reality is that these laws have very little utility for consumers.

A portability right on paper like the TDPSA is little more than a slow and functionally useless export option. The reality is that laws like this don’t help consumers move with their data.

For one, TDPSA only mandates that companies return the “data you provided,” not the data you actually need to switch. Second, the time, frequency, and authentication friction make it useless for “I want to switch today.” Under TDPSA, controllers generally have up to 45 days (plus a possible 45-day extension) to respond. Waiting 45-90 days for data is so unhelpful that most consumers don’t see any value in requesting it. Next, a .pdf copy of data does not equal “interoperable.” Without shared schemas, APIs, and validation rules, the receiving service cannot reliably ingest the data—and certainly not at scale.

In a case like this one, the consumer-facing promise is “we’ll read your bill and account and recommend the right plan fast.” A statutory portability right typically gives you a dataset, not the transformation, normalization, and comparison workflow that makes switching easy. And when a competitor tries to fill that gap by automating access into the incumbent’s systems, you collide with the CFAA, terms of service, and state computer access statutes (exactly what the TRO discusses). Which is why, without meaningful analysis of the real value of automation for consumers in cases like this one, mandatory portability statutes are functionally useless for consumers.

[Eric’s comment: data portability mandates are generally quite popular, at least in academic circles. But I haven’t seen any evidence indicating that the mandates actually improve anything for anyone. I welcome pointers to academic studies on this topic.]

The post AT&T Blocks T-Mobile’s Data Portability Efforts (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

2025 Internet Law Year-in-Review

Eric Goldman — Tue, 06 Jan 2026 19:29:34 +0000

2025 is the Trump 2.0 era, so you won’t find much upbeat news in this Internet Law year-in-review.

10. Are Websites Legally Equivalent to Exploding Coke Bottles?

Traditionally, tort law distinguishes between tangible items (chattels) and intangible services. Several doctrines impose additional liability for chattels, such as strict products liability and specialized forms of negligence.

Plaintiffs are trying to extend these chattel-based tort doctrines to intangible activities like publishing content. This raises the venerable Internet Law exceptionalism question: when should physical-space laws extend to online activity? In other words, is a user-generated content website the legal equivalent of an exploding Coke bottle?

In 2025, more lower-court judges applied strict liability and negligence doctrines to social media. It remains to be seen if these opinions will be upheld on appeal. Meanwhile, emboldened plaintiffs are now proliferating chattel-based theories against other online content publishers, including Generative AI model-makers and videogames.

9. A Swiss-Cheesed Section 230 Survived 2025

Section 230 survived 2025, and it will likely reach its 30th birthday. But will it survive beyond that? Section 230 looks more like Logan’s Run than Yoda.

Several Section 230 repeal bills are pending. Why tho? Section 230 is already shrinking and being swiss-cheesed even if Congress does nothing.

In particular, Section 230 took major hits last year in the Calise and YOLO opinions, which encouraged courts to create a virtually infinite number of common law exceptions to Section 230. This year, Doe v. Twitter added two new 230 exceptions for alleged breaches of a “reporting mechanism architecture” duty and NCMEC reporting.

8. TOS Formation Is More Difficult in the Ninth Circuit

The Ninth Circuit dramatically raised the bar on online TOS formation law in Chabolla and Godun. Together, these rulings provide several more reasons for courts to reject TOS formation. View all pre-Chabolla rulings upholding TOS formation with suspicion. And if you haven’t reassessed your TOS formation process after Chabolla and Godun, why not?

7. The SAD Scheme Takes Some Huge Hits

Prof. Fackrell posted a 2025 SAD Scheme year-in-review. Two standouts:

Judge Kness said the SAD Scheme “should no longer be perpetuated in its present form.”
Judge Ranjan (WDPa) and the District of New Jersey functionally banned the SAD Scheme in their courts.

6. Silicon Valley Execs Embrace Trump

Traditionally, Silicon Valley entrepreneurs have viewed regulators with suspicion and preferred technology solutions over legal ones. That stereotype is partially outdated. Many Silicon Valley leaders–such as Musk, Zuckerberg, Ellison, Benioff, and toss in Bezos for good measure–have enthusiastically embraced crony capitalism and anticipatory compliance with MAGA expectations (when it personally benefits them). [See also “How the Bay Area’s tech billionaires behaved in 2025.”] The oligarchs’ subservience to Trump diverges from mainstream Silicon Valley views, but those with the gold make the rules.

5. Internet Censorship Rolls Out Globally

2025 global censorship lowlights include the UK Online Safety Act and Australia’s ban of under-16s from social media. We are well-past the high water mark of online free speech globally.

4. New Notice-and-Takedown Scheme for “Visual Intimate Depictions”

The Take It Down Act combines CSAM, non-synthetic non-consensual pornography, synthetic AI-generated pornography, and other “visual intimate depictions” into a single regulated content category. This lazy drafting ensures that the law confusingly overlaps and supplements existing law–and regulates constitutionally protected content.

The law creates a new notice-and-takedown scheme for intimate visual images (this mechanism goes into effect this summer). Services must resolve all of the following issues within 48 hours of receiving each takedown notice about intimate visual depictions:

Can the service find the targeted item?
Is anyone identifiable in the targeted item?
Is the person submitting the takedown notice identifiable in the targeted item?
Does the targeted item contain an intimate visual depiction of the submitter?
Did the submitting person consent to the depiction?
Is the depiction otherwise subject to some privilege? (For example, the First Amendment)
Can the service find other copies of the targeted item?
[repeat each step for each duplicate. Note the copies may be subject to a different conclusion; for example, a copy may be in a different context, like embedded in a larger item of content (e.g., a still image in a documentary) where the analysis might be different]

As you can imagine, this process will lead to many unwarranted removals, especially after vigilantes and trolls start weaponizing the process.

3. Can Anything Stop the Tidal Wave of AI Regulations?

State legislatures are in a regulatory frenzy over Generative AI. In response, Congressional Republicans unsuccessfully proposed a moratorium on state AI laws. When that failed, Trump issued a performative executive order discouraging some state AI laws.

Eventually, the Supreme Court will decide if Generative AI outputs qualify for First Amendment protection. If so, many of the state AI regulations are unconstitutional. If not, Generative AI is doomed.

2. The TikTok Divest-or-Ban Calvinball

In January, the Supreme Court upheld Congress’ TikTok divest-or-ban law. Shortly thereafter, the TikTok divest-or-ban deadline arrived on Biden’s last day in office. He took no action. President Trump then unilaterally extended the deadline without satisfying the statutory preconditions for an extension. Trump has since purportedly issued several more extensions without any statutory authority to do so. Trump also (without any authority to do so) had the DOJ tell app stores to keep TikTok available despite the law.

As a result, an undivested TikTok has remained publicly available throughout 2025 despite Congress’ ban. This outcome mocked the Supreme Court and Congress:

The Supreme Court accepted Congress’ pretextual claims that TikTok threatened national security and consumer privacy. Trump’s defiance exposed that no one, including Congress, actually cared about these purported harms.
Congress passively watched Trump disregard a valid enacted and alleged constitutional law.

Also, Congress intended the divest/ban to combat Chinese authoritarianism, but it actually facilitated Trump’s domestic authoritarianism. Trump used the law to broker a kleptocratic divestment to his buddies who will keep TikTok’s algorithm friendly to Trump.

I teach the TikTok ban in week 1 of my Internet Law course as Exhibit A of how Internet Law is Calvinball.

1. Supreme Court Upholds Mandatory Online Age Authentication (FSC v. Paxton)

I was wrapping up a 2-week China trip when the Supreme Court issued its opinion in Free Speech Coalition v. Paxton. I was eager to return to a country that has a First Amendment–so I could access most websites without a VPN; I wouldn’t have to show my passport to enter every museum; and I could freely criticize the government without fearing for my liberty. And then the Supreme Court’s FSC v. Paxton opinion made me question everything.

As just one example of the court’s wrecking ball to American principles: the majority adopted intermediate scrutiny to evaluate the law, even though neither party argued for that standard, and then the court analyzed intermediate scrutiny without giving either side the chance to argue the standard. Pure Calvinball.

By overturning 30-year-old precedent, the opinion newly opened the floodgates on mandatory online age authentication. The majority opinion claimed it was limited to children’s access to online pornography, but the opinion repeatedly and gratuitously went much further. Emboldened regulators around the country are proliferating age authentication mandates on a diverse range of topics. The constitutional battles over those laws will rage for years. Here’s a roundup of NetChoice’s 2025 efforts.

Regardless of how the legal battles turn out, Internet publishers are already deploying age authentication solutions to manage their legal risks, and they won’t be quick to rip out these implementations. Thus, the FSC opinion let the age authentication genie out of the bottle, and it will never go back in–regardless of what the courts or the Constitution say in the future.

FSC v. Paxton has locked us into an age-authenticated Internet, very different from the one we have today, with less privacy and security, less free speech, less content, and less resiliency. Everyone will be poorer for it.

Well, almost everyone. The censors are giddy–as are the age authentication vendors, who celebrating their good fortune with a black tie industry awards gala. See you there.

(Dis)Honorable Mentions

Other 2025 items of note:

The first batch of district court rulings regarding copyright and Generative AI have been a mixed bag. A few courts have rejected copyright claims over training data, except when the source files were obtained via file sharing. We’ll see how these opinions fare on appeal. Amidst this uncertainty, Anthropic agreed to a massive $1.5B settlement.
The Meta Pixels cases keep chugging along. There are now hundreds of rulings in Westlaw, and the plaintiffs are doubling-down against other unique identifiers. However, the pixel cases aren’t always doing well on appeal. Could the Meta Pixel litigation frenzy flame out when the appellate court speak up?
The US State Department has threatened to ban content moderators and actually banned five Europeans associated with the DSA. US government censorship will continue until free speech improves.
Many people have celebrated the GDPR as the gold standard of global privacy laws. But…it’s also stifling the EU and needs reworking (e.g., 1, 2).
It’s the 5 year anniversary of Meta’s Oversight Board. How’s that been working out?
It’s also the 5 year anniversary of the Copyright Claims Board. How’s that been working out? Reminder: Congress created the Copyright Claims Board in December 2020, when perhaps it should have had other priorities.

* * *

Previous year-in-review lists from 2024, 2023, 2022, 2021, 2020, 2019, 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, and 2006. John Ottaviani and I previously listed the top Internet IP cases for 2005, 2004 and 2003.

* * *

Generated by ChatGPT Oct. 2025

My publications in 2025:

The post 2025 Internet Law Year-in-Review appeared first on Technology & Marketing Law Blog.

A Massive Roundup of Section 230 Decisions

Eric Goldman — Fri, 02 Jan 2026 19:11:19 +0000

This post also owes its origins to my 2-week trip to China in June. Section 230 decisions started backing up while I was on the trip and never stopped accruing. In total, this post covers about 30 decisions in 7k+ words. Whew! Some of these decisions are real stinkers, too.

Doe v. City of Warwick, 2025 WL 2197311 (D.R.I. Aug. 1, 2025)

This case involves a third-party service that collects anonymous citizen tips for law enforcement. The service is called Tip411 and is offered by Citizen Observer. The city of Warwick adopted Tip411. Doe claims that Roe anonymously submitted harassing tips to Tip411. All of the tips proved false, but the tips caused law enforcement to confront Doe in an aggressive manner.

Doe sued Citizen Observer for negligently designing its service. Citizen Observer invoked Section 230. The court says that Doe properly stated a products liability claim:

His claims are based on the Tip411 product; that is, he is asserting product liability, negligence, and breach of warranty claims based on Citizen Observer’s own conduct in developing, marketing, and selling an allegedly defective law enforcement tool. His claims are also focused on the absence of adequate warnings to Tip411 users and Citizen Observer’s failure to provide municipal trainings. Reading the allegations in Mr. Doe’s complaint and taking the facts stated as true, the Court finds that Mr. Doe claims against Citizen Observer are product liability claims based on its conduct in defectively designing and failing to warn and/or train foreseeable users and breach of warranty of the Tip411 product.

Hmm…this seems problematic. For example, what “warnings” would have changed Roe’s behavior? And Citizen Observer is supposed to teach law enforcement how to do its policing work?

It goes downhill from there:

Illogically, Citizen Observer also asserts that it acts as a passive message board and/or server host. Mr. Doe agrees with the latter, asserting that Citizen Observer does not take part in any of the communication that is directed through their platform in anyway, as they do not monitor, filter, or address the tips that travel through the application. Because it has been established that a publisher takes part in “reviewing, editing, and deciding whether to publish or to withdraw from publication third-party content[,]” Mr. Doe asserts that it is impossible for Citizen Observer to be immune as a publisher and/or speaker of Mr. Roe’s posts when it acts as a passive message board and does not review, edit, or monitor what posts are published on its platform. The Court finds that Mr. Doe’s claims do not treat Citizen Observer as a publisher and therefore it is not immune from his state-law claims.

No. Just no. Section 230 protects the decision not to edit (a leave-up decision) just as much as the decision to edit (remove). And “conduits” get just as much Section 230 protection as web hosts. For example, IAPs aren’t liable for third-party content flowing through their network (230’s definition of ICS expressly includes IAPs). So this is clearly wrong. Let’s hope the court gets on track in the next round.

Chabot v. Frazier, 2025 WL 2164002 (Tex. Ct. App. July 30, 2025)

Chabot contends Frazier’s claims for defamation relating to Chabot’s republication of the December 2023 DMN and WFAA.com articles are barred by section 230 of the Communications Decency Act (the CDA)….Simply put, the CDA generally bars defamation and libel claims against an entity that merely passively permits the publishing (or, here, the republishing) of another’s content. GoDaddy.com, LLC v. Toups, 429 S.W.3d 752, 755 (Tex. App.—Beaumont 2014, pet. denied). Chabot maintains that the website is a provider of an interactive computer service as defined by the CDA, that the content at issue was provided by another information content provider, and Frazier’s allegations improperly seek to treat Chabot as a publisher of the content posted on the website

Frazier argues that Chabot is not entitled to immunity for his publication of the 2023 WFAA.com article because Chabot did not act neutrally when he republished the article under the headline “Collin County Rep. Fred Frazier Dishonorably Discharged from DPD” after he had been informed of the article’s inaccuracies and after WFAA had published an updated and corrected article. Frazier asserts that instead Chabot acted as an information content provider by republishing the article.

Under the limited record here and viewing the evidence in the light most favorable to Frazier, we conclude Chabot did not establish as a matter of law immunity under the CDA

Ugh, this line: “the CDA generally bars defamation and libel claims against an entity that merely passively permits the publishing (or, here, the republishing) of another’s content.” The phrase “passively permits the publishing” is gibberish. Publishing is never passive!

In a footnote, the court adds “Where a defendant contributes to and shapes the
content of the information at issue, there is no immunity under the CDA.” I’ve complained before about the nonsensical and illogical “content shaping” exception to Section 230. Seeing this bad meme perpetuate is painful.

This case seems to cover some of the same ground as the D’Alonzo case from 20 years ago, which is so old that the lawyers probably had no idea it existed. I’ve repeatedly posted about how 230 can apply to verbatim content republication before. Too bad the court had no idea.

Stearns v. Google Inc., 2025 WL 2391555 (N.D. Cal. Aug. 18, 2025)

He alleges that he performed a Google search on May 11, 2019, which unwittingly returned images of child pornography which formed the basis of federal charges that were subsequently field against him. Plaintiff was convicted and sentenced to 11 years….

section 230 of the CDA generally immunizes entities like search engines from liability for claims involving how these entities do or do not moderate content created by others….The CDA would preclude any claim like plaintiff’s even if he stated a claim under state law [cite to Ginsberg v. Google]

Riganian v. LiveRamp Holdings, Inc., 2025 WL 2021802 (N.D. Cal. July 18, 2025)

This is a class-action lawsuit alleging “LiveRamp has tracked, compiled, and analyzed vast quantities of their personal, online, and offline activities to build detailed ‘identity profiles’ on them for sale to third parties.” With respect to Section 230:

“Plaintiffs are asking LiveRamp ‘to moderate its own content.'”
“CDA immunity does not apply when the defendant contributes to or shapes the content at issue.” Ugh, the content “shaping” meme again….
“The Data Marketplace does not consist only of user-generated content…[LiveRamp] is the ‘information content provider’ of the [Data Marketplace] dossiers because it is ‘responsible, in whole or in part, for the creation or development of’ those dossiers.”

U.S. v. EZLynk, SEZC, 149 F.4th 190 (2d Cir. August 20, 2025)

The district court ruling in this case was so interesting that I based my Fall 2024 Internet Law final exam around it.

EZ Lynk is a type of app store to obtain apps (called “tunes”) to customize cars. The app store includes many defeat device apps designed to overcome the manufacturer’s emission control efforts, i.e., to run a more polluting car. The district court ruled that the app store qualified for Section 230 protection. The Second Circuit disagrees.

The Second Circuit credits the following allegations that EZ Lynk materially contributed to the alleged unlawful activity:

EZ Lynk “directly and materially” contributed to the development of delete tunes disseminated through the EZ Lynk System. It worked with delete-tune creator PPEI “in the early stages of testing the EZ Lynk System[,] approximately two years before the system’s launch in 2016,” and again previewed the updated device before its launch in 2018. Several of the posts cited in the Complaint explicitly refer to drivers installing PPEI-provided delete tunes through the EZ Lynk System, and PPEI jointly administers the EZ Lynk Forum Facebook group, helping drivers troubleshoot the installation of their delete tunes using the EZ Lynk System. The Complaint also alleges EZ Lynk “work[ed] with” and “collaborated with” delete-tune creator GDP Tuning before the EZ Lynk System was publicly available

OK, but the apps/tune are still third-party content, no? Relying heavily on the problematic LeadClick case, the Second Circuit says the allegations:

raise the reasonable inference that Appellees deliberately courted – i.e., “recruited” – delete-tunes creators and “collaborated with” them to ensure that their delete tunes would be compatible with and available to users of the EZ Lynk System. Under that inference, Appellees “did not merely act as . . . neutral intermediar[ies]” between the delete tunes creators and vehicle owners “but instead ‘specifically encourage[d] development of what [was] offensive about the content.’”

I mean, isn’t this is what all app stores do? To ensure good consumer experiences, app stores provide a set of technical specifications for compatible apps, review the apps for various standards, and otherwise exercise content moderation over the apps’ availability. So does this mean that all app stores are not “neutral intermediaries” (ugh) of any “illegal” apps available in their app stores?

I think the court was likely responded to the problematic nature of defeat devices and not intending to doom all app stores, but the sloppy handling of Section 230 for app stores leaves plenty of room for future plaintiff mischief.

Gibralter LLC v. DMS Flowers, LLC, 2025 WL 2623293 (E.D. Cal. Sept. 11, 2025)

This is a trademark dispute between floral businesses that spilled over to Teleflora, which provides an ecommerce platform.

With respect to the state law claims (“Unfair and Deceptive Trade Practice, Common Law Trademark Infringement and Unfair Competition, and Trademark Dilution and Injury to Business Reputation”), the court says Section 230 applies to Teleflora’s liability:

The FAC alleges that Teleflora’s online platform enables third parties to sell their products through “estores” on an affiliate network such that Teleflora qualifies as an “interactive computer service provider” under the CDA…. [Cite to the Parts.com v. Yahoo decision from a dozen years ago.]

A party is not an information content provider outside the ambit of CDA
immunity unless it creates or develops the offending content in whole or in part. Plaintiffs’ allegations establish at most that Teleflora controls, supervises, monitors, and profits from the offending content – not that it created or developed that content.

The court applies Section 230 to state IP claims but it spends no time justifying that decision, which is correct in the Ninth Circuit but not well-accepted elsewhere.

UPDATE: The court also dismissed the state law claims in the Second Amended Complaint on the same grounds:

At most, the allegations suggest that Teleflora operates the online platform that enables third party floral partners to sell their products through its online partnership program. In alleging that Teleflora “publishes” each floral partner’s business information, promotes these businesses, “monitors and inspects” the partnership network, and “actively and routinely publishes, codes, and updates substantial content and placement of content on the floral partner’s estore[s],” Plaintiffs show that Teleflora operates akin to an “interactive computer service provider” under the CDA rather than a party that creates or develops infringing content outside the ambit of the CDA

2026 WL 194328 (E.D. Cal. Jan. 26, 2026)

Bodin v. City of New Orleans, 2025 WL 2589590 (E.D. La. Sept. 8, 2025)

This is a challenge to New Orleans’ rules for short-term rentals. The court rejects Airbnb’s challenges based on Section 230 (emphasis added):

The 2024 Ordinance requires Airbnb to verify the registration status of each listing “before any booking transaction is facilitated,” and to reverify each listing “at least every 30 days of the prior verification” and whenever Airbnb “knows or should know” that any data relevant to verification has changed, essentially requiring Airbnb to monitor the registration status of all of its New Orleans listings to identify changes that are potentially material to verification. Airbnb alleges that by forcing it to engage in verifying the registration status of a third-party listing, the 2024 Ordinance treats Airbnb as a publisher of third-party content in conflict with § 230. Airbnb claims that the 2024 Ordinance runs further afoul of § 230 by effectively requiring Airbnb to remove listings when it cannot verify that the host is eligible to list the property….

The 2024 Ordinance does not operate against Airbnb’s role as a publisher of third-party STR listings but rather against its conduct as a booking agent between users and hosts for which Airbnb earns a fee. The 2024 Ordinance does not require Airbnb to monitor or delete anything from its website. Airbnb remains free without penalty to allow as many unlawful STR listings on its website as it chooses to. The 2024 Ordinance simply precludes Airbnb from collecting a fee, in other words profiting, for booking an STR transaction that includes a non-permitted (unlawful) STR. Airbnb may very well determine that for its business model the most effective means of compliance will be to review its website so as to remove unpermitted host listings from its site but the 2024 Ordinance does not compel that action….. Because the verification requirement of the 2024 Ordinance does not treat Airbnb as the speaker or publisher of third party content, the CDA is not implicated.

Oh come on.

Greater Las Vegas Short-Term Rental Association v. Clark County, 2025 WL 2608146 (D. Nev. Aug. 28, 2025)

The regulation at issue “directly imposes verification, monitoring, and deactivation obligations on hosting platforms.” The court accepts Airbnb’s Section 230 challenge using a Calise duties analysis:

The Court agrees with Plaintiffs that the “duty to monitor” springs from Airbnb’s status as a publisher of host listings….platforms like Airbnb are only required to monitor the content of host listings if they are licensed to do business in Clark County… [Note: I didn’t understand this discussion]

Plaintiffs contend unlike the Santa Monica ordinance in HomeAway, the Clark County Ordinance requires that postings be “verified prior to publication,” “monitored to ensure they contain certain information,” or “removed when certain conditions are met.” The Court is persuaded that these requirements distinguish the Clark County Ordinance from the ordinance at issue in HomeAway. Moreover, at the Hearing, Defendant conceded that the provisions in question do impose a duty on platforms like Airbnb to monitor content.

It looks like the plaintiffs win here because Clark County imposed liability upon publication, rather than only at the time of booking?

Onwuka v. Twitter Inc., 2023 Cal. Super. LEXIS 113496 (Cal. Superior Ct. Dec. 12, 2023)

The court summarizes: “plaintiff is unhappy with defendant’s editorial and/or publishing processes” (i.e., alleging racial discrimination in its content moderation practices). In light of the Murphy v. Twitter case, this is an easy Section 230 dismissal. “Defendant’s content rules are typical publisher conduct….Defendant’s policy that required plaintiff to check a box admitting that he violated defendant’s rules to unlock his account–even if unfair or untrue–is such publishing conduct….All of the content that plaintiff claims defendant required him or others to remove (and all of the content in plaintiffs locked account) is created and posted by plaintiff and others, not defendant.”

Espinha v. Elite Universe, Inc., 2025 Cal. Super. LEXIS 42223 (Cal. Superior Ct. July 24, 2025)

In support of the first cause of action, Plaintiffs allege Defendant operates a website on which a user accused Plaintiffs of working “to protect and advance the interests of a network of illegal . . . scam artists”, and Defendant refused to remove the posts even though the user who made them agreed to do so. As Defendant points out, the Communications Decency Act of 1996 immunizes Defendant from liability…Even if Plaintiffs allege actionable claims for defamation against the person who made the posts on Defendant’s website, Defendant is not liable for maintaining the website. Moreover, “[w]here. . . an internet intermediary’s relevant conduct in a defamation case goes no further than the mere act of publication—including a refusal to depublish upon demand, after a subsequent finding that the published content is libelous—section 230 prohibits this kind of directive.”…

Plaintiffs also rely on Liapes v. Facebook (2023) 95 Cal.App.5th 910, which is not on point. In that case, the Court of Appeal held the Communications Decency Act of 1996 does not immunize a social media platform acting as an information content provider by requiring users to disclose their age and gender to design and create an advertising system which required advertisers to exclude delivery to users based on those characteristics. In the instant case, Plaintiffs’ allegations are simply Defendant permitted a user’s post to remain on its site. Plaintiffs do not allege facts to show Defendant acted as an information content provider—”that is, someone ‘responsible in whole or in part, for the creation or development’ of the content at issue.”

Day v. TikTok, Inc., 2022 U.S. Dist. LEXIS 34380 (N.D. Ill. Feb. 28, 2022)

The plaintiff complained about videos uploaded by another user. An obvious Section 230 case. A meritless FOSTA workaround also failed.

Amy v. Apple, 5:24-cv-08832-NW (N.D. Cal. Oct. 15, 2025)

This is a putative class action brought against Apple, Inc. by individuals depicted in Child Sexual Abuse Material (“CSAM”) shared using Apple’s technology and hosted on Apple’s servers. Named Plaintiffs Amy and Jessica (using pseudonyms) allege violations under 18 U.S.C. §§ 2252, 2252A, and 2255 as well as violations of products liability and negligence state laws….

Plaintiffs allege that Apple’s failure to implement NeuralHash or any other child safety features capable of detecting known CSAM on its products caused Plaintiffs to be injured because CSAM depicting them was received, possessed, and distributed using Apple products. Apple could have designed its products to protect and avoid injury to child victims of known CSAM, and Apple knew or should have known that CSAM depicting Amy and Jessica would continue to spread through Apple’s products without Apple implementing proactive detection technologies. Despite this knowledge, Apple avoided design changes that would have increased safety and reduced the injury to CSAM victims. Plaintiffs allege that Apple’s failure to implement any known CSAM detection is a design defect because Apple can safely implement readily available features to prevent the spread of known CSAM but has continuously failed to do so.

The court points to the Doe v. Apple decision, which alleged similar claims on similar facts, and “Plaintiffs rely on the same arguments and analyses that the Court rejected
previously.” The court points out that the plaintiffs have problems with Apple’s alleged scienter and the applicability of Section 230.

Paul v. Brattin, 2025 WL 2845390 (W.D. Mo. Oct. 7, 2025)

This is a claim that retweeting created false light liability:

Mr. Richard Brattin, a Missouri State Senator, reposted an X post originally authored by Deep Truth Intel. The post featured a photo of Mr. Loudermill handcuffed on the curb and stated, “The Kansas City Chiefs Super Bowl Parade shooter has been identified as 44-year-old Sahil Omar, an illegal immigrant.” Mr. Brattin’s repost added “@POTUS CLOSE THE BORDER.” Contrary to Mr. Brattin’s post, Mr. Loudermill was not an illegal immigrant or connected to the shooting.

The court correctly says that Section 230 doesn’t apply to Brattin’s addition (“@POTUS CLOSE THE BORDER”) because that’s first-party content. However, Brattin’s addition isn’t false light on its own or in context, so the court should have dismissed the claim. Instead we get this:

Mr. Brattin created his own X post for which Ms. Paul seeks to hold him liable. There are no allegations about the content of the Deep Truth Intel post, only Mr. Brattin’s. The face of the Amended Complaint does not seek to hold Mr. Brattin liable for the Deep Truth Intel post. Ms. Paul’s false light claim is plausible on its face. Mr. Brattin is not entitled to immunity under the CDA for his own post

Paul v. Hoskins, 2025 WL 2845388 (W.D. Mo. Oct. 7, 2025)

Same facts as the prior squib, except a DIFFERENT Missouri State Senator, Hoskins, retweeted the same post with this caption:

Fact – President Biden’s @POTUS open border policies & cities who promote themselves as Sanctuary Cities like @KansasCity invite violent illegal immigrants into the U.S. Fact – Violent illegal immigrants with guns are exactly why we need the 2A. I have the right to protect my … show more

[What is up with all of the Missouri State Senators grandstanding about immigration using false facts? I know the answer to that question, but it’s still disgusting.]

In this case, Hoskins’ caption actually referred to violent illegal immigrants, so the false light claim is more plausible. It too survived a 230 dismissal attempt.

Byrd v. Google LLC, No. 2023 L 013005 (Ill. Cir. Ct. October 31, 2025)

Plaintiff has failed to provide facts as to how Google has defamed him or violated his right of publicity. Google does not deny that these articles pop up when a search is made for Plaintiff, but Google is not the party that has written these articles or published the pictures. Additionally, the Court finds that under United States Code, “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider. Thus, the Court finds Google cannot be treated as the publisher of articles that have been published online about Plaintiff, even if they may show up when using their services.

Zenon v. Google, Inc., No. CV-014025/23 (N.Y. Civil Ct. March 25, 2024)

This is a scammy ads case. “As to Google, plaintiff alleges that it allowed Reckon to advertise on its site; that it received payment from Reckon for advertising; and that it did nothing to prevent, alter or remove the content of Reckon ‘s advertisement. Yet these are precisely the editorial functions immunized by Section 230.”

Nordheim v. LinkedIn Corp., 2025 WL 3145293 (N.D. Cal. Oct. 21, 2025)

Another failed pro se account termination case, this time against LinkedIn:

According to Plaintiff, an individual, Aaron Laks, made harmful and false accusation against Plaintiff on LinkedIn. Plaintiff reported Laks’ accusations to LinkedIn but LinkedIn failed to intervene or investigate and, instead, suspended Plaintiff’s account without cause. Plaintiff also alleges that “Linkedin still retains and displays defamatory content” and that LinkedIn banned Plaintiff “due to false reports”. He claims all stem from his alleged harm that he incurred as a result. Plaintiff thus seeks to hold Defendant liable as a publisher for failing to remove content posted by a third-party and for temporarily barring Plaintiff from accessing or controlling his own content….

the content he is concerned with was either created by Laks or by Plaintiff, not LinkedIn…Although Plaintiff complains about the actions LinkedIn took or failed to take with respect to the content created by Laks, or by temporarily preventing Plaintiff from responding to that content, he does not allege any content created by LinkedIn.

Mann v. Meta Platforms, Inc., 2025 WL 3255009 (N.D. Cal. Aug. 18, 2025)

The allegations in Mann’s amended complaint are substantially identical to the allegations in his initial complaint – Meta exposed him to third-party content on Facebook relating to drug use that Mann found distressing….for the reasons stated in the court’s OSC, § 230 bars Mann’s claims.

Mann’s citation to the testimony of Meta’s CEO does not compel a different result. A statement that “Facebook no longer serves its original purpose” and is “now a showcase where the algorithm is in charge” does not render Meta responsible for third-party content on the Facebook platform. This does not amount to a specific promise to remove meth-related third-party content such that § 230 immunity does not apply.

Atlas Data Privacy Corp. v. We Inform LLC, 2025 WL 2444153 (D.N.J. Aug. 25, 2025)

This is a challenge to “Daniel’s Law,” a notice-and-takedown law that permits certain government officials and family members to remove their contact information from online sites. With respect to Section 230:

The court at this early stage has little information about the activities of these four defendants relevant to CDA immunity…At oral argument on the motions to dismiss, defendants candidly conceded that they do not operate platforms where third parties simply post information. Defendants seek out and compensate others for providing the home addresses appearing on their websites.

Even if defendants do not create the home addresses and unlisted telephone numbers of covered persons, the court has insufficient evidence in the record to determine whether they develop it. Defendants We Inform, Infomatics, and The People Searchers acknowledge in affidavits that they “provide comprehensive reports” to their consumers. Smarty similarly attached to its motion screenshots of its website, which state that Smarty “meticulously craft[s] personalized solutions tailored to every facet of [its] customers’ business needs.” The screenshots also provide that its service will “[f]ill in missing data & unlock additional information about any validated street address” that a user searches. To determine whether defendants develop the information in issue and whether they have immunity under the CDA must await discovery.

Niedziela v. Viator Inc., 2025 WL 2732916 (C.D. Cal. Sept. 25, 2025)

A woman suffered serious personal injuries when a tree branch fell on her on a tour booked through Viator (a TripAdvisor subsidiary). Viator defended on Section 230. The court says “the right on which Niedziela’s claim is premised relates to Defendants’ status as publishers of the Waterfall Gardens Tour listing, not a separate or independent right.” Then, citing Calise, the court says:

to the extent that Niedziela’s negligence claim is premised upon Defendants’ failure to warn, Section 230 does not immunize Defendants from liability because Niedziela does not seek to hold Defendants liable for failing to vet or monitor third-party conduct. To the extent that Niedziela’s negligence claim is premised upon Defendants’ advertisement of the Waterfall Gardens Tour or the inclusion of the Waterfall Gardens Tour on the Viator website, however, Niedziela does seek to hold Defendants liable as speakers or publishers, and Section 230 applies

The court also says Viator may have materially contributed to the listing’s content because it added a certification badge (the “Badge of Excellence”) to the listing:

The Court is not persuaded that the Badge of Excellence is an aggregate metric akin to that in Kimzey. The star rating system in Kimzey was a pure aggregation metric that did not include Yelp’s own impressions about the quality of a business. Niedziela, in contrast, alleges that the Badge of Excellence reflects Viator’s evaluation of the quality of the Waterfall Gardens Tour, which included conclusions that Viator drew as a part of its intense vetting process. To the extent that Defendants dispute the truth of Niedziela’s allegations about the criteria reflected in the award of the Badge of Excellence or the role of Viator’s vetting process in deciding whether to award the Badge of Excellence to a tour listing, those disputes are not appropriate for resolution at this stage of the litigation….

even if Defendants are correct that the Badge of Excellence was awarded based upon “objective” criteria such as whether a tour permitted mobile booking, those criteria reflected Viator’s determinations about what conditions affected the quality of a tour experience, not third-party determinations. Thus, unlike a neutral aggregation tool, the Badge of Excellence credited particular postings based upon Viator’s assessment of those postings….for the purpose of the instant Motion, the Badge of Excellence constitutes Viator’s material contribution to the Waterfall Gardens Tour listing, such that Defendants can be held liable as creators of that content even if other content in the listing was provided by a third party

Terms like “neutral aggregation tool” are a good tipoff that the court has lost the jurisprudential plot.

Also, “as a matter of law, “Viator’s Terms of Use were not reasonably conspicuous, and Niedziela is not bound by the exculpatory clause contained therein.”

In re Apple Inc. App Store Simulated Casino-Style Games Litigation, 2025 WL 2782591 (N.D. Cal. Sept. 30, 2025)

Prior blog post. The court sets up the facts:

As Plaintiffs explain, each Defendant operates an app store through which social casinos are available for download. Each Defendant also requires apps downloaded from their respective stores to use their respective payment processing system for in-app purchases. Each Defendant then takes a thirty percent cut of every in-app transaction. Whenever Defendants process a virtual chip purchase in a social casino, say Plaintiffs, they are contributing to the problem by unlawfully facilitating illegal gambling transactions

The court previously denied Section 230 for payment processing, but authorized interlocutory appellate review, which the Ninth Circuit declined. The defendants took another run at Section 230, citing the intervening Calise precedent. It doesn’t change the answer:

The crux of the statutory claims in these cases is that Defendants were prohibited from processing in-app payments for social casino apps. Payment processing is not an act of publishing. It is a transaction, one that is “distinct, internal, and nonpublic.” Of course, payment processing activities may be an important part of publishing activity. But that does not make payment processing a publishing activity. Instead, it is better viewed as a generic business activity common to virtually all companies, publishers or not, just like hiring workers or paying taxes…Limits on Defendants’ ability to process certain payments does not interfere with Defendants’ ability to publish third-party apps by offering them in their app stores or by making in-app content available. One can understand this point by recognizing that the duties imposed by these statutes apply equally to dedicated payment processors such as PayPal, Square, and Stripe even though those companies are plainly not publishers. A duty that applies equally to non-publishers does not treat a defendant as a publisher.

The defendants argued that they would have to monitor the activities of the apps to avoid liability. The court is unmoved:

Defendants can choose to stop offering their own payment processing and allow app developers to use the services of dedicated third-party processors. In this way, Defendants can avoid all the issues raised by Plaintiffs’ claims without so much as glancing at any app’s content….

monitoring does not become necessary just because it “would be the best option from a business standpoint” or would be the “most practical compliance option.”…Perhaps if the termination of their payment processing services would pose an existential threat to Defendants, or if it would prevent Defendants from engaging in their publishing activities, then such termination would not be an acceptable alternative to monitoring.

I wonder about any opinion where the court’s answer is essentially “you can avoid liability by exiting the industry.”

The defendants argued that they only provide neutral tools (ugh). The court responds:

While the Ninth Circuit has recognized a neutral tools analysis for Section 230, it has consistently situated that analysis under the third prong of the immunity test—whether content is provided by a third party. This is because the neutral tools analysis informs whether the defendant is a “creator or developer” of content, i.e., whether the content is the defendant’s or another’s.

I’ve repeatedly criticized the “neutral tools” doctrine as an oxymoron, and this narrowing construction by the court is even more dubious. I wonder how the Ninth Circuit will view this doctrinal move by the court.

The court certifies the case for interlocutory appeal once again. It points out in detail various doctrinal problems with Calise, essentially baiting the Ninth Circuit to fix the doctrinal mess it made in Calise. This case will reach the Ninth Circuit eventually, one way or another.

Google LLC v. Latam Airlines Group S.A., 2025 WL 2721690 (N.D. Cal. Sept. 24, 2025)

This case involves two videos that a user uploaded to YouTube that criticized Latam Airlines. In 2018, a Brazilian court held the videos defamed Latam and ordered their removal from YouTube Brazil. In a series of rulings from 2024 and 2025, the Brazil Supreme Court ordered the videos to be removed globally. Google sought relief in US court that it doesn’t have to comply with the global removal order in the US.

The court says Google’s Section 230 argument can support its preliminary injunction request:

YouTube is an ICS provider.
The videos came from a third party.
The Brazilian global removal order would treat Google as the publisher of third-party content. Cite to Google v. Equustek.

The court also says the SPEECH Act protects Google because Brazilian defamation law doesn’t require plaintiffs to show actual malice.

Fleites v. MindGeek S.A.R.L., 2025 WL 2902301 (C.D. Cal. Sept. 25, 2025)

This is a very long FOSTA opinion involving CSAM on Pornhub. Citing Doe v. MindGeek (C.D. Cal. 2021) and Doe #1 v. MG Freesites (N.D. Ala. 2022), the court denies a Section 230 defense because MindGeek is partially responsible for the content development:

Plaintiff claims that MindGeek reviewed, uploaded, categorized, tagged, optimized for user preference and disseminated the videos of Plaintiff. MindGeek also purportedly uploaded the optimized, tagged, and categorized video to its other tubesites. While the Court agrees that Plaintiff’s pleadings as to MindGeek’s involvement in the videos as specific to her leave more to be desired, the Court finds that these allegations paired with the general allegations found in the rest of the SAC detailing MindGeek’s tools that are
not neutral in nature but rather encourage criminality are sufficient at this stage of the litigation when all reasonable inferences are drawn in favor of Plaintiff.

With respect to the FOSTA beneficiary liability claims, the court says Doe v. Reddit only governs the 230 FOSTA exception, which isn’t applicable because the court rejected Section 230 on other grounds. Thus, the court will accept constructive knowledge arguments regarding the prima facie elements that would otherwise be foreclosed if the FOSTA 230 exception was governing the case.

R.Q.U. v. Meta Platforms, Inc., 2025 Cal. Super. LEXIS 70297 (Cal. Superior Ct. Nov. 5, 2025)

An outgrowth of the state court social media addiction case.

the fact that a design feature like “infinite scroll” led a user to harmful content does not mean that there can be no liability for harm arising from the design feature itself. Here, there is evidence that the infinite scroll feature itself caused some harm to Moore…Moore has testified that the “endless scroll” feature has caused her to use Defendants’ applications much more than she would have without that feature

Gas Drawls, LLC v. Whaleco, Inc., 2025 U.S. Dist. LEXIS 254999 (C.D. Cal. Dec. 5, 2025)

The plaintiff enforces the IP rights of rapper Daniel Dumile Thompson, better known as MF DOOM. This is a trademark enforcement case. With respect to the state IP claims:

Plaintiff characterizes Temu as an information content provider on the ground that it is “responsible” for the product listings and allegedly alters and advertises them. These conclusory assertions do not plausibly allege that Temu is a content provider for the reasons discussed above—i.e., Plaintiff provides no factual basis to infer that Temu materially contributed to the alleged infringement. Thus, the state-law intellectual property claims, as alleged, are barred under § 230.

Also interesting:

Plaintiff contends that Temu is directly liable because it knowingly offers “MF DOOM” as a search keyword that triggers the display of the infringing listings. But Plaintiff does not explain how Temu “offered” the keyword, and the FAC itself states that Plaintiff’s counsel found the listings by typing “MF DOOM” into the search bar. It is therefore unclear that Temu did anything other than provide a search tool for its platform.

State v. TikTok Inc., 2025 WL 2399525 (N.C. Bus. Ct. Aug. 19, 2025)

The North Carolina AG sued TikTok for addicting minors. The court starts out with a standard anti-230 trope:

when section 230 says not to treat an internet platform “as the publisher or speaker of” others’ content, it means not to burden the platform with traditional publisher liability. The statute’s reach ends there. It does not relieve internet publishers “from all potential liability” or provide “an all purpose get-out-of-jail-free card for businesses that publish user content on the internet.”

TikTok doesn’t qualify for Section 230:

Neither of the State’s theories seeks to hold ByteDance liable for monitoring, altering, or removing user content, or for failing to do those things. The thrust of the unfairness theory is that ByteDance purposely designed TikTok to be addictive to minors. If what the complaint says is true, TikTok is packed with features—autoplay, endless scrolling, social rewards, and more—that exploit minors’ developmental immaturity and neurological susceptibility to intermittent, variable rewards. And TikTok addiction allegedly disrupts healthy sleep habits and social interactions, causing insidious psychological harms to teens and children. This theory has more in common with products liability than publisher liability, resting as it does on an alleged duty not to design and offer a product that endangers a vulnerable population…

It is no answer to say, as ByteDance does, that addicted minors spend their time on TikTok viewing third-party content. ByteDance’s business is, after all, to host and display user videos. Nearly everything it does is connected in some way to its users’ content. But it and other social-media platforms “continue to face the prospect of liability, even for their ‘neutral tools,’ so long as plaintiffs’ claims do not blame them for the content that third parties generate with those tools.” The State’s unfairness theory neither blames ByteDance for its users’ content nor aims to hold it accountable in its capacity as a publisher of that content. The theory instead seeks to hold ByteDance liable “for its own injurious conduct” in “creating and employing tools to addict young users.”…

the State’s unfairness theory treats ByteDance as a product designer, not a publisher, and faults it for offering a combination of features and social rewards that foster compulsive use by minors. Unlike Bride, ByteDance’s liability does not turn on user content or its failure to remove or suppress that content. This sort of anti-addiction claim therefore does not implicate section 230…

Section 230 gives internet platforms wide latitude to moderate content. But it does not shield them from liability for breaching their promises or misrepresenting their content-moderation activities.

Relying on Justice Barrett’s Moody concurrence, the court also rejects the First Amendment defense: “The algorithm does not convey a message by its programmer; it simply bows to user preferences and propensities….a reasonable person would understand TikTok’s video feed to reflect a given user’s content choices as opposed to ByteDance’s own creative expression or editorial judgment.” So much judicial ignorance about how algorithms work!

The court concludes:

If the State’s allegations are true, ByteDance has intentionally addicted millions of children to a product that is known to disrupt cognitive development, to cause anxiety, depression, and sleep deprivation, and (in the worst cases) to exacerbate the risk of self-harm. Federal law does not immunize this conduct, the First Amendment does not bless it, and North Carolina’s laws and courts are not powerless to address it.

Patterson v. United Network for Organ Sharing, 2022 WL 23024110 (D.S.C. March 7, 2022)

A patient sued the organ donor matching network for facilitating a liver match with the wrong blood type. The court rejects the network’s Section 230 defense:

the Court declines to find that United Network is entitled to blanket immunity under the CDA, as it appears to the Court that United Network’s duties clearly exceed those of an interactive computer service provider as contemplated by the CDA. In other words, accepting all well-pleaded allegations of Plaintiff’s complaint as true, matching Plaintiff with an incompatible donor goes beyond merely hosting a computer service that parties use to post information.

Martin v. Care.com, Inc., 2025 IL App (1st) 250913-U (Ill. Ct. App. December 15, 2025)

Care.com helps families hire in-home caregivers. Care made numerous public statements touting the safety of its caregivers, including doing background checks. However, Care didn’t screen for past incidents of child abuse. After Care’s referral, the plaintiffs retained Dunwoody as a nanny. Allegedly, Dunwoody had a history of child abuse and injured the plaintiffs’ baby. Dunwoody blamed the dad for the baby’s injuries, which had major consequences for the dad. Eventually, the state investigation exonerated the parents. The parents sued Care.com for its promises about screening. The district court dismissed on Section 230 grounds. The appeals court reverses.

With respect to Care’s marketing statements:

The corresponding obligation of Care.com is not to make misleading statements to consumers in the solicitation of business. Complying with this duty certainly cannot be said to require Care.com to moderate what caregivers communicate about their backgrounds through its platform….Care.com’s ability to satisfy its statutory duty under this cause of action stems from the statements Care.com itself chooses to make to consumers on its website. Accordingly, success on this cause of action does not require it to be treated as a publisher or speaker of content posted on its platform by third parties.

The negligent misrepresentation claims reach the same place:

it is Care.com’s own undertaking to have background checks performed on all potential caregivers and to inform customers of this when soliciting their business. Nothing other than a business decision requires Care.com to do this; it could simply allow potential caregivers to use its platform to communicate their background and qualifications to other customers and place the entire burden of conducting background checks on customers. If Care.com had done only the latter, then arguably publisher liability would be the only source of a duty from which liability could be imposed in a negligence claim. However, because Care.com undertook to have background checks performed on all potential caregivers and to make statements to customers about what these background checks entailed, its duty to customers such as the plaintiffs derives from its own actions and statements in this regard. In our view, Care.com’s ability to comply with this duty does not require it to moderate content or communications made by third parties through its Internet platform. Accordingly, success on this claim does not require it to be treated as a publisher or speaker in contravention of section 230(c)(1).

The court distinguishes Doe v. Grindr because

in totality, the statements by Care.com on its website are more specific than the statement at issue in Doe. More importantly, though, we find the statements at issue in this case to refer to Care.com’s own undertaking to ensure that potential caregivers undergo background checks prior to interacting with other customers. When we view these in their light most favorable to the plaintiffs, these statements simply are not about moderating content that is posted to or communicated through an Internet platform. For example, when Care.com states that “[w]e ensure potential account holders are screened and evaluated against our conduct and eligibility standards” by being “background-checked through our CareCheck process,” the court views this as a statement about Care.com’s own undertaking to its customers, which has nothing to do with the actions of a publisher concerning third-party content posted on the Internet.

The court rejects the argument that Section 230 applies if publication of third-party content was a but-for cause.

Sosa v. AT&T, 2025 WL 3719229 (N.D. Cal. Dec. 23, 2025)

“The only conduct Sosa complains of by YouTube is YouTube’s decisions regarding whether to takedown his video, when to put his video back up, and what ranking to give his video. These are ‘quintessential’ publishing decisions giving YouTube immunity to state law tort claims under Section 230.”

Kostov v. Go Daddy LLC, 2025 Ariz. Super. LEXIS 1282 (Ariz. Superior Ct. Oct. 8, 2025)

On the merits, Defendants are mostly correct: the Communications Decency Act does bar the majority of this lawsuit. Section 230 of the CDA provides immunity to interactive computer services providers against liability arising from content created by third parties. Rigby v. GoDaddy Inc., 59 F.4th 998, 1007 (9th Cir. 2003). " data-highlevelcontenttype="urn:hlct:5">the Communications Decency Act does bar the majority of this lawsuit. Section 230 of the CDA provides immunity to interactive computer services providers against liability arising from content created by third parties. This includes requests for injunctive relief, such as removal of content.

That immunity applies because (a) Defendants provide or use an interactive computer service, (b) Ms. Kostov’s claims, for the most part, treat Defendants as the publisher or speaker of the information, and (c) the information comes from another content provider. Registering domains and hosting websites fall into the first prong. Ms. Kostov’s request for damages and injunctive relief show that she is treating Defendants as the speaker and/or publisher of the harmful statements. And, as Ms. Kostov’s complaint suggests, Defendants did not create any of the content.

The CDA, therefore, bars nearly all of Ms. Kostov’s claims. That includes defamation, negligence, cyberstalking, cyber-harassment, and injunctive relief.

What it does not clearly bar, however, is the demand for registrant information. That request appears in the recently filed amended complaint. Although Defendants addressed the amendments in their reply, this request was overlooked. Because Defendants have not addressed it, the Court declines to dismiss it.

This Court recognizes the significant difficulties Ms. Kostov has endured with the content and with efforts to have it removed. This Court, however, cannot circumvent established law, even if GoDaddy has process for reporting abuse. This Court’s order does not require GoDaddy, however, to sit idly by.

Doe v. DeLuca, 2025 Vt. Super. LEXIS 700 (Vt. Superior Ct. Dec. 15, 2025)

Doe alleges (1) “YouTube LLC is contributorily liable for the unauthorized commercial use of Plaintiff’s likeness by providing the platform and failing to remove the infringing content after notice”; and (2) “YouTube LLC facilitated the commercial use of Plaintiff’s likeness without Plaintiff’s consent, violating Plaintiff’s right to control the commercial exploitation of their identity.” These allegations treat YouTube wholly as a “publisher” or “speaker” of the videos made and posted by DeLuca. Doe effectively concedes YouTube’s status as an “interactive computer service,” and his allegations do not in any way challenge DeLuca’s status as “another information content provider.” Doe has not alleged that YouTube was “responsible, in whole or in part, for the creation or development of DeLuca’s video….

YouTube’s insertion of advertisements into DeLuca’s video does not remove Section 230 immunity for YouTube. A defendant must do more to meet the “material contribution” test.

Distinguishing Forrest v. Meta, the court adds: “Providing “neutral tools” for DeLuca to post his video does not eliminate Section 230 immunity for YouTube, where it otherwise “did absolutely nothing to encourage the posting of . . . [allegedly actionable] content.”” [insert my oft-repeated objection to the “neutral tools” phrase.]

The court acknowledges 230’s IP exception, but says the publicity rights claim is a privacy statute; and even if it wasn’t, the court would follow the Ninth Circuit’s ccBill decision to preclude state IP claims. This is a surprise move given that most non-Ninth Circuit courts have diverged from the Ninth Circuit on this point.

Despite the Calise case, the court reaches to pre-Calise precedent to find that Section 230 also applies to breach of contract claims:

Doe alleges that: (1) he “reviewed YouTube’s terms of service agreement”; (2) he “submitted a report to YouTube LLC to remove the [DeLuca] video”; (3) “YouTube LLC failed to remove the content”; and (4) “YouTube LLC failed to adhere to its own terms of service when it failed to remove the reported video.” As the cases above make clear, Doe’s allegations, while framed as a breach of contract claim, nevertheless go to the heart of YouTube’s actions as a publisher — Doe complains that YouTube published DeLuca’s videos when it should not have. Calise’s plain language shows that Section 230 applies to this sort of allegation that would “oblige[] the defendant to `monitor third-party content’—or else face liability—then that too is barred by § 230(c)(1).”

Also, “YouTube’s ToS do not create promises which it could have breached in the way that Doe alleges.”

Extra: “a now commonplace occurrence like DeLuca’s recording by cell phone of Doe in public and posting it online without more does not constitute as matter of law the sort of objectively outrageous conduct required for an IIED claim.”

BONUS: Gonzalez v. Viator Tours Inc., 2025 WL 2420943 (D. Mass. Aug. 20, 2025). A woman suffered a slip-and-fall on a third party excursion booked through Viator/TripAdvisor. Instead of relying on Section 230, the court dismisses the case on prima facie grounds:

“the amended complaint does not plausibly allege that Viator or Tripadvisor were responsible for, or had control over, the operation of the catamaran tour or the placement of the ramp….Viator and Tripadvisor had no duty to take reasonable care in the operation of the Sunfos tour because Gonzalez does not allege that they had a role in, or control over, its operation”
No duty to warn because no special relationship.
No negligent selection claim outside of employment/IC relationship. Also, the complaint didn’t allege that “Sunfos was an unsafe or inexperienced catamaran operator” or “why Viator or Tripadvisor knew or should have known Sunfos to have such a reputation.”

UPDATE: Cox v. CoinMarketCap OpCo LLC, 2026 WL 445010 (D. Ariz. Feb. 17, 2026):

Plaintiff sufficiently alleges that CMC is an information content provider. Plaintiff alleges that CMC “artificially suppressed HEX’s value” and “inflat[ed] the price of one or more other cryptocurrencies.” At this juncture, this is sufficient to establish that CMC did more than passively display content created by third parties. However, this argument is not altogether foreclosed. Accordingly, § 230 does not affect the outcome of this Order.

The post A Massive Roundup of Section 230 Decisions appeared first on Technology & Marketing Law Blog.

OnlyFans Defeats “Chatter Scam” Claim–N.Z. v. Fenix

Eric Goldman — Sun, 21 Dec 2025 16:47:35 +0000

The court summarizes the plaintiffs’ “chatter scam” contentions:

Plaintiffs allege that Fenix Defendants, in cooperation with the Agency Defendants, operate a fraudulent scheme whereby Fenix Defendants charge OnlyFans subscribers to communicate directly with creators, purport to connect subscribers with creators, and instead connect subscribers with “professional chatters” hired to impersonate creators and convince users to spend more money on the website.

This is my first time blogging about “chatter scams,” but I’ve blogged about other types of inauthetic Internet conversations for a long time. For example, 20 years ago, I blogged about dating services that kept publishing profiles of terminated users to make their database look more enticing (Anthony v. Yahoo); and in 2013, I tested on how Ashley Madison sent automated messages to increase dater engagement and goad customers to pay to respond to those automated messages (Exam, sample answer). With AI taking over online conversations, we will see many more lawsuits over undisclosed AI online engagements when people expected to be engaging with humans.

The court dismisses the case with leave to amend.

Section 230

Citing Calise, the court says

The court finds that Plaintiffs’ claims are not barred to the extent they rely on Fenix Defendants’ own representations about promising authentic relationship between Fans and Creators….The court is not persuaded that Fenix Defendants’ alleged role in the Chatter Scams hinges on a “monitoring obligation” to exclude material, but rather focuses on Fenix Defendants’ fulfillment of the alleged promises and representations. However, to the extent Plaintiffs seek to hold Fenix Defendants liable for “facilitating communication” between Plaintiffs and Agency Defendants, the court finds that Plaintiffs’ claims are barred.

VPPA

Service providers. The plaintiffs adequately alleged that “Fenix Defendants and Agency Defendants are video tape service providers because they are in the business of delivering video content to Fans and structure their business on these interactions”
Consumers. “Plaintiffs allege that they subscribed to Creator accounts and paid for access to PPV videos, which were sent through chat and message-based unlocks.”
Disclosure. “Plaintiffs allege that, each time a Fan interacts with a Creator’s account, the platform collects and transmits sufficient information to identify the specific Fan, including Fan’s username, which can be used to locate and view the Fan’s profile.” The court says this isn’t enough: “the alleged information disclosed would not readily permit an ordinary person to identify the specific person.”

Wiretap Claims

“Plaintiffs do not adequately allege that Chatters are reading these messages “in transit,” but rather that Chatters are viewing the messages after they were received and mirrored from the Creator’s inbox.”

Breach of Contract

Some of the breach of contract claims survived Section 230. Nevertheless, due to the integration clause, the court rejects efforts to bring in contract language from outside the TOS. Plus, the TOS “disclaims Fenix Defendants responsibility, stating that they “are not responsible for any Fan/Creator Transaction” and “All Fan/Creator Transactions are contracts between Fans and Creators.””

Fraud

“Fenix Defendants made explicit disclosures regarding the use of third parties, its inability to control how Fan content is used, and the materials provided to Fans.”

Hallucinated Citations

Plaintiffs’ counsel Hagens Berman outsourced brief-drafting to co-counsel Celeste Boyd. “Hagens Berman did not perform a full cite-check on her work. It turned out Boyd had used AI to draft the briefs.” Boyd was experiencing some personal issues at the time, and

Boyd failed to realize when, and to what extent, ChatGPT was modifying her research and writing—supplementing and/or cross-pollinating concepts and authorities from outside sources despite being explicitly instructed not to do so. Boyd failed to check the accuracy of the Opposition Briefs because she ran out of time. And finally, Boyd failed to communicate with her colleagues that she used ChatGPT to assist with the briefs and that she failed to review the AI-generated material.

The court rejects the plaintiffs’ request to file corrected briefs. (Also, “the court observes that there are still errors in the corrective briefing Plaintiffs wish to file.”) The court orders Hagens Berman to pay $10k in sanctions and Boyd to pay $3k in sanctions. The order was also sent to the applicable licensing authorities.

Case Citation: N.Z. v. Fenix Int’l Ltd., 2025 WL 3627591 (C.D. Cal. Dec. 12, 2025). The hallucinated citations ruling is 2025 WL 3626155.

The post OnlyFans Defeats “Chatter Scam” Claim–N.Z. v. Fenix appeared first on Technology & Marketing Law Blog.