Privacy/Security Archives - Technology & Marketing Law Blog

How Often Do Consumers Balk at Doing Online Age Authentication?

Eric Goldman — Tue, 26 May 2026 18:00:22 +0000

In search engine parlance, the “bounce” rate is the percent of searchers who click on a search results link and then immediately hit the back button. High bounce rates usually signal that something has gone wrong. Either the destination website didn’t appeal to the user enough to convert them to engage more, or the search result wasn’t what the consumer was looking for (or both).

Created by ChatGPT May 2026

I’m going to analogize bounce rates to the rate that consumers fail to overcome age authentication walls, which I’ll call the “balk rate.” (We could more granularly distinguish between voluntary refusals and technical inability, but the outcome is the same either way). There is no single standard or expected balk rate for age authentication walls. Instead, a service’s balk rate likely varies based on factors such as:

the nature of the destination. How critical is it that the consumer overcome the wall? For example, there will be a lower balk rate for access to an essential government service than a site that consumers consider non-essential. A related issue is how long the consumer anticipates the relationship will run. Consumers who expect a one-off interaction are more likely to balk than a consumer planning to make a long-term commitment.
the availability of competitive alternatives that have less onerous age authentication procedures. For example, pornography consumers can easily find online alternatives that don’t require age authentication (at least for now), so those consumers are more likely to balk when they encounter an age authentication wall.
the nature of the authentication process.
- how many steps are involved in the process? Each additional step in the authentication process will increase the overall balk rate.
- relatedly, how much time does the process take? Consumers are impatient.
- what disclosures must the consumer make to overcome the wall? The more sensitive the disclosure, the higher the balk rate. Most age authentication processes that achieve decent accuracy levels necessarily rely on the disclosure of sensitive consumer information (such as government IDs or face scans) that will produce a lot of balks, but there still may be balk rate differences between them.
- how much trust do consumers have in the authenticator? Trust is also a proxy for consumer concerns about privacy and security.

There are likely other considerations I didn’t capture here. I welcome your suggestions.

In this post, I’ll highlight three data points about balk rates. (If you know of other published data on this topic, please email me).

Pornhub’s Experiences

Pornhub has shared some data about its balk rates. In Louisiana, Pornhub says its traffic dropped 80% in Louisiana when it implemented an age authentication wall. Elsewhere, Porhub has said that “over 99% of users subjected to a verification requirement did not verify their age.”

Going back through the factors I identify above, you can see why these numbers might be so high. Pornography services have competitive alternatives that aren’t age-authenticated, and there are high privacy and security risks to pornography consumers.

The high balk rates also explain why Pornhub opted-out of states that have imposed age authentication mandates. If it’s going to lose 99% of those consumers due to the mandate, it’s already out of the market either way, so officially withdrawing from the market has no real opportunity cost.

An EU Study

In 2022, the EU did a comprehensive study of age authentication balk rates in the “Pilot Execution Report – first large scale euCONSENT pilot“. The study assigned EU consumers three authentication “missions” to complete and then studied consumers’ mission completion rates.

The missions differed depending on the age and status of the user, so it’s pretty hard to draw any definitive conclusions. Most importantly, the study doesn’t reveal the completion rate of the first mission, which was to do the initial age authentication. To me, this seemed like the most essential datapoint, but the report didn’t mention it. The second mission was to navigate to another site without reauthenticating. That had about an 80% completion rate. The third mission was to jump through a more rigorous authentication hoop. Only about 63% of the group who completed the first mission were able to complete that third mission.

There was a follow-on study (“Pilot Execution Report – third euCONSENT“) with more missions. Collectively, some of the data points that stood out to me:

12% of adults and 21% of parents failed to complete the authentication and reauthentication process; and 22% of parents failed to complete the parental authorization process.
85% of consumers said they wouldn’t wait more than 5 minutes to do an authentication process, even if that was a one-time process for a permanent web-wide authentication.
If given the choice, 68% of consumers preferred face scans, 15% preferred document scanning, and only 3% preferred credit card authentication (which, as I mention in my Segregate-and-Suppress paper, isn’t considered to be a credible authentication nethod).
21% of the study participants reported a technical problem trying to do the authentication.
With respect to trying to buy alcohol online, 22% said they would do something other than complete the online age authentication.

I’ve been through these studies a few times, and each time I was confused by the methodology and results. The reports left open obvious questions, may be specific to the EU’s consent process, and may be outdated based on developments in the past 4 years. And yet, these reports make it clear that there will be tens of millions of EU consumers who will fail to navigate (or would prefer not to navigate) the authentication systems the EU is putting in place.

The Carnegie Mellon Study

A Carnegie Mellon research team (plus one Princeton researcher) posted a preview of an experiment on age authentication balk rates. The study is called “Measuring User Responses to Online Age Verification Mechanisms Through A Deceptive Experiment.” The researchers solicited participants to watch R-rated video clips. However, before the survey takers could watch the clips, the researchers said they had to navigate an age authentication barrier to see how they reacted. The survey indicates the following balk rates:

checkbox self-attestation: 1% balk rate (i.e., 99% completion rate). This option is meaningless because I don’t believe any regulators consider self-attestation a permissible method of age authentication.
“Email-based estimation”: 14% balk rate.
“AI facial estimation”: 49% balk rate.
government-ID methods: 73-77% balk rate (the variation depended on assurances about privacy and security).

The researchers conclude: “technically robust verification methods may be ineffective in practice if users systematically decline to comply.”

Two observations of mine:

Consistent with the EU report showing consumers prefer face scans over document ID reviews, the balk rate was noticeably lower for face scans than government-issued IDs (though both balk rates were high). As face scans roll out across the Internet, I wonder if consumers are becoming desensitized to doing face scans and increasingly view them as an inevitable and standard price of admission?
The preview doesn’t mention what motivations participants had to complete the process. For example, were they promised any compensation? If the only motivation for navigating the authentication wall was altruism (i.e., to support the research), then we should expect much higher balk rates than we would find in the field, when users are trying to achieve their self-directed objectives.

Implications

The Carnegie Mellon paper references the constitutional principle of tailoring, i.e., how likely is the law to achieve its desired outcome? Higher balk rates are a sign that an age authentication mandate isn’t appropriately tailored because it’s suppressing constitutionally protected conversations. However, there is no numerical cap on balk rates before an age authentication mandate becomes constitutionally impermissible. Instead, in the Free Speech Coalition v. Paxton decision, the majority opinion said “adults have no First Amendment right to avoid age verification.” That implies that the court may not care about balk rates at all.

Age authentication mandates always shrink the Internet, and balk rates are one way of measuring the shrinkage. Every time an adult fails to navigate an age authentication process (whether by choice or due to technical challenges), that’s another lost customer for the authenticating service. If the Carnegie Mellon study accurately predicts field behavior, face scans or document reviews will cost the authenticating services half of their customers or more. Such high balk rates would collapse the Internet ecosystem, because there won’t be enough authenticating customers for services to operate profitably. Even a 10-20% balk rate will have major consequences for many services that are already operating on razor-thin margins, such as content publishers who have already seen their ad revenues shrink over time. These Internet shrinkages have significantly economic and social consequences for all of us, yet regulators routinely ignore these issues completely when clamoring for more age authentication manates.

To reduce balk rates, governments around the globe are trying to build an infrastructure to reduce the friction of age authentication. Less friction addresses one problem (the balk rate) and creates a host of other problems.

The EU plans to rely on widespread adoption of digital IDs combined with an API wrapper that exposes only age authentication information to services around the Internet. Digital IDs raise a host of privacy and security concerns. They are also the foundational infrastructure for comprehensive government monitoring and control of constituent movements online. I’m also unclear how the EU plans to address the fact that tens of millions of EU residents won’t have digital IDs for the foreseeable future.

Alternatively, some governments are trying to force one-time age authentications when a user acquires a device or first logs into an app store. By moving the age authentication process forward to a central point (the device or the app store), the user avoids doing repetitive authentications downstream. However, that assumes the user can or wants to complete the authentication in the first place; anyone blocked at the beginning is stuck. The high-value authentication data also will act as attractive centralized honeypots for malefactors. Also, this approach normalizes age authentication and will make it seem routine for interactions that today don’t require age authentication. It will likely shift the default about when we need to age-authenticate. Today, we can enter websites or use apps without presenting credentials, just as we do in most physical spaces; in the future, that presumption will be reversed. Finally, whoever is doing the centralized authentication won’t do it for free. A small number of entities are poised to extract monopoly rents by taking a cut of this government mandated process.

* * *

Blog Posts on Segregate-and-Suppress Obligations

The post How Often Do Consumers Balk at Doing Online Age Authentication? appeared first on Technology & Marketing Law Blog.

Court Rejects Lawsuit Over Online Criticisms of a Dater–D’Ambrosio v. Meta

Eric Goldman — Sat, 16 May 2026 16:39:26 +0000

Abbigail Rajala posted a critical review of her dating experience with Nikko D’Ambrosio on the Chicago subboard of Facebook’s Spill the Tea group. According to the district court, D’Ambrosio “sued anyone remotely associated with those posts for all possible, imaginable claims, including the woman who dated him and her parents, women commenting on posts, the operators of the Facebook group, and Facebook itself.” The district court dismissed his case. The Seventh Circuit affirms, says parts of the appeal may be sanctionably “frivolous,” and calls out the plaintiff lawyers’ misuse of Generative AI.

Illinois Right of Publicity Act

“D’Ambrosio’s IRPA claims fail because he has not sufficiently alleged that any defendant used his likeness for a commercial purpose.”

With respect to Facebook:

A free-floating profit motive is not enough…Meta did not have a commercial purpose in terms of the IRPA merely because it displayed advertisements for products or services unrelated to the posts on the same page with them.

Doxing Act

This is the Seventh Circuit’s first review of Illinois’ recently enacted Doxing Act. It says there are six elements to the claim:

(1) intentional publication of personally identifiable information; (2) the published information identifies a person without reliance on extrinsic sources; (3) lack of consent to the publication; (4) intent to harm or harass; (5) knowledge or reckless disregard of a reasonable likelihood of death, bodily injury, or stalking to the person whose information is published; and (6) one or more of the listed harms results.

The panel says D’Ambrosio didn’t sufficiently allege Rajala’s scienter about placing him in reasonable fear of death, bodily injury, or stalking:

D’Ambrosio never alleged that he was actually stalked or subjected to bodily injury, nor that anyone attempted to do so. D’Ambrosio identified no past incidents of physical harm or stalking directed against men discussed in the Group. The Group’s rules prohibit sharing screenshots with other people, and its administrators warn users about the risks of confronting men they personally know whom they see posted on it. The allegation that Ms. Rajala made “100,000 unidentified women” become aware of his conduct does not, without more, support an inference that she recklessly disregarded a reasonable likelihood that one of those women would physically harm D’Ambrosio or stalk him. Recall that the purpose of this online group was to help women identify men to avoid.

With respect to the Spill the Tea group operators:

D’Ambrosio’s allegations reasonably support an inference that the STT defendants recklessly encourage users to post sensational content regardless of its potentially tortious nature and that they take measures to prevent the subjects of such posts from becoming aware of their existence and to assist users in avoiding legal responsibility when they cross the line. Notwithstanding efforts to prevent information posted on the Group (and the others nationwide) from leaving the platform, nothing can really stop allegations of anything from rudeness to serious felonies from spreading elsewhere…We find no allegations in this case, however, from which we could reasonably infer that the STT defendants knew of or recklessly disregarded a risk to D’Ambrosio of death, bodily injury, or stalking.

The panel has several (unfair IMO) criticisms fordater accountability boards like Spill the Tea. I wonder if those criticisms could be correlated with the fact that all three judges on the panel were old white men who never navigated the dating world as millennial women?

Though the court rejects this doxing claim, I continue to be extremely nervous about the chilling effects of anti-doxxing statutes. A “reckless disregard” standard gives plaintiffs a lot of room to manufacture controversy out of standard online chatter. Given that thin-skinned individuals–even the US government–take unjustified views of what constitutes doxxing, anti-doxxing statutes are well-positioned to become SLAPP factories.

Defamation

The allegedly defamatory post referenced someone else, not D’Ambrosio, and there was no reason for anyone to believe the post equated the two people. D’Ambrosio also doesn’t make a sufficient showing of reputational damage. As a result, the court says it doesn’t need to address Section 230 because the claim fails for lack of merit. Sidestepping Section 230 is probably for the best in light of the Seventh Circuit’s penchant for overcomplicating its Section 230 analysis.

Sanctions

The panel says “This is a relatively rare appeal in which sanctions appear to be appropriate [because] This appeal was entirely frivolous at least as to each of the Rajalas.” D’Ambrosio sued Rajala’s parents. “Outside of the statement of the case, the Rajalas were mentioned only once in D’Ambrosio’s opening brief.” As for Rajala, the doxxing claim “is replete with fictitious quotations and misstatements of law, matter that cannot form the basis of a non-frivolous appeal.” (More on the hallucinations in a moment). The defamation and false light claims are also unsupportable. The court orders the plaintiff’s lawyers to show cause regarding sanctions.

Misuse of Generative AI

The court says the plaintiffs’ filings, made by lawyers from Trent Law Firm PC, “bear the hallmarks of the misuse of generative artificial intelligence.” The court even notes the firm’s website “boasts of the firm’s extensive incorporation of artificial intelligence into all areas of its representation.” The court refers the matter (plus the frivolous claims) over the Illinois State Bar, but it doesn’t independently sanction any Generative AI misuse. Instead, it makes a short but grandiose statement against Generative AI misuse.

As I’ve mentioned before, I’m increasingly seeing Generative AI misuse in cases where the lawyers display other violations of attorney professionalism, such as the frivolous claims in this case. Maybe the court decided to address the frivolous claims (which appeals courts routinely overlook, at least in terms of sanctions) more aggressively as a backdoor way of redressing their concerns about the Generative AI misuse.

Parting Thoughts

Nikko D’Ambrosio is a multi-time loser: he didn’t seem to be a very good boyfriend, he’s not a good citizen (he committed tax violations), and he’s not a good plaintiff. On the plus side, he did find one perfect match: he found lawyers just as dedicated as he was to Streisand Effect-ing their way to, um, stardom.

Case Citation: D’Ambrosio v. Meta Platforms, Inc., 2026 WL 1361951 (7th Cir. May 15, 2026).

If you have the stomach for it, try to read Trent’s “David v. Goliath” blog post from 2025 about this case. The post has zingers like: “We have a great team—project managers, everything related to AI now. Even Meta can’t beat us.” In retrospect, about that…

The post Court Rejects Lawsuit Over Online Criticisms of a Dater–D’Ambrosio v. Meta appeared first on Technology & Marketing Law Blog.

Section 230’s Application to Account Terminations, CSAM, and More

Eric Goldman — Thu, 19 Mar 2026 15:22:14 +0000

The Section 230 cases keep coming faster than I can blog them (the first 3 hit my alerts in a single day).

Weiss v. Google LLC, 2026 WL 733788 (Cal. App. Ct. March 16, 2026)

Weiss’ business started running financial services ads on Google in 2015. Google suspended the ads multiple times, until Google issued a final suspension in 2024. The court says Section 230 protects Google’s suspension decisions.

The court starts with standard context-setting: “California’s appellate courts and federal courts have also generally interpreted section 230 to confer broad immunity on interactive computer services.”

The court continues:

Weiss seeks to adjudicate Google’s characterization of his business and its decision to suspend its ads. However, this conduct, i.e., Google’s “refusal to allow certain content on its platform,” is “typical publisher conduct protected by section 230” regardless of the reason for that refusal….

even if Google’s characterization of Weiss’s advertisements does not align with Weiss’s characterization, section 230 still affords Google immunity from liability for its decision to suspend his content…

all the content Weiss claims Google wrongfully suspended was admittedly created by Weiss, not Google…

Google’s determination that Weiss’s ads violated its general policies is not equivalent to contributing to the ads’ content.

In a footnote, the court adds: “Weiss seeks to hold Google liable for its enforcement of its own general policies, rather than a breach of a specific promise.”

When the dust settles, this becomes just another failed lawsuit over account terminations and content removals.

A reminder of the content moderation dilemma Google faces here. A few courts have said that Facebook doesn’t qualify for Section 230 protection for running scammy ads (e.g., Forrest v. Facebook). As a result, Google has good reason to suspend Weiss’ ads to manage its own liability exposure. At the same time, if Weiss succeeded with his claims here, then Google would have been potentially liable for removing ads based on Google’s fears that they are scammy. This would force Google to deploy a Goldilocks version of content moderation: Google would have to get its ad removal policy “just right,” with potential liability for mistakes in either direction. An impossible challenge.

Thompson v. The Meet Group, 2026 WL 730134 (E.D. Pa. March 16, 2026)

Thompson said Tagged deactivated his livestreaming account and stole $10k from him.

For reasons that aren’t obvious to me, Tagged defended on Section 230(c)(2)(A) grounds instead of 230(c)(1). Maybe this has something to do with trying to navigate around the abysmal Anderson v. TikTok case? EDPa courts are bound by that decision.

The court says Tagged can’t establish the 230(c)(2)(A) defense elements on a motion to dismiss: “application of CDA immunity in this case requires assessment of facts that are not in the pleadings—such as the reason why Thompson’s account was disabled and the content of Thompson’s posts.” Also, Thompson’s allegations of theft might defeat 230(c)(2)(A)’s good faith prerequisite. Cites to Smith v. TRUSTe and e-ventures v. Google.

No matter, the case fails anyway. (Another example of Section 230 not being the only reason why lawsuits lose). The court says the plaintiff had no property interest in his social media account that could be converted (cite to Eagle v. Morgan). The plaintiff’s TOS breach claim fails multiple ways, including the TOS’s reservation of termination rights and damages waiver.

So this becomes yet another failed lawsuit over account terminations, just not due to Section 230. You already know this, but if you’re a defendant in these cases, you should be focusing on 230(c)(1), not 230(c)(2)(A).

Gehringer v. Ancestry.com Operations Inc., 2026 WL 734526 (N.D. Cal. March 16, 2026)

Plaintiffs are individuals who have not subscribed to the Ancestry.com service and have not consented to the use of their name or photograph. They allege Ancestry not only includes their yearbook information on a searchable database, but also utilizes their likenesses as part of advertisements for Ancestry.com services…

Plaintiffs contend Ancestry used their likeness in three forms of “advertising”: 1) publication of the yearbook information on a database that contains a paywall for certain features; 2) dissemination of emails to potential Ancestry.com subscribers, noting Ancestry Hints® can expand their family tree, and using the names and images of Plaintiffs as examples; and 3) an Ancestry free trial program that allows potential subscribers to access Plaintiffs’ yearbook information for a limited time.

The court nixes claims over category #1 and #3 ads due to copyright preemption.

As for the category #2 ads:

Plaintiffs allege Ancestry crafted email advertisements that included their likenesses to encourage potential customers to subscribe to Ancestry’s service. The email advertisements were not created by a third-party user of Ancestry.com—Ancestry authored the content, and as such, it is “responsible, in whole or in part, for the creation” of that offending content. To avoid this conclusion, Ancestry attempts to recast the allegations in the First Amended Complaint, asserting Ancestry merely “republish[es] yearbook photos taken and first published by Esperanza High School.” But as the screenshots in the Complaint confirm, the emails sent by Ancestry to prospective users include far more than republished images of Plaintiffs; they incorporate those images into an advertisement for the Ancestry Hints® functionality and Ancestry’s subscription service. Drawing all inferences in Plaintiffs’ favor, Section 230 does not immunize Ancestry against liability for the content of the alleged email advertisements

Notice that Ancestry’s ad creation practices go further than Facebook’s sponsored stories, which also didn’t qualify for Section 230 protection.

State v. Sharak, 2026 WI 4 (Wis. Supreme Ct. Feb. 24, 2026)

Google scanned Sharak’s Google Photo uploads, identified what it thought was CSAM, and submitted a CyberTip. Sharak argued that Google was conducting the search on the state’s behalf. The court disagrees and upholds Sharak’s conviction.

That isn’t unusual. What’s more unusual is the court’s discussion of Section 230. “Rauch Sharak argues that [Section 230(c)(2)’s safe harbor] encourages ESPs to scan for CSAM by granting immunity to ESPs that moderate content and creating civil and criminal liability if ESPs do not scan for CSAM.”

The court responds:

Though § 230(c) may grant immunity to ESPs that choose to scan for CSAM, it does not require, reward, or incentivize scanning for CSAM in the first place. Moreover, § 230(c)(2)(A) grants immunity for “any action voluntarily taken in good faith to restrict access to” obscene material, which sweeps far more broadly than would be required to induce Google’s CSAM scan at issue here….

Even if the statutes encourage Google to scan for CSAM or provide a law-enforcement purpose, Rauch Sharak has not shown that they are enough to turn Google into an instrument or agent of the government.

Alice Rosenblum v. Passes Inc., 2026 WL 711837 (C.D. Cal. Feb. 3, 2026)

[The fact allegations are based on the court’s summary of the complaint.] Passes is a competitor to OnlyFans. Unlike its rivals, Passes allows 15-17 year olds to create accounts with parental consent. Guo is the CEO, and Celestin is a content acquisition specialist. At Guo’s direction, Celestin personally reached out to 17-year-old Alice Rosenblum to create a Passes account. Celestin did a photoshoot of Rosenblum and (with Guo’s help) created a Passes account for her without requiring parental consent.

“Over the next month, while Plaintiff was still 17 years old, Celestin and Ginoza [another Passes employee] allegedly directed Plaintiff to create sexually explicit images and videos of herself….the FAC provides over 14 examples of child sexual abuse material (“CSAM”) involving Plaintiff, being marketed on the Passes platform for $69 to $4,000. Furthermore, Passes agents posing as Plaintiff allegedly communicated via direct message to “big spenders” to continue to market and sell CSAM involving Plaintiff.”

The court rejects Passes’ and Guo’s Section 230 defense:

Section 230 immunity plainly does not apply to Plaintiff’s claims. To be sure, Plaintiff does largely seek to hold Passes Defendants liable as providers of an interactive computer service, and several allegations treat Passes as a publisher, as they involve Passes’ distribution of CSAM involving Plaintiff…Plaintiff alleges that Passes and its agents were directly responsible for the creation and portrayal of the CSAM on the Passes platform: Plaintiff alleges that Celestin, acting as an agent of Passes, personally took at least one photo of Plaintiff which was uploaded to Passes, and further instructed her to create specific photographs and videos and upload them to Passes, which he later marketed under specific captions and sold. Plaintiff further alleges that Passes itself hosted a banner featuring a sexually explicit photo of Plaintiff, which marketed CSAM involving Plaintiff. Plaintiff therefore seeks to hold Passes liable for harm allegedly arising out of its own creation of harmful content.

Passes claimed that Celestin and Ginoza were third parties, but “As alleged, Celestin was
not merely another third-party user of Passes; rather, he acted as an agent and employee of Passes.” Cite to Quinteros.

The court summarizes:

Section 230 immunity does not apply to Passes, a platform which has allegedly, through its agents, deliberately created, marketed, and sold illegal content, acting as an “information content provider” that uses its own “interactive computer service.”

In a footnote, the court adds regarding Guo: “Plaintiff’s allegation that Guo encouraged Plaintiff over the phone to post content, which supports Plaintiff’s claims for IIED and California Civil Code § 52.5, does not hold Guo accountable for Passes’ publishing activity.”

Doe v. X Corp., 2026 WL 772384 (N.D. Tex. Feb. 25, 2026)

“A third party copied commercial pornographic content from Plaintiff’s OnlyFans and studio-based productions and uploaded it to X without his consent, violating the OnlyFans terms and conditions and the studios’ licensing agreements.” He sued pursuant to 15 U.S.C. § 6851(b)(1)(A), a private right of action for nonconsensual production of intimate visual imagery. Doe produced the porn consensually, but he claims the restrictions extended to nonconsensual distribution.

The court says X qualifies for Section 230. Doe responded that he owned the IP in the works, so the IP exception applies. The court says:

The [IP] exception applies only when the claims arise from a law directly implicating intellectual property rights, not merely when intellectual property is involved in the claim. And the statute under which Plaintiff sues—§ 6851—is not an intellectual property law. Rather, it is concerned with “whether the depicted individual consented to a specific disclosure of an intimate visual depiction—regardless who holds the copyright to the image.” Thus, § 6851 creates a privacy-based tort right of action, not an intellectual-property based one.

The boundary between privacy and IP laws remains amorphous–increasingly so with all of the concerns about “deepfakes,” “virtual replicas,” and other AI-related regulations that use privacy framing to create what look like sui generis IP rights. This could be a good student paper topic.

For more discussion of the IP exception to Section 230, see this article.

Teague v. Google, 2026 WL 746996 (D. S.D. March 17, 2026)

Plaintiff claims Google committed defamation based upon the fact that “people think I raped [redacted]. This case (sic) been dismissed in 2021 but it still show (sic) on Google and caused me to (sic) threaten and attacked a few times.” Plaintiff further claims his image is on Google and it is difficult to get a job because the rape charges still appear on Google.”…

Google is not a “publisher or speaker” under the CDA and therefore “cannot be liable under any state-law theory to the persons harmed by the allegedly defamatory material.”

Google is immune from suit for defamation claims arising out of other content providers’ posts on the internet.

The post Section 230’s Application to Account Terminations, CSAM, and More appeared first on Technology & Marketing Law Blog.

Photobucket’s Attempted TOS Amendment Mostly Fails–Pierce v. Photobucket

Eric Goldman — Sat, 14 Mar 2026 16:54:18 +0000

Photobucket is a venerable photo hosting service whose best days are far behind it. In 2017, its management imploded the service by imposing above-market hosting fees. Most users stopped using Photobucket, but Photobucket kept their photos.

In 2024, Photobucket emailed its legacy users, asking if they wanted Photobucket to keep or delete their accounts. Users who clicked on the email’s links–included to delete their accounts–were presented with a new TOS formation process that included a consent to use the photos to derive users’ biometric information for AI purposes. “If users did not opt out of the Biometric Policy within 45 days of July 22, 2024, Photobucket claims the right to sell, lease, trade, or otherwise profit from the users’ biometric information.” (Photobucket claims it hasn’t actually pursued this AI option). The new TOS also contained an arbitration provision that wasn’t in some prior TOS versions. Photobucket invokes the arbitration clause against the plaintiffs’ lawsuit.

Article III Standing. The court says the plaintiffs only have Article III standing for equitable relief, not damages. This narrows the case substantially.

Pierce

Pierce agreed to Photobucket’s 2008 TOS and last logged into Photobucket in 2014. The 2008 TOS informed Pierce that his “continued use” of Photobucket would constitute acceptance to any TOS modifications. Since he didn’t use the site after 2014, he didn’t assent-by-use to the 2024 TOS:

a reasonable person would not understand his failure to take his photos off of
Photobucket, after not logging in for nearly ten years, to constitute “continued use” and thus acceptance of any revised terms.

In other words, a user’s maintenance of a legacy account isn’t “continued use” of the service.

Ms. Hughes

Ms. Hughes agreed to Photobucket’s 2006 TOS and last logged into Photobucket no later than 2011. The 2006 TOS said:

By using the Services you agree to the Terms of Service set forth below as they may be updated from time to time by Photobucket.com, Inc. (“Photobucket.com”). Photobucket.com may modify or terminate the Services from time to time, for any reason, and without notice, including the right to terminate with or without notice, without liability to you, any other user or any third party, provided that when Photobucket.com does so, it will update these Terms of Service. You are advised to periodically check the website for changes in the Terms of Service.

The court says this TOS “told Ms. Hughes that she was “advised to periodically check the website for changes in the Terms of Service.” The 2006 Terms “necessarily inform[ ] how a reasonably prudent user would interact” with Photobucket’s website.”

But…the TOS applicable to Pierce said “It is therefore important that you review this Agreement regularly to ensure you are updated as to any changes.” The court disregarded that language for Pierce. Can you find a difference between the disclosures to Pierce and Hughes? Beyond the (seemingly immaterial) language differences, the court’s different conclusions might be explained by (1) Pierce was governed by Colorado law, Hughes by CA law; or (2) Hughes admitted getting emails telling her about the coming changes, though she didn’t pay attention to them. I don’t find those distinctions persuasive, so I can’t meaningfully distinguish Pierce’s situation from Ms. Hughes’.

The court says Hughes is bound to the 2024 TOS:

the 2006 Terms told Ms. Hughes that she had an obligation to periodically check Photobucket’s website for updates to the Terms. The 2024 Terms and arbitration provision constitute an update to the Terms that Ms. Hughes had an obligation to stay apprised of. Ms. Hughes assented to the 2024 Terms because they informed her that failure to opt out within 45 days of the effective date would constitute acceptance, and Ms. Hughes did not opt out

Whoa. The court is saying that even though Hughes functionally abandoned Photobucket in 2011, a “reasonably prudent user” would have kept checking Photobucket’s TOS 13 years later just in case the terms had changed. Wild.

Because Ms. Hughes “agreed” to the 2024 TOS, she also “agreed” to its jury trial waiver.

However, the arbitration clause excludes IP claims. The plaintiffs alleged 1202(b) claims, which the court says are IP claims and thus not covered by the arbitration provision. This claim stays in court.

Cumming

The parties can’t agree when Cumming created her Photobucket account or when she last used it, but everyone agrees that she agreed to the 2013 TOS and didn’t use the site later than 2013. That TOS version said “so long as you’ve used the Site after the change, regardless of any separate notice, you agree to the current posted version of the Terms.” Similar to the court’s discussion of Pierce, the court says “a reasonable person in Ms. Cumming’s position would not understand her failure to take photos off of Photobucket to mean that she “used” Photobucket after 2010 or 2013 and thus assented to the 2024 Terms.”

Mr. Hughes

He didn’t have a Photobucket account, but Ms. Hughes uploaded photos of him. The court says he’s not a third-party beneficiary of any TOS and not bound by the arbitration clause.

Court Stay

The court stays the litigation until after the arbitration, even though the court held that 3 of the 4 named plaintiffs were not bound by the arbitration and the fourth plaintiff had a claim not subject to arbitration. Because the court will not be bound by the arbitrator’s decisions for the non-arbitrated plaintiffs and claims, I didn’t understand why the court held everything else up. A slightly lucky break for Photobucket, because it avoids the cost of defending the litigation and arbitration simultaneously.

Implications

Here’s where things stand when the dust settled:

damages are out of the case
part of one plaintiff’s case is sent to arbitration
when that’s complete, the court will address the remainder of that plaintiff’s case plus the other three plaintiffs’ cases

A messy outcome…perhaps messy enough to motivate the parties to settle? Without the availability of damages, this case became less interesting to the plaintiffs. Alternatively, I could also see the plaintiffs appealing this ruling.

Though Photobucket nominally got the outcome it wanted (the case sent to arbitration), it does not come out of this ruling looking very good. Some of the lowlights:

its inital TOS amendment provisions sucked. It had various versions of “you need to come back to the site to check for possibly amended terms,” which has rarely fared well in court. Frankly, it’s shocking to see the judge find this “keep checking the TOS 13 years later” provision worked against Ms. Hughes. I don’t think that’s what a reasonable consumer would do. (As usual, the court cited no empirical basis for its assessment of what a reasonable consumer would do or think).
the fact that Photobucket’s TOS amendment language kept changing over time. The language differences ensure more litigation work when it’s challenged.
the fact that Photobucket kept changing its governing law clause. Another decision that increased its defense costs and the risk of inconsistent outcomes.
the fact that Photobucket couldn’t definitively establish the dates of the users’ account creation or usage.
its 2017 implosion. How did it misjudge the market so badly?
its 2024 pivot to potentially engage in AI mining. I guess if you’ve already killed your business, why not try to salvage what’s left of the carcass?
the attempt to bind legacy users via a TOS that users had to click through even if they wanted to exit Photobucket. Gauche.
the arbitration provision’s exclusion for IP. Plaintiffs are weaponizing 1202, so IP carveouts have become dangerous. Reminder: every part of the arbitration provision should be carefully vetted for potential plaintiff weaponization.

The result was a messy outcome with different plaintiffs for getting different outcomes. Not what Photobucket was aiming for.

The obvious question: was there a better way for Photobucket to force all legacy users onto its new AI-friendly terms? This judge seemed to believe that the right incantation would let Photobucket put the onus on users to check for TOS amendments, but most judges won’t permit this. Could Photobucket have forced users to the new terms through its emailed notifications? The Ninth Circuit just permitted this, so maybe? The reality is that it’s difficult or impossible to universally bind all legacy users to new terms if they aren’t coming back to the website. I don’t have any clever hacks or tricks to work around this.

Case Citation: Pierce v. Photobucket Inc., 2026 WL 672764 (D. Colo. March 10, 2026). CourtListener page.

Other posts about Photobucket

The post Photobucket’s Attempted TOS Amendment Mostly Fails–Pierce v. Photobucket appeared first on Technology & Marketing Law Blog.

Fair Use Blocks Privacy-Motivated Copyright Lawsuit–MCM v. Perry

Eric Goldman — Mon, 16 Feb 2026 17:14:50 +0000

The case involves a Twitter user, Perry (a/k/a “I, Hypocrite”), who tweet-critiqued a crypto company Celsius Networks. The first tweet in the sequence referenced a business setback for Celsius. The second tweet in the sequence contained a collage of two images with the caption “Same company btw” (i.e., Celsius).

The first collaged image shows Jessica Khater’s, a Celsius executive, listing in Forbes 30 Under 30. The second collaged image is a screenshot from an unnamed video that depicted “Jessica” with the transcription that she studied marketing and business. The juxtaposition implied that Jessica and the Forbes 30 Under 30 executive were the same person.

The court is as baffled by this tweet thread as you are (“This Court makes no finding as to what Defendant subjectively intended to communicate through the Tweet, as the Defendant’s intentions are not alleged within the complaint or obvious from the Tweet itself”). Connecting the dots, perhaps the inference is that the Forbes 30 Under 30 executive studied business and marketing, worked for Celsius, and thus might be responsible for Celsius’ downfall. Or perhaps the inference is that the Forbes 30 Under 30 executive chose to make porn earlier in their life (which, as discussed in a moment, would not be true) and that choice relates to their competence or reputation. If either inferential chain seems illogical or shaky, recall this is a social media tweetstorm about crypto, a notoriously chaotic corner of the information ecosystem. The court never expressly resolves if the video Jessica and the Forbes 30 Under 30 executive are the same person.

The screenshot is included in the court filings, and the similarities of the two faces is directly relevant to the tweet sequence’s meaning. Nevertheless, I’m covering up “Jessica’s” face because she is a sex trafficking victim:

The screenshot was extracted from an unnamed sexually explicit video produced by Girls Do Porn (GDP). As you can see, the screenshot isn’t sexually explicit (Jessica is depicted on a bed fully clothed). In prior proceedings, another court held that GDP was “a criminal sex trafficking enterprise” and awarded restitution by transferring the IP rights in the videos to the victims–presumably to give the victims additional legal tools to suppress further disseminations of the video. (I didn’t work through the 17 USC 201(e) implications of the prior restitution order).

“Jessica” received the copyright to the video from which the screenshot was extracted and assigned the rights to an enforcement agent. Jessica’s enforcement agent sent a 512 takedown notice to Twitter targeting the screenshot. Twitter removed the tweet.

Despite the removal, Jessica’s enforcement agent also sued Perry for copyright infringement for posting the screenshot in the first place. The court dismisses the claim due to fair use–on a motion to dismiss.

Nature of the Use

the Tweet utilized the still frame for a transformative purpose. The Video is a pornographic film with the express purpose of displaying explicit sexual content. Conversely, the Tweet does not contain any nudity or sexually explicit imagery and is framed as a commentary on Celsius….

The Defendant’s reproduction of the still frame in the composite image is in service of this commentary….By arranging the images of two women, both identified as being named Jessica, side by side, the composite image vaguely implies that a Celsius executive appeared in a pornographic film. The still frame’s accompanying text stating that Jane Doe was studying business and marketing further supports this implication.

In short, a reasonable observer would understand the Tweet as a commentary on Celsius with a markedly different purpose from the original pornographic video. Further, as a commentary on a “subject of public interest” (i.e., Celsius’ decision to pause its customer’s transfers and withdrawals), the Tweet’s transformative use of the still frame justifies its copying.

Nature of the Work. The court says this factor is neutral and not important.

Amount Taken

the Tweet reproduced a single frame of a forty-six-minute video….The Tweet does not capture the central expression of the Video and is not a substitute for the original. The heart, or core, of the Video is its sexually explicit imagery. The Tweet is not pornographically explicit and shows a fully clothed woman describing her career interests.

Market Effect

Defendant’s use of a single still frame from the Video was a transformative secondary use intended as a form of commentary on Celsius. Further, the Defendant’s use of a single frame from the video did not include any sexually explicit imagery. In short, a person in the market for a sexually explicit, pornographic film would not turn to the Tweet. Because Defendant’s use of the still frame would not, and could not, usurp the market for the Video…

Plaintiff admits that the Tweet would not harm the market for the Video.

Implications

Do Screenshots Extracted from Videos Infringe? In general, I think that single images extracted from videos should routinely qualify as fair use. This case involved more complicated facts, because the video’s screenshot compared the depicted individual to the Forbes 30 Under 30 segment in service of a larger critique of Celsius. Many extracted screenshots from videos won’t similarly engage in social commentary or need to present the screenshot as visual evidence to support the commentary.

Even so, if the extracted screenshot merely illustrate the video or the person depicted, or provides the foundation for a meme, the republication of a screenshot is a trivial fraction of the source work and poses no threat to the market for the originating video. In other words, the last two fair use factors should always weigh in the defendant’s favor. This case may not be definitive precedent to establish that other screenshot publications should routinely qualify as fair use, but it shows a roadmap to that conclusion.

Copyright and Overremovals. Twitter honored to Jessica’s enforcement agent’s 512 takedown notice by removing the tweet. However, this court opinion confirms that the tweet was never infringing. As a result, Twitter’s response appears to be yet another unwarranted 512-induced overremoval (I have another post about DMCA overremovals coming soon).

When Takedowns Don’t Satisfy the Copyright Owner. We don’t often see copyright owners sue uploaders after a successful 512 takedown. 512 doesn’t eliminate those lawsuits; instead, 512(h) facilitates such lawsuits by helping copyright owners unmask the uploader. Nevertheless, the incremental value of a copyright infringement lawsuit after a successful takedown is typically small. The need for an injunction has essentially evaporated; lawsuits take a long time chronologically and cost more money; the damages at issue might be trivial (especially if the takedown was effectuated quickly); and the copyright owner runs the risk of a Streisand Effect (an especially acute risk here given the privacy motivation of this lawsuit). I’m not sure what the plaintiff hoped to accomplish with this post-takedown lawsuit.

Copyright as a Silencing Mechanism. This lawsuit seemed to be motivated more by privacy concerns than copyright. The plaintiff admitted as much: “Plaintiff wishes to depress the demand for the Video and use the Federal Copyright Law to control further dissemination of the Video, or any portion thereof” (cleaned up).

While copyright law can act as a doctrinal tool for suppressing content, it’s ill-suited as a privacy tool for reasons that Prof. Silbey and I discussed in our Copyright’s Memory Hole paper. As we wrote there, “treating copyright law as a general-purpose privacy and reputation tort harms us all.”

I’ll note that the complaint only alleged copyright infringement–no defamation, false light, or privacy claims. I wonder if any of those alternative claims would have been more appropriate to address the underlying privacy concerns?

* * *

I feel sympathy for Jessica’s sex trafficking victimization. However, especially after Twitter’s takedown of the screenshot, this copyright lawsuit was also problematic. I still believe that any time a court grants fair use on a motion to dismiss, a 505 fee shift to the defense should usually follow because the legal claims weren’t close.

Case Citation: MCM Group 22 v. Perry, 2026 WL 279525 (S.D.N.Y. Feb. 3, 2026). The complaint. Defense counsel’s writeup of the case.

The post Fair Use Blocks Privacy-Motivated Copyright Lawsuit–MCM v. Perry appeared first on Technology & Marketing Law Blog.

California’s Consumer Privacy Act (CCPA) Assists a Private Right of Action–Shah v. MyFitnessPal

Eric Goldman — Sun, 15 Feb 2026 15:56:35 +0000

It’s been years since I blogged about the California Consumer Privacy Act (CCPA). Have you missed the dumpster fire meme?

* * *

This is one of an ever-growing number of cases alleging that a website purported to let users decline cookies but then disregarded those instructions and placed the cookies anyway.

Among other claims, the plaintiffs alleged that the unconsented cookie placements and resulting consumer tracking violated the common law invasion of privacy and intrusion upon seclusion doctrine. The court says that the CCPA’s statutory provisions bolster these common law claims:

The California Consumer Privacy Act (CCPA) further supports the conclusion that plaintiffs Shah and Wiley had a reasonable expectation of privacy in the information that was collected by cookies they had attempted to reject. As the California Attorney general’s website explains, the CCPA requires that companies give users the choice to opt out of any collection of personal information for “cross-context behavioral advertising, which is the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s online activity across numerous websites.”

Two obvious points. First, CA AG’s website explanations aren’t binding interpretations of the CCPA. As the Dude might say, that’s just like, uh, their opinion, man. (Though this AG quote is just trying to summarize the overwhelmingly complex CPRA).

Second, the CPRA’s cross-context behavioral advertising restriction doesn’t implicate all cookie placements. In other words, there are many reasons why a website might place a cookie that have nothing to do with that awkward statutory construct. In this case, some of the defendants’ activity at issue would not be related to the AG’s guidance.

The court continues:

When evaluating Californians’ reasonable expectations of privacy, the CCPA’s provisions are highly relevant “customs, practices, and circumstances,” because they provide Californians with the reasonable expectation that they will have some control over their data and necessarily shape users’ expectations about their ability to opt out of websites’ collection of data for profit.

Say what? The CCPA expressly precludes private rights of action for violations of its privacy provisions (there’s an unrelated limited private right of action for some data breaches). However, if courts will treat the CCPA’s statutory text as norm-shaping in a way that strengthens common law privacy claims, the CCPA’s text nevertheless facilitates a private right of action workaround despite its clear and contrary statutory intent. Nice.

Some courts have already been mangling the CCPA’s data breach private right of action to apply to any data disclosures, not just those we’d consider to be a result of a “breach.” Now, if the CCPA further turbocharges common law-based private rights of action, plaintiffs are getting an expanding toolkit of options to bypass the CCPA’s clear, express, and very-much-intended prohibition on private rights of action.

To be fair, I don’t think the court needs the CCPA’s norm-setting to establish the problems with asking users for their cookie preferences and then (allegedly) disregarding those instructions. If the website says X and then does not-X, consumers have a pretty reasonable expectation of X–no need for any statutory backup to legitimize that expectation. At the same time, I think of cases, like the old In re JetBlue case, where there’s a “no harm/no foul” realpolitik outcome when a privacy violation is inconsequential. If the plaintiffs don’t like a website’s data collection, but suffer no adverse consequence from it, what are we even doing?

Case Citation: Shah v. MyFitnessPal, Inc., 2026 WL 216334 (N.D. Cal. Jan. 27, 2026)

Because this case involves both the CCPA and CPRA, I might as well include the CPRA meme too:

Prior CCPA/CPRA Posts

The post California’s Consumer Privacy Act (CCPA) Assists a Private Right of Action–Shah v. MyFitnessPal appeared first on Technology & Marketing Law Blog.

The Sixth Circuit Wades Into Online TOS Formation (and Leaves Me More Confused Than Ever)–Dahdah v. LowerMyBills

Eric Goldman — Thu, 12 Feb 2026 23:40:25 +0000

TL;DR: The court provides this overview:

LowerMyBills.com refers internet users who are interested in refinancing their home mortgages to affiliated lending partners, including Rocket Mortgage. The website tells users that they will agree to its hyperlinked “Terms of Use”—including a mandatory arbitration provision—if they click on a particular button. Michael Dahdah visited this website three times, inputted his information, and clicked the critical buttons. LowerMyBills referred him to Rocket. When Dahdah later received calls from Rocket that he did not want, he sued the company in federal court. Rocket responded by invoking LowerMyBills’ arbitration provision. But the district court held that Dahdah’s “click” did not create an enforceable agreement. We disagree. Under the significant body of circuit precedent interpreting California law, LowerMyBills gave Dahdah sufficiently conspicuous notice that he would accept the proposed terms by clicking the button. So his decision to take this action qualified as a valid “acceptance” of LowerMyBills’ “offer” to contract. The district court thus should have granted Rocket’s motion to compel arbitration.

* * *

Let’s dig into the details, starting with the relevant screens. The plaintiff went to LowerMyBills’ site and requested information about mortgages. The court focuses on the following two screens (the fourth and fifth pages in a 5-page sequence). A screenshot of the bottom of the fourth screen:

A screenshot of the bottom of the fifth screen:

[By redacting the screenshots to only show the page bottoms, the court removed the TOS formation process from the full context. This supports the court’s pro-formation bias by making the pages look simpler than they actually were.]

As you can see, these screenshots look like pretty standard “sign-in-wraps.” The court characterizes them as “a hybrid offer (not a clickwrap or browsewrap offer).” The court prefers the hybrid language because the same methodology applies to sign-in-wraps and other formation processes that aren’t clickwrap/scrollwraps or browsewraps. The court rejects the plaintiff’s argument that this was a browsewrap:

Browsewrap offers seek to create contracts when users simply browse a webpage (hence, their name). LowerMyBills did not propose that type of offer. It required users to take a specific step to accept its offer: click the relevant buttons.

The Sixth Circuit applies California law to these screenshots (both parties agreed on that choice), which is a little dicey because the Sixth Circuit isn’t a repeat player with California TOS formation law. As an example, the Sixth Circuit completely ignores the Godun decision even though I think Chabolla and Godun can’t be understood without reference to the other.

[Personnel notes:

The opinion was written by a TAFS judge (TAFS = Trump-Appointed Federalist Society). TAFS judges’ opinions routinely are distinctive compared to non-TAFS opinions (not necessarily in a good way). I thought this opinion was disorganized (my blog post merges related topics that were confusingly addressed in disjointed locations throughout the opinion) and overrelied on cherrypicked precedent (a hallmark of TAFS opinions).
For a court applying California law outside of California, it was conspicuous that none of the lawyers listed on the opinion caption are based in California…]

The Court’s Description of TOS Formation Law

The Wrap Taxonomy

“any reasonable person would conclude that so-called scrollwrap or clickwrap offers objectively convey the website operator’s “manifestation of [a] willingness to enter into a bargain” with website users”
“So-called browsewrap proposals fall on “the other end” of potential offers….courts often hold that these offers cannot create valid agreements because they leave users “unaware” that the operator has even proposed an offer”
“many proposals fall in between these extremes. These “hybrid” offers (what some courts have called “sign-in wrap” offers) present the trickiest cases.”

Sign-In Wrap (“Hybrid”) Requirements

In determining if an offer is reasonably conspicuous, this court asks Four Questions (no, not those questions):

Q1: “Did the website display the offer on an “uncluttered” page, or on a page filled with items that will “draw the user’s attention away from” the proposal?” “Simple streamlined designs” are more likely enforceable than “a page with lots of distractions.”

Q2: “Did the website operator place the proposed offer close to—or away from—the button that a user must click to signal the user’s acceptance of the proposal?” The closer the offer is to the action button, the more conspicuous it is.

Q3: “Did the website operator use a font size or color that would draw attention to the proposal?” The court says that it’s more likely conspicuous when sites use “a larger font or at least colored hyperlinks.” This is not a faithful characterization of Chabolla/Godun, which had exacting requirements for both fonts AND hyperlink presentations. It’s telling that the court favorably cites Selden v. Airbnb, a DC Circuit case (i.e., not a California case) that predates Chabolla/Godun, to support its summary rather than any Ninth Circuit case.

Q4: “Did the website operator and users engage in the kind of interaction that one would expect to include contractual terms?” Users expect terms with continuing relationships and not for one-off interactions.

These Four Questions are similar–but not identical–to the Ninth Circuit standards. Here’s how I summarize those standards in my Internet Law course:

Who Decides

The court says that if the facts about what happened aren’t in dispute, the court can rule on the formation process as a matter of law rather than send the formation question to the jury.

Application to This Case

Reasonably Conspicuous Notice

The court says the conspicuousness of the notice is a “close question.” Here’s why the court concludes that the notice was reasonably conspicuous:

the proposal on the fourth page followed a “simple design” that did not contain much clutter (other than a logo for Quicken Loans as the “Featured Provider”). Selden, 4 F.4th at 156. [Reminder: Selden is a DC Circuit opinion that predates Chabolla/Godun] In this respect, then, this page resembles the simple sign-up pages for Uber or Airbnb. And it differs from Fluent’s webpages in Berman, which contained other eye-catching images and information. Admittedly, the fifth page had far more terms than the fourth page. It also identified Dahdah’s consent to the specific “Terms of Use” in the second of four paragraphs of details. But we view this page as serving a belt-and-suspenders role for the fourth page’s proposal. And we resolve this case based on the notice that consumers would have received across the pages in combination….

LowerMyBills placed the proposal “directly” “below the action button” on each of the pages. And it used a “dynamic scrolling function” in which these pages automatically scrolled down as users inputted information in the boxes. So users would always see the offer on the same screen as the action buttons.

The plaintiff pointed out that the 5-screen formation process was confusing because the prior screens had a similar “calculate” button without terms. The court says that multi-screen processes are OK, noting that Uber’s process had two screens. But I also note (which the court didn’t) that Chabolla said: “three faulty notices do not equal a proper one.” I think the court would say that the fourth and fifth screens are each independently sufficient, but I wanted to see more thoughtful discussion about how the multiple screens reinforce or conflict with each other.

The court notes that LowerMyBills used a “very small font,” which calls it “a legitimate concern.” As I teach my students, the offer language should never be in the smallest font on the page. In Chabolla, a TOS formation failed in part because the offer language’s font was “notably timid in both size and color” (a critique that could apply here). In response, the court cherrypicks the precedent and says that the font size might be comparable to the font sizes used by Uber or LiveNation (both are pre-Chabolla cases, and Uber is a 2nd Circuit case). Also, the hyperlink was in “bright blue” on a white background, so “LowerMyBills did not hide the critical hyperlink using the same font color as the other text.” (The Ninth Circuit would treat a different font color for the links as mandatory, not a plus factor).

The court also struggles with whether the interactions with LowerMyBills was a one-off or ongoing relationship given that they were largely acting as a referral service (the court says this is also a close call). The court makes this empirical claim without a scintilla of empirical support: “reasonable users also would expect that the free referral service comes with some contractual strings attached….given that the site matches users with potential lenders, we cannot say the objective user would fail to anticipate some sort of continuing relationship.” [Insert goose meme: relationship with WHO?]

The court says that it’s OK the offer language was below the action button rather than above because “Other courts have enforced these offers when placed below rather than above the button that signaled the user’s assent.”

Manifestation of Assent

The court says concluding “that Dahdah took actions showing his assent to LowerMyBills’ offer becomes “straightforward” once we conclude that the offer was reasonably conspicuous.” The plaintiff clicked on the green “calculate” and “calculate your free results” buttons.

The plaintiff weakly attacked the call-to-action language, which lets the court skirt any serious analysis. But look back at the text: it says “by clicking the button above,” which we could assume refers to the green button right above that text. But there are surely other “buttons” on the screen above the text (remember, the court clipped the screenshot, improperly IMO), which would make the cross-reference ambiguous. If there are more “buttons” “above,” what should have happened?

Also, the Chabolla opinion rejected a TOS formation when the offer language said “by signing up” and the action button said “continue.” Would it matter to Chabolla that the offer language didn’t precisely describe the action button?

Arbitration Terms

The court acknowledges that LowerMyBills’ TOS was silent on many key provisions about the arbitration, such as selecting an arbitration service. However, the provision says that the Federal Arbitration Act applies, and the court says that’s good enough to gap-fill all missing arbitration terms.

Implications

Would this case have turned out differently if it had actually been in a California court? I believe Chabolla and Godun changed a lot about TOS formation, and this court mostly disregarded those cases to rely on pre-Chabolla cases, some of them from courts outside California. So, I believe this ruling is not consistent with California courts. But really, who knows? TOS formation remains another Calvinball area of Internet law.

To be fair, LowerMyBills’ TOS formation process might not be condemnable despite their sloppiness. Obviously it could be easily improved (2 clicks, please), but it’s pretty consistent with the old standards for TOS formation. However, I think it’s disingenuous to treat this opinion as consistent with California law without wrestling more thoughtfully with the effects of Chabolla and Godun.

Case Citation: Dahdah v. Rocket Mortgage, LLC, 2026 WL 194455 (6th Cir. Jan. 26, 2026)

The post The Sixth Circuit Wades Into Online TOS Formation (and Leaves Me More Confused Than Ever)–Dahdah v. LowerMyBills appeared first on Technology & Marketing Law Blog.

The Ninth Circuit Wrecked Internet Jurisdiction Law…And For What?–Briskin v. Shopify

Eric Goldman — Tue, 27 Jan 2026 15:19:03 +0000

I added the Ninth Circuit Briskin v. Shopify en banc ruling to my 2025 Internet Law casebook, and I taught it for the first time in Fall 2025. Wow, that did not go well at all. The opinion is absolutely unteachable. Here are some of the questions I highlighted in class that I couldn’t answer:

How did Shopify “know” that web browsers were in CA?
Did Shopify “know” CA law restricted its conduct? [flag this point in particular]
Is there a difference between aiming everywhere and aiming nowhere?
Is Briskin consistent with Zippo?
How can Shopify avoid jurisdiction in CA?

Maybe someday we’ll get a teachable Internet jurisdiction case, but not today.

Because the opinion is a mess, I will be further reducing my coverage of the Internet jurisdiction topic in my Fall 2026 Internet Law course until I get better teaching tools. In the interim, I will keep emphasizing my Calvinball meme slide.

* * *

Here is the big takeaway holding from the Ninth Circuit’s Briskin ruling: “Shopify expressly aimed its conduct at California through its extraction, maintenance, and commercial distribution of the California consumers’ personal data in violation of California laws.”

But…what if Shopify never violated California law at all? On remand, that’s exactly what the court said. In other words, the Ninth Circuit credulously accepted the plaintiff’s allegations, but now we find out the allegations were false. Does California still have jurisdiction in this case??? ¯\_(ツ)_/¯

* * *

Shopify provides backend merchant services to online retailers. In this case, the plaintiff claims he purchased fitness apparel from IABMFG, with Shopify as the backend e-commerce provider. “Plaintiff alleges that he, like other consumers, was uninformed of [Shopify’s] involvement in the transaction, and without consent, defendants collected his sensitive private information, including full name, address, email address, credit card number, IP address, the items purchased, and geolocation.”

Crappy Pleadings

The plaintiff transacted with IABMFG in 2019, but he says he learned about Shopify’s allegedly shady privacy practices only in 2021. He then assumed Shopify’s 2021 practices were in place in 2019, but the complaint didn’t present any evidence to support that assumption:

The issue is not that plaintiff obtained factual support about Shopify’s 2019 conduct and then waited too long to file a complaint, the issue is that plaintiff has still not provided adequate factual support that the conduct disclosed in 2021 actually took place in 2019 as well. Accordingly, all of plaintiffs’ claims must be dismissed for want of factual support

Reminder: the Ninth Circuit found the plaintiffs’ allegations credible enough to justify breaking Internet jurisdiction law.

Shopify’s Lack of Intent

“Shopify’s policies required merchants to obtain consent for Shopify’s access.” Whether or not the merchant honored this requirement, the court says that the policies demonstrate that Shopify didn’t willfully listen into the conversation between the retailer and plaintiff. This lack of intent negates the state wiretapping, common law privacy, and computer crime claims.

So, to recap: the plaintiff’s claims all failed because the complaint assumed the key facts about Shopify’s conduct; and several claims ALSO failed for lack of Shopify’s intent. Great job, Ninth Circuit.

The court provides some additional guidance for the amended complaints, some points of which are a little more plaintiff-favorable:

The wiretap claim can’t be dismissed on the grounds that Shopify was just a service provider.
Credit card information isn’t “record information” and is capable of being intercepted. However, the court questions if Shopify intercepted that information while in transit.
The court says that Shopify isn’t eavesdropping equipment.
The court couldn’t decide yet if Shopify’s behavior was “highly offensive” for the common law privacy claims.
The state computer crimes trespass claim can be supported on the theory that the plaintiff suffered actual damages when he seeks disgorgement of his personal information.

We’ll see if the plaintiff can turn this case around with an amended complaint. For now, the collapse of the case on remand sharpens my skepticism about the Ninth Circuit’s acquiescence in its jurisdictional ruling.

Case Citation: Briskin v. Shopify Inc., 2026 WL 161441 (N.D. Cal. Jan. 21, 2026). CourtListener page.

The post The Ninth Circuit Wrecked Internet Jurisdiction Law…And For What?–Briskin v. Shopify appeared first on Technology & Marketing Law Blog.

AT&T Blocks T-Mobile’s Data Portability Efforts (Guest Blog Post)

Eric Goldman — Fri, 09 Jan 2026 18:09:32 +0000

Created by ChatGPT Dec. 2025

By guest blogger Kieran McCarthy

If you have ever wondered why big incumbents keep running to the Northern District of Texas the moment someone builds a tool that makes switching easier, comparing prices easier, or generally makes the internet work like the internet, AT&T Services, Inc. v. T-Mobile US Inc. should help you understand why.

On December 18, 2025, Judge Karen Gren Scholer entered a temporary restraining order blocking T-Mobile from implementing the original “Easy Switch” feature in its T-Life app, and blocking “any substantially similar version” that “accesses or obtains” information from AT&T’s “protected computer systems,” unless T-Mobile gets permission of the Court.

This opinion builds on the case law the N.D. Tex has been generating for years in the Southwest Airlines “don’t you dare build a useful layer on top of our website” cases.

The facts of the case are pretty simple. T-Mobile marketed a feature that let customers log into their current carrier account (AT&T or Verizon) and pull information to help them compare plans and switch. Customers made the decision to switch, and T-Mobile, for obvious reasons, automated the process. The horror!

AT&T sued, saying this was not “customer convenience.” It was unauthorized automated access and scraping of data from password-protected AT&T pages, with allegations of repeated bypassing of AT&T’s blocks, and “over 100” fields of customer data per user.

Over 100 fields? Dang! That’s, like, so many fields! And I suppose there are a few different lenses through which one could analyze that fact. One approach might be to say that automating a process with over 100 fields might be precisely the kind of thing that makes the internet useful, and that saves everyone time, money, and mental headaches.

Another way to view this fact is as evidence of “soooooo much computer fraud” even when T-Mobile is simply automating a process that consumers are choosing to automate. But that is how things work in the Northern District of Texas.

By the time the TRO issued, T-Mobile had already changed the tool so AT&T and Verizon customers could upload a bill PDF or manually enter information.

The court found AT&T likely to succeed because the Easy Switch tool, and its iterations before the November 26 change to PDF upload, accessed AT&T’s systems without authorization, pulled “over 100 fields” of customer data, and transmitted the data back to T-Mobile. It also found irreparable harm to AT&T’s control over its systems and data, plus reputation, goodwill and ‘customer privacy,’ without any inclination to grapple with the awkward fact that the customers were the ones asking to move their own information around. How the court concluded that customer privacy was at issue when the customers themselves initiated the switch .

Even though T-Mobile deactivated the challenged version, the court found the threat remained because T-Mobile wanted to retain the ability to use something “very similar” later.

T-Mobile is enjoined from implementing the original version or any “substantially similar” version, and “substantially similar” is defined basically as anything that accesses or obtains information from AT&T’s protected systems.

Perhaps, learned reader, you might be wondering if there was any discussion of user empowerment, lower lock-in costs, increased innovation and competition, added product development, interoperability, improved price discovery, or any other known policy benefits associated with data portability in the policy section of the TRO?

No. There was not. This is the entire policy discussion of the opinion: “This temporary restraining order will serve the public interest. The enforcement of state and federal laws serves the public interest.”

See how easy this judging stuff is?

To be clear, this is not a case where you would expect someone like T-Mobile to prevail in Texas. But the lack of analysis or consideration for the broader issues at stake is always a bit startling. A big incumbent takes a dispute that is at least partly about competition and consumer switching, recasts it as “computer trespass,” and asks a court to shut the product down quickly. And the N.D. Texas always obliges, especially when the plaintiff is a household-name company with a website and Terms of Use, and the defendant is building a tool that rides on top of it.

That posture matters historically because it reflects an early willingness to treat “automation + Terms + notice” as a path into computer-access liability, even when what is being accessed is, functionally, consumer-facing information.

AT&T’s complaint is explicit that this case is “not about competition for customers,” but about “unauthorized” intrusion into its systems, using automated bots “disguised as an AT&T customer,” scraping “over 100 categories” of data, and bypassing AT&T’s security measures. And that is what is what I like to call “bullshit.”

Either way, the N.D. Texas proves once again why it is the preferred venue and forum for those looking to build walled gardens.

* * *

Interestingly, Texas does have a mandatory data portability law, the TDPSA, or the Texas Data Privacy and Security Act. But the reality is that these laws have very little utility for consumers.

A portability right on paper like the TDPSA is little more than a slow and functionally useless export option. The reality is that laws like this don’t help consumers move with their data.

For one, TDPSA only mandates that companies return the “data you provided,” not the data you actually need to switch. Second, the time, frequency, and authentication friction make it useless for “I want to switch today.” Under TDPSA, controllers generally have up to 45 days (plus a possible 45-day extension) to respond. Waiting 45-90 days for data is so unhelpful that most consumers don’t see any value in requesting it. Next, a .pdf copy of data does not equal “interoperable.” Without shared schemas, APIs, and validation rules, the receiving service cannot reliably ingest the data—and certainly not at scale.

In a case like this one, the consumer-facing promise is “we’ll read your bill and account and recommend the right plan fast.” A statutory portability right typically gives you a dataset, not the transformation, normalization, and comparison workflow that makes switching easy. And when a competitor tries to fill that gap by automating access into the incumbent’s systems, you collide with the CFAA, terms of service, and state computer access statutes (exactly what the TRO discusses). Which is why, without meaningful analysis of the real value of automation for consumers in cases like this one, mandatory portability statutes are functionally useless for consumers.

[Eric’s comment: data portability mandates are generally quite popular, at least in academic circles. But I haven’t seen any evidence indicating that the mandates actually improve anything for anyone. I welcome pointers to academic studies on this topic.]

The post AT&T Blocks T-Mobile’s Data Portability Efforts (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

2025 Internet Law Year-in-Review

Eric Goldman — Tue, 06 Jan 2026 19:29:34 +0000

2025 is the Trump 2.0 era, so you won’t find much upbeat news in this Internet Law year-in-review.

10. Are Websites Legally Equivalent to Exploding Coke Bottles?

Traditionally, tort law distinguishes between tangible items (chattels) and intangible services. Several doctrines impose additional liability for chattels, such as strict products liability and specialized forms of negligence.

Plaintiffs are trying to extend these chattel-based tort doctrines to intangible activities like publishing content. This raises the venerable Internet Law exceptionalism question: when should physical-space laws extend to online activity? In other words, is a user-generated content website the legal equivalent of an exploding Coke bottle?

In 2025, more lower-court judges applied strict liability and negligence doctrines to social media. It remains to be seen if these opinions will be upheld on appeal. Meanwhile, emboldened plaintiffs are now proliferating chattel-based theories against other online content publishers, including Generative AI model-makers and videogames.

9. A Swiss-Cheesed Section 230 Survived 2025

Section 230 survived 2025, and it will likely reach its 30th birthday. But will it survive beyond that? Section 230 looks more like Logan’s Run than Yoda.

Several Section 230 repeal bills are pending. Why tho? Section 230 is already shrinking and being swiss-cheesed even if Congress does nothing.

In particular, Section 230 took major hits last year in the Calise and YOLO opinions, which encouraged courts to create a virtually infinite number of common law exceptions to Section 230. This year, Doe v. Twitter added two new 230 exceptions for alleged breaches of a “reporting mechanism architecture” duty and NCMEC reporting.

8. TOS Formation Is More Difficult in the Ninth Circuit

The Ninth Circuit dramatically raised the bar on online TOS formation law in Chabolla and Godun. Together, these rulings provide several more reasons for courts to reject TOS formation. View all pre-Chabolla rulings upholding TOS formation with suspicion. And if you haven’t reassessed your TOS formation process after Chabolla and Godun, why not?

7. The SAD Scheme Takes Some Huge Hits

Prof. Fackrell posted a 2025 SAD Scheme year-in-review. Two standouts:

Judge Kness said the SAD Scheme “should no longer be perpetuated in its present form.”
Judge Ranjan (WDPa) and the District of New Jersey functionally banned the SAD Scheme in their courts.

6. Silicon Valley Execs Embrace Trump

Traditionally, Silicon Valley entrepreneurs have viewed regulators with suspicion and preferred technology solutions over legal ones. That stereotype is partially outdated. Many Silicon Valley leaders–such as Musk, Zuckerberg, Ellison, Benioff, and toss in Bezos for good measure–have enthusiastically embraced crony capitalism and anticipatory compliance with MAGA expectations (when it personally benefits them). [See also “How the Bay Area’s tech billionaires behaved in 2025.”] The oligarchs’ subservience to Trump diverges from mainstream Silicon Valley views, but those with the gold make the rules.

5. Internet Censorship Rolls Out Globally

2025 global censorship lowlights include the UK Online Safety Act and Australia’s ban of under-16s from social media. We are well-past the high water mark of online free speech globally.

4. New Notice-and-Takedown Scheme for “Visual Intimate Depictions”

The Take It Down Act combines CSAM, non-synthetic non-consensual pornography, synthetic AI-generated pornography, and other “visual intimate depictions” into a single regulated content category. This lazy drafting ensures that the law confusingly overlaps and supplements existing law–and regulates constitutionally protected content.

The law creates a new notice-and-takedown scheme for intimate visual images (this mechanism goes into effect this summer). Services must resolve all of the following issues within 48 hours of receiving each takedown notice about intimate visual depictions:

Can the service find the targeted item?
Is anyone identifiable in the targeted item?
Is the person submitting the takedown notice identifiable in the targeted item?
Does the targeted item contain an intimate visual depiction of the submitter?
Did the submitting person consent to the depiction?
Is the depiction otherwise subject to some privilege? (For example, the First Amendment)
Can the service find other copies of the targeted item?
[repeat each step for each duplicate. Note the copies may be subject to a different conclusion; for example, a copy may be in a different context, like embedded in a larger item of content (e.g., a still image in a documentary) where the analysis might be different]

As you can imagine, this process will lead to many unwarranted removals, especially after vigilantes and trolls start weaponizing the process.

3. Can Anything Stop the Tidal Wave of AI Regulations?

State legislatures are in a regulatory frenzy over Generative AI. In response, Congressional Republicans unsuccessfully proposed a moratorium on state AI laws. When that failed, Trump issued a performative executive order discouraging some state AI laws.

Eventually, the Supreme Court will decide if Generative AI outputs qualify for First Amendment protection. If so, many of the state AI regulations are unconstitutional. If not, Generative AI is doomed.

2. The TikTok Divest-or-Ban Calvinball

In January, the Supreme Court upheld Congress’ TikTok divest-or-ban law. Shortly thereafter, the TikTok divest-or-ban deadline arrived on Biden’s last day in office. He took no action. President Trump then unilaterally extended the deadline without satisfying the statutory preconditions for an extension. Trump has since purportedly issued several more extensions without any statutory authority to do so. Trump also (without any authority to do so) had the DOJ tell app stores to keep TikTok available despite the law.

As a result, an undivested TikTok has remained publicly available throughout 2025 despite Congress’ ban. This outcome mocked the Supreme Court and Congress:

The Supreme Court accepted Congress’ pretextual claims that TikTok threatened national security and consumer privacy. Trump’s defiance exposed that no one, including Congress, actually cared about these purported harms.
Congress passively watched Trump disregard a valid enacted and alleged constitutional law.

Also, Congress intended the divest/ban to combat Chinese authoritarianism, but it actually facilitated Trump’s domestic authoritarianism. Trump used the law to broker a kleptocratic divestment to his buddies who will keep TikTok’s algorithm friendly to Trump.

I teach the TikTok ban in week 1 of my Internet Law course as Exhibit A of how Internet Law is Calvinball.

1. Supreme Court Upholds Mandatory Online Age Authentication (FSC v. Paxton)

I was wrapping up a 2-week China trip when the Supreme Court issued its opinion in Free Speech Coalition v. Paxton. I was eager to return to a country that has a First Amendment–so I could access most websites without a VPN; I wouldn’t have to show my passport to enter every museum; and I could freely criticize the government without fearing for my liberty. And then the Supreme Court’s FSC v. Paxton opinion made me question everything.

As just one example of the court’s wrecking ball to American principles: the majority adopted intermediate scrutiny to evaluate the law, even though neither party argued for that standard, and then the court analyzed intermediate scrutiny without giving either side the chance to argue the standard. Pure Calvinball.

By overturning 30-year-old precedent, the opinion newly opened the floodgates on mandatory online age authentication. The majority opinion claimed it was limited to children’s access to online pornography, but the opinion repeatedly and gratuitously went much further. Emboldened regulators around the country are proliferating age authentication mandates on a diverse range of topics. The constitutional battles over those laws will rage for years. Here’s a roundup of NetChoice’s 2025 efforts.

Regardless of how the legal battles turn out, Internet publishers are already deploying age authentication solutions to manage their legal risks, and they won’t be quick to rip out these implementations. Thus, the FSC opinion let the age authentication genie out of the bottle, and it will never go back in–regardless of what the courts or the Constitution say in the future.

FSC v. Paxton has locked us into an age-authenticated Internet, very different from the one we have today, with less privacy and security, less free speech, less content, and less resiliency. Everyone will be poorer for it.

Well, almost everyone. The censors are giddy–as are the age authentication vendors, who celebrating their good fortune with a black tie industry awards gala. See you there.

(Dis)Honorable Mentions

Other 2025 items of note:

The first batch of district court rulings regarding copyright and Generative AI have been a mixed bag. A few courts have rejected copyright claims over training data, except when the source files were obtained via file sharing. We’ll see how these opinions fare on appeal. Amidst this uncertainty, Anthropic agreed to a massive $1.5B settlement.
The Meta Pixels cases keep chugging along. There are now hundreds of rulings in Westlaw, and the plaintiffs are doubling-down against other unique identifiers. However, the pixel cases aren’t always doing well on appeal. Could the Meta Pixel litigation frenzy flame out when the appellate court speak up?
The US State Department has threatened to ban content moderators and actually banned five Europeans associated with the DSA. US government censorship will continue until free speech improves.
Many people have celebrated the GDPR as the gold standard of global privacy laws. But…it’s also stifling the EU and needs reworking (e.g., 1, 2).
It’s the 5 year anniversary of Meta’s Oversight Board. How’s that been working out?
It’s also the 5 year anniversary of the Copyright Claims Board. How’s that been working out? Reminder: Congress created the Copyright Claims Board in December 2020, when perhaps it should have had other priorities.

* * *

Previous year-in-review lists from 2024, 2023, 2022, 2021, 2020, 2019, 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, and 2006. John Ottaviani and I previously listed the top Internet IP cases for 2005, 2004 and 2003.

* * *

Generated by ChatGPT Oct. 2025

My publications in 2025:

The post 2025 Internet Law Year-in-Review appeared first on Technology & Marketing Law Blog.