This is the fourth blog post in a series about Section 230 of the Communications Decency Act. You can view the full series here.
Section 230 plays an important role in allowing sites with user-generated content to operate in general–since it shields them from most liability for third-party speech–while giving them the ability to moderate their platforms as they see fit. This is a complex and contentious debate, and while Public Knowledge does support moderate reforms to 230–even as it relates to speech itself–we nevertheless count ourselves among its supporters.
However the broad language of Section 230 should not be interpreted in a way that gives platforms that host third-party content a special exemption from laws that apply to businesses generally, or creates an exemption from the kinds of health, safety, public interest, and economic regulation that governments at every level—from federal agencies to municipalities–engage in. To be clear at the outset, this does not mean that any and all regulations a government may want to enforce are good ideas. Some of them might be. Others might be terrible. The point is that 230 shouldn’t be read in a way that rules them out.
That is not to say that the legal arguments that Section 230 does, in fact, preclude some kinds of regulation of online services are trivial. They’re not. Judges have been skeptical of arguments that seek to get around Section 230 in clever ways when it seems like people are just looking for a way to directly impose liability for speech in exactly the ways that Section 230 prohibits. You could easily extend the same logic to policies that impose liability on or otherwise regulate online services, to the extent that there is some indirect effect on third-party content. All I want to argue here is, first, it is not necessary to read 230 in this way, and second, if 230 is interpreted as a broad charter of deregulation for online services, the predictable political response would be for it to be repealed, or statutorily curbed in a way that harms its speech-promoting function. If you love Section 230 you should want it to have clear boundaries.
230 Protects Speech, Not Business Models: HomeAway v. Santa Monica
The clearest boundary that it should have–and this covers almost every specific instance discussed in this post–is that while 230 provides a shield for a platform hosting speech, it does not shield every action that a platform takes in connection with speech.
Here is a recent example: Santa Monica passed an ordinance forbidding short term rental and house sharing services like Airbnb from booking rentals for people who are not permitted to rent out their premises under Santa Monica law. No one questions that Santa Monica has the authority to pass an ordinance about who can and who cannot rent their properties using these services. The question is to what extent the city can require that services like Airbnb can help make such laws enforceable. Airbnb is, of course, not just a bulletin board system. Users put up their listings, but then Airbnb completes the financial transaction–keeping a small percentage for itself, of course. The Santa Monica ordinance does not directly tell Airbnb what content users are allowed to post–it attaches liability to the related financial transaction. Airbnb and many others (including former Representative Chris Cox, one of Section 230’s primary architects) argued that this created an obligation for Airbnb to monitor user-submitted posts and take down the ones where, if Airbnb processed the related transaction, it would be in violation of the ordinance.
But in HomeAway v. Santa Monica, both the federal district court and the Ninth Circuit Court of Appeals disagreed. The ordinance does not force Airbnb to take down anything. It could, for instance, take away the ability for users to directly book all, or simply the unlawful Santa Monica rentals on its platform, instead providing a mechanism for users to contact each other. This is how Craigslist works, after all. Clearly this is not its business model and it might prefer to simply block all Santa Monica rentals rather than screen out which ones are allowed from which are not, or to provide service to Santa Monica at a loss. But those choices are Airbnb’s to make–Santa Monica did not impose any of them. Section 230 continues to shield Airbnb for liability as a publisher or speaker of the listings it hosts, but that does not mean that it is entitled to the business model of its choice.
230 Does Not Conflict with COPPA: FTC v. YouTube
A similar dynamic is at play with the Federal Trade Commission’s recent settlement with YouTube over COPPA violations. COPPA—The Children’s Online Privacy Protection Act—puts restrictions on whether and how online services can collect data about children under 13. It applies to any “operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child.”
This section is a little heavy on legalese—apologies for that. The basic point is that regulating a site’s data collection activities is not directly making it liable for user content. The rest is just details.
One thing to keep in mind about COPPA is that sites can’t just wave it away. A site will be found to be “directed to children” based on objective factors based on the nature of the content on the site–it can’t just put up an easily bypassed “age gate” or declare in its terms of service that it’s not for kids. Neither is there an exception for user-generated content. (The FTC provides guidance about what “actual knowledge” means as well, and “age gates” are primarily useful for sites that are in part directed toward children, but where children are not the primary audience.) Thus YouTube being subject to COPPA in the first place isn’t very difficult to establish.
This is relevant to Section 230 because, while YouTube has lots of child-directed content, the vast majority is posted by users, not created by YouTube itself. Thus it has been suggested that finding YouTube liable for COPPA violations is finding it liable for hosting third-party childrens’ content–that is, holding it liable as a publisher, which is not permissible under Section 230.
Of course COPPA was passed after the Communications Decency Act, and typically when two statutes seem to be in tension, you don’t read the latter statute as having impliedly amended the earlier one, but neither do you read the earlier statute as an implied limitation on the later one. Instead, judges and good lawyers try to find a way to read them so they don’t conflict. In this case it is straightforward to do so.
First, similarly to the situation with Airbnb, YouTube can comply with COPPA in a foolproof way by just not collecting data on its users. (Since just a “portion” of a website can be considered child-directed under COPPA, this doesn’t have to mean no data collection on YouTube at all, just no data collection for portions of YouTube, e.g. specific channels, that contain child-directed content.) Requirements on how YouTube can collect data are necessarily related to third-party content but they do not impose liability on YouTube as a publisher or speaker, just as how restrictions on Airbnb’s ability to complete transactions are related to user-submitted postings. In both cases the platform can continue to host the content in question but may have to change its business practices and other behaviors. But Congress did not guarantee to YouTube or any other business its free choice of business model.
Still, one could argue that data-collection of some kind is a “publisher” function in the context of the internet, or that liability under COPPA is just a species of publisher liability. Adopting this reading, however, puts COPPA and 230 into conflict, which is reason enough to avoid it. There are textual reasons to avoid it, as well: COPPA applies to “operators” of web sites and services, and “operators” are defined as anyone who operates a website or service “who collects or maintains personal information from or about [] users.” Even if some “operators” are publishers, not all publishers are “operators,” since not all publishers collect data on users. Additionally, not all operators are publishers, since COPPA applies to services that do not “publish content” as traditionally understood at all—such as an online calculator or database app that has “actual knowledge” of younger users. Because “operator” means something different than “publisher,” and is not a subset of “publisher,” and because it relates to data collection activities which are not, or are not exclusively “publisher” activities, it is difficult to maintain that COPPA creates the kinds of liability that 230 seeks to prevent.
Section 230 Does Not Affect Who is Considered a “Seller”: Oberdorf v. Amazon
Another situation that has arisen recently involves Amazon, which in Oberdorf v. Amazon was held liable as a retailer for a product sold on its marketplace by a third party. (This case is not over, and a recent panel decision may be overturned by the Third Circuit Court of Appeals en banc.) When a marketplace sells a product itself (for example, its own brands, or items it has purchased wholesale), it of course is subject to standard product liability rules. The question is whether, when a third party lists a product, can the online marketplace be liable for product defects? This is, or should be, distinct from holding it liable for third-party content itself, since the marketplace would be held liable for its own non-speech-related conduct, not for hosting third-party content per se. The question is when does it make sense to consider an online marketplace the “seller” of a good?
It is a challenging question to answer in the abstract because the facts of how different online marketplaces work can vary greatly. Craigslist is very different from Amazon. The facts can even vary on one marketplace. For example, Amazon might list a product and provide payment processing, but the seller ships the product itself. Or, Amazon might provide payment processing, stock (on consignment) the item itself in its warehouses, and handle the shipping. Additionally, the seller might create a unique product listing that makes it clear that it is the unique provider of a particular good. Or it might simply add itself as a new seller on an existing product listing created by Amazon or another seller.
There are other interesting policy issues here with respect to Amazon in particular. Amazon is said to sometimes pressure its suppliers into moving toward the consignment model, where it continues to stock and ship products but the seller technically retains title to them until they are sold. This model helps Amazon by keeping unsold inventory off its books and preventing it from paying anything upfront for its inventory. But is it fair to consumers that Amazon could be able to escape liability for defective or dangerous products through clever bookkeeping?
Here, the fundamental legal conflict between 230 and retailer liability should be easy to dispense with. A marketplace is a seller or not. If it is a seller, holding it liable as one does not conflict with 230’s requirement that it not be held liable as a publisher or speaker. It’s not being held liable for the product listing, assuming it was created by a third party, it’s being held liable for the act of selling, to which traditional retailer liability applies. As with the other cases discussed in this post, it can keep up whatever listings it likes if it changes its business practices such that it no longer qualifies as a “seller.” This all follows from distinguishing hosting content, which 230 protects, from particular ways of monetizing it, which it does not.
That doesn’t mean that determining when a marketplace actually is a seller is an easy question. Given the various ways that a marketplace can be structured, it isn’t. It seems pretty reasonable to say that when the only difference between a “third-party” product and one sold directly by the retailer itself is who owns the legal title, that the marketplace can fairly be considered a “seller.” At the same time, there are plenty of online marketplaces that are structured in a way where it is obvious to buyers that they are buying from a third party, such as Craigslist’s classifieds, or even eBay.
In Oberdorf v. Amazon, it’s actually somewhat tricky: Amazon did not stock the defective goods in question, but merely listed them and completed the credit card transaction. At the same time, the design of Amazon.com, unlike the design of eBay, puts multiple sellers (including Amazon itself) together on one listing, making it potentially more difficult for consumers to realize when they are buying from Amazon itself, and when from a third party. These are probably the kinds of fact-specific determinations that are best left to the courts to examine case by case, allowing the common law to develop and provide guidance both to future courts and platforms themselves.
I should note that there are alternative theories out there, such as recognizing that platforms have a duty to warn their users about dangers inherent with third-party transactions, or requiring that platforms make it easier for harmed parties to hold third parties accountable, e.g. with “know your customer” rules. Such requirements might even make sense for marketplaces that do not qualify as retailers.
However, the basic idea is that holding a platform liable as a “seller” does not conflict with Section 230. That doesn’t mean that online marketplaces always should be subject to such liability, just that Section 230, a law about promoting speech and allowing for content moderation, doesn’t have anything to say on the matter. Allowing state courts to figure out the contours of online marketplace liability seems like the right approach, rather than interpreting a federal law in a way that systematically advantages one kind of business model over another.
PLAN Act: Don’t Amend 230 for the Sake of Amending It
The above discussion shows why, properly construed, Section 230 does not need to be amended in ways that, for instance, the PLAN Act proposes. The PLAN Act carves out an exception to Section 230 to allow local governments to regulate Airbnb-type rentals. But the 9th Circuit in HomeAway demonstrated that Section 230 does not stand in the way of typical economic regulations, as long as they are not directly trying to restrict what sorts of content can be posted online. Under this view of Section 230, platforms are free to continue to host third-party content without liability, but policymakers may limit the ways they can monetize that content–for example, through privacy laws modeled on COPPA, or through limits on transactions associated with content (provided they do not relate to the actual economics of hosting content online, for example, hosting or registrar fees).
This is not to say that Section 230 is perfect as it is. But proposals to change it should make sense, and be worth the political fight. It’s not necessary to limit Section 230 in ways that it is already limited. If the HomeAway is not followed in other jurisdictions perhaps statutory reform is necessary to ensure a level playing field between online and offline business. But if so, it would make no sense to limit it to housing and rental issues (or at least not to housing and rental issues without considering issues of housing and rental discrimination and consumer protection). Instead, an approach that ensures that governments can enact economic regulations that affect platform business, just as they can regulate traditional businesses, could keep Section 230’s core–which is about speech, not business models–intact. (Reforms to Section 230’s core should not be off the table, either, but they should be narrowly targeted in a way that avoids either creating an incentive for platforms to over-moderate, or creating an incentive against moderation.)
Supporting Section 230 Means Acknowledging its Limits
I am concerned with the discourse around Section 230 in a number of ways. One of the primary threats, of course, is from people who don’t understand Section 230, who blame it for problems that largely don’t exist.
Another threat, however, comes from supporters of Section 230, who understand it very well, but whose defense of it could backfire. Lots of online services depend on Section 230 to be able to host third-party content at scale, and to moderate it as they see fit without incurring liability. This is the core of what Section 230 is supposed to protect. But if they or their lobbyists also argue that Section 230 protects their specific business model, insulates them from privacy laws, or in general exempts them from regulations that other businesses (online and off) have to comply with, the reaction from most policymakers won’t be to just accept it. They’ll change the law. And they might change it in ways that remove the core of Section 230–which would be bad.
And even when it comes to speech-related issues, supporters of Section 230 should acknowledge that, in specific areas, we need more responsibility from platforms than Section 230 currently requires. As Public Knowledge has previously suggested, perhaps platforms should have more responsibility for content they actively pay for. In certain sensitive areas, perhaps platforms should be required to follow industry best practices on moderation and removal. Otherwise, the risk is that Section 230 will be amended in broad ways (such as SESTA/FOSTA’s enactment of a “knowledge” standard that is ambiguous with respect to platforms) that harm the ability of users to use online tools to communicate and that risk over-moderation.
Section 230 is an important law, and the internet is much more central to commerce, culture, and communication than it was in 1996, when it was enacted. Policymakers (and judges!) when examining the law should look to the law’s core purpose and what it is meant to protect, and what is peripheral. By re-committing ourselves to the promise of the internet as an open, decentralized communications platform, we can understand what is important about Section 230 and where it can be improved.