Section 230 of the Communications Decency Act of 1996, 47 U.S.C.A. § 230, (CDA) provides online businesses a refuge from civil liability that could otherwise arise from content posted to a website, online blog or other social media platform by a third party. Specifically, § 230(c) of the CDA immunizes providers of interactive computer services against liability arising from content created by third parties, stating: “No provider … of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 U.S.C. § 230(c).
Many businesses seek shelter under this provision of the CDA for legitimate business purposes, such as a commentary section for product or service reviews, but other businesses exploit this immunity, such as revenge porn sites like yougotposted.com.
It is essential, however, that all businesses that conduct business online or that operate an online website understand that the CDA’s immunity provision is not always a safe harbor. Why? Because the CDA’s grant of immunity applies only if the interactive computer service provider is not also an “information content provider,” (ICP) which is defined as someone who is “responsible, in whole or in part, for the creation or development of” the offending content. 47 U.S.C.A. § 230(f)(3), emphasis added.
Under the CDA’s framework, a website operator can be both a service provider and a content provider: if the website operator passively displays content that is created entirely by third parties, then it is only a service provider with respect to that content. But as to content that it creates itself, or is “responsible, in whole or in part” for creating or developing, the website is also a content provider. Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, 521 F.3d 1157, 1167-1168, 36 Media L. Rep. 1545 (9th Cir. 2008).
In the Roommates.com case, the Ninth Circuit found that an online roommate locater website, roommates.com, was an ICP because, although much of the content was supplied by third-parties, the website required subscribers to provide information as a condition of accessing its service, and it provided a set of pre-populated answers. Thus, the Ninth Circuit found that defendant Roommates.com was “much more than a passive transmitter of information provided by others; it [was] the developer, at least in part, of that information.” And the CDA provides immunity only if the interactive computer service does not “creat[e] or develop[ ]” the information “in whole or in part.” As the Ninth Circuit stated, by any reasonable use of the English language, Roommate is “responsible” at least “in part” for each subscriber’s profile page, because every such page is a collaborative effort between Roommate and the subscriber.
Like the Ninth Circuit, federal courts in Maryland distinguish an interactive computer service provider or an Internet Service Provider (“ISP”) from an ICP upon the question of passivity. “State-law plaintiffs may hold liable a person who creates or develops unlawful content, but not the interactive computer service provider who merely enables that content to be posted online.” Hare v. Richie, 2012 U.S. Dist. LEXIS 122893 at 41 (D. Md. Aug. 29, 2012) (quoting Nemet Chevrolet v. Consumeraffairs.com, Inc., 591 F.3d 250, 254 (4th Cir. 2009)) (emphasis added). In general, courts consider “the ‘prototypical service qualifying for this statutory immunity” under the CDA to be something like “an online messaging board…on which Internet subscribers post comments and respond to comments posted by others.'” Id. at 43 (quoting FTC v. Accusearch, Inc., 570 F.3d 1187, 1195 (10th Cir. 2009)).
How can you determine if your business may face exposure as an ICP? You must consider the following questions:
• What is the level of collaboration and interactivity between your online business activities and the content posted by your users;
• Is your business a ‘prototypical’ ISP, such as an Internet message board;
• Does your business participate in the development of Internet content;
• Do you manage user activities online;
• Do you review and consult on content posted; and
• Do you generate profit from the content posted?
If the answer to any of the questions is yes, your business should consider how to minimize exposure. Cyber risk suits and other Internet-based litigation arising from defamation, business loss, IP claims, and other causes of action have exploded in the last few years. Any business operating online should seek the advice of an expert to protect the business and its customers and to prevent such suits before they happen. Clear, well-posted online use policies are a good start, but federal and state laws on cyber-risks and exposure for online actvities are complex and vary from jurisdiction to jurisdiction.