Website Provider Liability for User Content and Actions
By Cooley Godward’s Information Technology Group

Introduction. Many websites have found that developing an online "community" is crucial to obtaining their business objectives. As a result, user-generated content is ubiquitous online.

While user-generated content can facilitate a website’s objectives, it raises a host of thorny legal issues. Default legal rules may impose liability on websites for intellectual property infringement and other harms caused by their users, and a single bad user could cause liability ranging into the millions of dollars. There have now been over a dozen cases on the topic, some with sensible rulings and others raising the specter of effectively unlimited liability.

Websites planning to permit users to exchange content should implement a number of techniques to manage their potential risk. This article identifies some of the problems arising from permitting user-generated content on websites and provides a few general suggestions for managing the associated risks.

Sources of Liability. Below are a few of the most common legal issues websites encounter when permitting user-generated content.

1.         Intellectual Property Infringement.

A.        Copyright. Copyright law recognizes three types of liability: direct, contributory, and vicarious.

Direct Infringement

Direct infringement occurs when an infringer copies a copyrighted work. Direct liability is a strict liability offense, and thus does not require the infringer to know he or she is infringing. If direct infringement applies, a website provider would be liable if a user posts a copyrighted work that is subsequently downloaded or viewed by others.

Some courts held website providers directly liable for user-committed copyright infringement, while other courts rejected imposing direct liability as unduly harsh and instead analyzed infringement claims against website providers under contributory or vicarious liability.

This fall, Congress enacted the Digital Millennium Copyright Act (the "DMCA"). The DMCA contains a number of provisions purporting to limit website liability for user-committed copyright infringements. Most specifically, the DMCA has established some safe harbors for websites from direct infringement if the websites follow the statutory schemes. Among other things, eligibility requires the website to (a) adopt a provision in its user agreement regarding the termination of repeat infringers, (b) accommodate and not interfere with "standard" technical measures used by copyright owners to identify and protect copyrighted works, and (c) provide certain information regarding an agent for service of process both on its website and to the Copyright Office.

The DMCA also sets up a complicated scheme to permit websites to avoid liability for taking down allegedly infringing material. In general, to avoid liability, this scheme requires the website to notify the user about the complaint and then take certain actions based on the user’s response. We are not aware of any claim ever brought by a user against a website for taking down allegedly infringing material, so we are unclear of the benefit of this safe harbor. As a result of their dubious efficacy, websites might choose not to follow the complicated procedures.

Contributory Infringement

Contributory infringement occurs when a party knows of an infringing activity and substantially participates in that activity. While the existing cases have not definitively addressed when a website is contributorily infringing based on its users’ activities, the cases generally have suggested a notice-based liability standard. In other words, once a website receives notice that a user is committing infringement, the website will be deemed to be substantially participating in the infringement if it does not remove the infringement within a reasonable period of time. While the standards for notice historically have been murky, the DMCA clarified that the following elements are required to be a sufficient notice: (1) a signature, (2) identification of the work infringed (or if multiple works are infringed, a representative sample), (3) identification of the infringing work with sufficient information to permit the service provider to find it, (4) contact information of the notifier, (5) a statement that the notifier has a good faith belief that the use was not authorized, and (6 a statement that the information in the notice is accurate and, under penalty of perjury, that the notifier is authorized to act on behalf of the owner. A notice that does not substantially contain the foregoing probably can be ignored, unless the notice contains (2), (3) and (4), in which the website provider can ignore the notice only after contacting the notifier or taking other reasonable steps to try to get a conforming notice.

Of course, if a website actually knows of a particular infringement based on its practices, this knowledge will also trigger the duty to act. Thus, to minimize exposure for contributory copyright infringement, websites should (a) try to reduce actual knowledge of user-generated content by not monitoring their services, and (b) respond promptly to proper notices alleging that a user is committing copyright infringement.

The DMCA expressly carves out contributory infringement from the scope of its safe harbors. Thus, other than providing the standards for sufficient notice, the DMCA provides websites no relief from contributory copyright infringement.

Vicarious Infringement

Vicarious copyright infringement occurs when a party has the right and ability to control the infringer and reaps a direct financial benefit from the infringing activity. As a practical matter, many websites take the position that they have little or no ability to control their users. However, cases suggest that even nominal indicia of the right and ability to control users—such as a user agreement that contains subjective and arbitrary restrictions on users, or a pattern of disabling users’ accounts or yanking user content—could, when aggregated, lead to a finding that the website has the "right and ability to control" the infringing user.

Some cases have found "direct financial benefit" merely when parties charge flat fees for their services, even if these fees do not vary based on the amount of infringement committed by others. However, if these precedents are not followed, it is likely that a website will be deemed to have a direct financial benefit if its business model creates additional revenues as increased infringement occurs. This may occur when a website charges a transaction fee based on user activity (which includes situations where user activity is infringing) or when a website delivers advertisements on user content (which includes infringing content). In these circumstances, it is imperative that the website reduce all indicia of their right and ability to control their users—or else, regardless of their claim that it was not practical or possible to manage their users, the website may become vulnerable to claims, no matter how unjustified they may seem, for act of infringement committed by users.

The DMCA expressly carves out vicarious infringement from the scope of its safe harbors. Thus, the DMCA provides websites no relief from vicarious copyright infringement.

B.        Trademark. Trademark law prevents the use of trademarks of others in a manner that creates a likelihood of confusion about the source of goods or services or in a manner that dilutes the value of the trademark. As with copyright law, liability can be found for direct, contributory, or vicarious infringement.

Of these three types of liability, websites face the greatest risk that they may be contributorily infringing based on their users’ content. Contributory trademark infringement occurs when a party supplies a "product" (such as a web page) knowing that the "product" is being used to infringe a third party’s trademark. Thus, in this respect, contributory trademark infringement appears to have the same characteristics as contributory copyright infringement—actual knowledge or notice of infringement initiates a duty to cease further infringement or face liability.

2.         Defamation and Other "Publisher/Speaker" Torts. Section 230(c)(1) of the Communications Decency Act, passed in 1996, says "no provider or user of an interactive computer service shall be treated as a publisher or speaker of any information provided by another information content provider." To date, courts have treated this language as a nearly complete bar against liability for users’ defamatory postings.

While this statutory safe harbor has provided some welcome relief to websites, it is not a panacea. First, the safe harbor applies only to information "provided by another information content provider." Thus, information provided by employees and, perhaps, some independent contractors may still create liability. Second, the only claims courts have determined to be covered by the statute are defamation and certain conduct related to child pornography, and it is unclear whether other claims such as publicity or privacy rights violations would be covered by the statute. Intellectual property and federal criminal laws (including federal obscenity/child pornography claims) are not affected by the statute, and the words "publisher or speaker" have not been sufficiently interpreted to explain what other types of claims will be protected under the statute. Finally, the safe harbor applies only to "interactive computer services," a term which is not well-defined in the statute and which may not cover websites.

3/         Obscenity and Child Pornography. No cases specifically address website liability for user-generated obscenity or child pornography. Websites faced with state law obscenity or child pornography charges can argue that such claims qualify for immunity under §230(c), but this defense is not certain.

Further, the safe harbor in the Communications Decency Act (discussed above) expressly excludes federal criminal obscenity and child pornography laws from its safe harbor. Thus, websites could be liable for user-generated obscenity or child pornography in certain circumstances.

4.         Other Claims. Until the scope of the Communications Decency Act’s safe harbor is more fully understood, the range of potential claims against websites is impossible to define. If the safe harbor defense is not available, websites will need to develop other defenses, if they can, against claims for user-caused harms and attendant claims that the website knew of the harm and failed to take reasonable actions to prevent or remedy the harm.

Risk Management Suggestions. In light of the above analysis, Cooley Godward continues to believe that websites should take steps to avoid knowing their users’ activities and content and, in most cases, reduce indicia of their right and ability to control user behavior and content. Thus, we propose that websites consider the following recommendations:

·       Do Not Actively Monitor the Website. Active monitoring of the website will give the website actual or putative knowledge of user conduct and content. Thus, active monitoring creates the possibility that a website will be liable for all user-caused harms except those preempted by the Communications Decency Act’s safe harbor.

·       Consider Empowering Independent Contractors to Monitor the Website. Some websites believe that active monitoring is crucial to their business objectives. In these cases, the websites should have independent contractors do the monitoring. If done properly, the website will not be liable for the independent contractors’ monitoring or knowledge of user content. However, to ensure that the independent contractors will not be deemed agents of the website—in which case this risk management strategy will have failed—the independent contractors must be given the authority necessary to resolve problems they find.

·       Respond to Complaints. Although in general websites should minimize contact with user-generated content, if a website receives a legitimate complaint about user content (and, in the case of copyright infringement, the notice meets the statutory standards), it usually has a duty to respond promptly (unless the claim is preempted by the safe harbor in the Communications Decency Act).

·       Review and Update the User Agreement. Provisions enabling websites to blacklist subscribers or edit content based on subjective or arbitrary standards provide strong evidence of the site’s right and ability to control its users and their content. Thus, user agreements should only prohibit users from engaging in conduct that is illegal or tortious, or that interferes with the technological operation of the site. Further, Congress has specified certain language that should be in a user agreement: (1) to be eligible for the DMCA safe harbors, the user agreement must say that repeat infringers will be terminated, and (2) in a separate statute, Congress required "interactive computer services" to notify their users of the availability of filtering tools.

·       Train Employees. All employees who interact with the website can take legally significant actions that could undermine a risk management strategy. Thus, the website’s risk management strategy should be explained to all employees, and employees responsible for dealing with website problems should be given special training on how to implement the strategy.

·       Register with the Copyright Office. To be eligible for one of the DMCA safe harbors, notice must be filed with the Copyright Office, with the same information placed on the website. For more information, see http://lcweb.loc.gov/copyright/onlinesp/.

·       Insurance. Insurance is becoming increasingly available for risks associated with user-generated content. Insurance provides an excellent way to convert the risk of major liability into a manageable expense.

Conclusion. Deploying an effective strategy to manage risks associated with user-generated content is a complex and multifaceted effort with significant implications for the website, its relations with its users, and its associated liability. This article provides only a overview of the problems. Each website has its own unique business and technical practices that can minimize—or exacerbate—the problems described herein. Thus, websites should carefully map out and deploy a risk management strategy to meet their needs, and they continue to monitor developments to ensure maximum benefit as the law changes.

About the author: Cooley Godward LLP, a law firm with over 380 attorneys, serves clients from seven offices in California, Colorado and Washington. The Information Technology practice group consists of approximately 30 attorneys firmwide dedicated solely to providing information technology companies with focused, expert assistance in the acquisition, use and commercialization of information technology products.