It’s no secret to those in the technology industry that Section 230 of the Communications Decency Act is a foundational component to how cyberspace works. However, today it is important to note that this decades-old legislation has become the target of regulation, creating significant impact on the level of risk in the tech industry. 

Enacted in 1996, Section 230 of the Communications Decency Act helps protect online companies from liability arising from what is posted on their platforms. Many experts point to Section 230 as a foundational component to how the internet works today as it provides immunity to internet companies in two ways. First, a provider or user of an “interactive computer service” can’t be treated as the “publisher or speaker” of information provided by a third party. The law has a broad definition of “interactive computer service.” It includes almost any online platform that publishes third-party content. Second, providers and users of interactive computer services can’t be liable for voluntarily taking down content if the provider believes in good faith that the information is obscene or otherwise objectionable.

For Section 230 to protect a company from liability, the company that is being held accountable needs to be identified as providing or using an interactive computer service and therefore held liable as the publisher or speaker of the information. In addition, the company can be sued for fostering information provided by a third party. Without Section 230, online platforms would have to pay for settlements and judgments if they were sued for content that their users posted. 

The Limits of The Law 

Section 230 doesn’t provide immunity in every case though. Negligence and illegal behavior are some of the areas where Section 230 will not protect an online company. Therefore, it’s important that businesses understand how their platforms work and how they’re interacting with users.  

There are four especially significant limits of Section 230 that businesses should recognize as they provide or use interactive computer services. These are negligently designing a website or service that causes harm to a user; materially contributing to the illegality of information or the harmful nature of content; failing to warn users of a known danger on the platform; and statutory exceptions such as federal civil rights claims, antitrust claims, Fair Housing Act claims, electronic communications privacy law claims or intellectual property claims.

Protecting E-Commerce and Gig Economy Businesses

E-commerce and gig economy platforms may have some protection under Section 230. However, immunity will come down to the type of claim and how a gig economy service operates. It’s not as easy as saying every kind of e-commerce or gig economy company would have immunity under Section 230, and varying laws and regulations add another layer of complexity. 

For example, an e-commerce business will likely have protection from claims based on representations or omissions in a product description or advertisement because the content usually comes from a third party. But in some states, the company may be viewed as a seller, so it can still be liable for defective products. Meanwhile, for gig economy services, businesses can be liable if the platform encourages unlawful, illegal or harmful conduct. 

The Future of Section 230 and Its Impact to the Tech Industry

Congress is considering 14 bills that could amend Section 230 to repeal it, limit its scope, impose new obligations, or alter the “Good Samaritan” portion of the law. For example, the “Disincentivizing Internet Service Censorship of Online Users and Restrictions on Speech and Expression Act,” or the DISCOURSE Act, aims to remove Section 230 protections for “market-dominant” computer services that manipulate algorithms to censor certain materials or viewpoints.

Another bill, the “21st Century Foundation for the Right to Express and Engage in Speech Act,” or 21st Century FREE Speech Act, aims to repeal Section 230 completely. It would also reclassify internet platforms as common carriers, requiring them to provide services to anyone without discriminating against individual users or classes of users based on political views, religious affiliation and region. 

Even though these bills are not signed into law, it is important for tech companies to be aware of them because they could change how Section 230 has worked over the last two decades and could impact a business’ operations today. In addition, it is not just tech companies that operate online platforms that could be impacted by changes to Section 230. It is also the companies that help make up the internet’s infrastructure.

For example, The Internet Society, a nonprofit organization, told The Verge in 2021 that these kinds of companies would have to reduce privacy practices because they’d have to be able to see what kind of information they’re passing off to determine if it’s illegal. Businesses around the world are using cloud computing more for their operations. And the infrastructure to handle this type of internet traffic continues to get built out. Changes to Section 230 could have serious impacts on how businesses providing cloud services and server hosting work.

Stay Connected 

Section 230 is not a simple law or topic to understand. With the potential for future changes, it is imperative for tech companies to have experienced risk management partners to help educate and mitigate changes to Section 230, the limits to its immunity and status updates on the current bills in Congress that can affect the law.

For example, courts and legislators are actively debating the proper scope of the law. Court decisions continue to evolve and often turn on factually specific questions such as the level of editorial control exercised by the company and the nature of the harms caused to a plaintiff. Was the plaintiff injured by a statement on the website, by a product sold on the website, or by the design of a particular website or service?

Plaintiffs’ lawyers and some courts will also try to avoid Section 230 protection by basing claims on the defective design or manufacture of products sold on a company’s website, rather than a statement about the product. In addition, they will claim the design of an online platform or service contributed to or encouraged the harm to the plaintiff and/or the illegal or tortious nature of the information. These are just two exposures. Others may include basing claims on information or content provided by the company, rather than a third party, and/or past instances of the company editing content, as well as claiming the company had a duty to warn users of known dangers and identifying promises to users by the company that the company failed to uphold. 

It’s clear the scope of Section 230 will continue to evolve. Now is the time for tech companies to remain vigilant and actively respond to its impacts and potential risk exposures.