Website Provider Liability for User Content and Actions

Many websites have found that developing an online "community" is crucial to obtaining their business objectives. As a result, user-generated content is ubiquitous online.

While user-generated content can facilitate a website's objectives, it raises a host of thorny legal issues. Default legal rules may impose liability on websites for intellectual property infringement and other harms caused by their users, and a single bad user could cause liability ranging into the millions of dollars. There have now been over a dozen cases on the topic, some with sensible rulings and others raising the specter of, effectively, unlimited liability.

Websites planning to permit users to exchange content should implement a number of techniques to manage their potential risk. This Cooley Alert identifies some of the problems arising from permitting user-generated content on your website and then provides a few general suggestions for managing the associated risks.

Sources of Liability

Below are a few of the most common legal issues websites encounter when permitting user-generated content.

Intellectual Property Infringement

Copyright: Copyright law recognizes three types of liability: direct, contributory, and vicarious.

Direct infringement occurs when an infringer copies a copyrighted work. Direct liability is a strict liability offense, and thus does not require the infringer to know of the infringement. If direct infringement applies, a website provider would be liable if a user posts a copyrighted work that is subsequently downloaded or viewed by others. While some courts have held service providers directly liable for user-committed copyright infringement, other courts have rejected imposing direct liability as unduly harsh and instead analyze infringement claims against website providers under contributory or vicarious liability.

Contributory infringement occurs when a party knows of an infringing activity and substantially participates in that activity. While the existing cases have not definitively addressed when a website is contributorily infringing based on its users' activities, the cases generally have suggested a notice-based liability standard. In other words, once a website receives notice that a user is committing infringement, the website will be deemed to be substantially participating in the infringement if it does not remove the infringement within a reasonable period of time. (Note: The courts have not yet defined what is a suitable "notice" that alleges copyright infringement; for now, each notice must be analyzed on its own terms.) Of course, if a website actually knows of a particular infringement based on its practices, this knowledge will also trigger the duty to act. Thus, to minimize exposure for contributory copyright infringement, websites should (a) try to reduce actual knowledge of user-generated content by not monitoring their services, and (b) respond promptly to notices alleging that a user is committing copyright infringement.

Vicarious copyright infringement occurs when a party has the right and ability to control the infringer and reaps a direct financial benefit from the infringing activity. As a practical matter, many websites take the position that they have little or no ability to control their users. However, cases suggest that even nominal indicia of the right and ability to control users (such as a user agreement that contains subjective and arbitrary restrictions on users, or a pattern of disabling users' accounts or yanking user content) could, when aggregated, lead to a finding that the website has the "right and ability to control" the infringing user.

Some cases have found "direct financial benefit" merely when parties charge flat fees for their services, even if these fees do not vary based on the amount of infringement committed by others. However, if these precedents are not followed, it is likely that a website will be deemed to have a direct financial benefit if its business model creates additional revenues as increased infringement occurs. This may occur when a website charges a transaction fee based on user activity (which includes situations where user activity is infringing) or when a website delivers advertisements on user content (which includes infringing content). In these circumstances, it is imperative that the website reduce all indicia of its right and ability to control its users, or else, regardless of its claim that it was not practical or possible to manage its users, the website may become vulnerable to claims, no matter how unjustified they may seem, for acts of infringement committed by users.

This summer, both the House of Representatives and the Senate passed versions of the Digital Millennium Copyright Act (the "DMCA"). It is expected that differences between the versions of the bill will be resolved in the joint House/Senate committee and the final bill will be enacted. The DMCA does contain a number of provisions purporting to limit website liability for user-committed copyright infringements, but as currently written, the DMCA does not meaningfully limit potential contributory or vicarious liability on the part of websites. Thus, as a practical matter, the DMCA is not expected to affect the current state of the law with respect to possible website liability for contributory or vicarious copyright infringements.

Trademark: Trademark law prevents the use of trademarks of others in a manner that creates a likelihood of confusion about the source of goods or services or in a manner that dilutes the value of the trademark. As with copyright law, liability can be found for direct, contributory, or vicarious infringement.

Of these three types of liability, websites face the greatest risk that they may be contributorily infringing based on their users' content. Contributory trademark infringement occurs when a party supplies a "product" (such as a web page) knowing that the "product" is being used to infringe a third party's trademark. Thus, in this respect, contributory trademark infringement appears to have the same characteristics as contributory copyright infringement: actual knowledge or notice of infringement initiates a duty to cease further infringement or face liability.

Defamation and Other "Publisher/Speaker" Torts

Section 230(c)(1) of the Communications Decency Act, passed in 1996, says "no provider or user of an interactive computer service shall be treated as a publisher or speaker of any information provided by another information content provider." To date, courts have treated this language as a nearly complete bar against liability for users' defamatory postings.

While this statutory safe harbor has provided some welcome relief to websites, it is not a panacea. First, the safe harbor applies only to information "provided by another information content provider." Thus, information provided by employees and, perhaps, some independent contractors may still create liability. Second, the only claims courts have determined to be covered by the statute are defamation and certain conduct related to child pornography, and it is unclear whether other claims such as publicity or privacy rights violations would be covered by the statute. Intellectual property and federal obscenity/child pornography claims are not affected by the statute, and the words "publisher or speaker" have not been sufficiently interpreted to explain what other types of claims will be protected under the statute. Finally, the safe harbor applies only to "interactive computer services," a term which is not well-defined in the statute and which may not cover websites.

Obscenity and Child Pornography

No cases specifically address website liability for user-generated obscenity or child pornography. Websites faced with state law obscenity or child pornography charges can argue that such claims qualify for immunity under § 230(c), but this defense is not certain. Further, the safe harbor in the Communications Decency Act (discussed above) expressly excludes federal criminal obscenity and child pornography laws from its safe harbor. Thus, websites could be liable for user-generated obscenity or child pornography in certain circumstances.

Other Claims

Until the scope of the safe harbor in the Communications Decency Act is more fully understood, the range of potential claims against websites is impossible to define. If the safe harbor defense is not available, websites will need to develop other defenses, if they can, against claims for user-caused harms and attendant claims that the website knew of the harm and failed to take reasonable actions to prevent or remedy the harm.

Suggestions For Risk Management

In light of the above analysis, Cooley Godward continues to believe that websites should take steps to avoid knowing their users' activities and content and, in most cases, reduce indicia of their right and ability to control user behavior and content. Thus, we propose that websites consider the following recommendations:

1. Do Not Actively Monitor the Website. Active monitoring of the website will give the website actual or putative knowledge of user conduct and content. Thus, active monitoring creates the possibility that a website will be liable for all user-caused harms except those preempted by the safe harbor in the Communications Decency Act.

2. Consider Empowering Independent Contractors to Monitor Your Site. Some websites believe that active monitoring is crucial to their business objectives. In these cases, the websites should have independent contractors do the monitoring. If done properly, the website will not be liable for the independent contractors' monitoring or knowledge of user content. However, to ensure that the independent contractors will not be deemed agents of the website (in which case this risk management strategy will have failed), the independent contractors must be given the authority necessary to resolve problems they find.

3. Respond to Complaints. Although in general websites should minimize contact with user-generated content, if a website receives a legitimate complaint about user content, it usually has a duty to respond promptly (unless the claim is preempted by the safe harbor in the Communications Decency Act).

4. Review the User Agreement. Provisions enabling websites to blacklist subscribers or edit content based on subjective or arbitrary standards provide strong evidence of the site's right and ability to control its users and their content. Thus, user agreements should only prohibit users from engaging in conduct that is illegal or tortious, or that interferes with the technological operation of the site.

5. Train Employees. All employees who interact with the website can take legally significant actions that could undermine a risk management strategy. Thus, the website's risk management strategy should be explained to all employees, and employees responsible for dealing with website problems should be given special training on how to implement the strategy.

6. Insurance. Insurance is becoming increasingly available for risks associated with user-generated content. Insurance provides an excellent way to convert the risk of major liability into a manageable expense.


Deploying an effective strategy to manage risks associated with user-generated content is a complex and multifaceted effort with significant implications for the website, its relations with its users, and its associated liability. This Cooley Alert provides only an overview of the problems. Each website has its own unique business and technical practices that can minimize, or exacerbate, the problems described herein.