
Section 230 of Communications Decency Act May Not Provide Safe Harbor from State Criminal Law for Website Operators

February 23, 2015

Website operators beware: There are limitations on the immunity offered under federal law for offensive content posted by others. Recently, a website operator made a serious miscalculation as to the breadth of the immunity provided by Section 230 of the Communications Decency Act (“CDA”). On February 3, 2015, Kevin Bollaert, a “revenge porn” website operator, was convicted of 27 criminal counts of identity theft and extortion, stemming from his operation of that website. Bollaert apparently believed he could not be prosecuted as a website operator since the offensive content was posted by users, and not him personally.

“Revenge porn” websites allow people to post nude or explicit photos of adults without their permission. These sites are typically populated with photos posted by jilted lovers. Bollaert had operated a site called “,” which invited users to post nude photos of others. Bollaert’s site also went a step further, requiring that, along with the photos, personal information about the subject of the photos be posted, including the person’s full name, location, age, and a Facebook link. If the subjects of the photos complained, Bollaert would refuse to take the photos down unless the victim paid a fee (up to $350) via another website he operated. Bollaert first used PayPal to collect the fees, then requested $250 Amazon gift cards when his PayPal account was shut down.

Bollaert’s defense to the criminal charges appears to have been based in part on the immunity provided under Section 230 of the Communications Decency Act (“CDA”), 47 U.S.C. 230. Under Section 230(c)(1), “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Simply put, a website operator generally cannot be held responsible for the content of material posted on the website by others. While defamation is the most common type of claim asserted in this area, the immunity provided by §230 generally applies to all types of claims, such as invasion of privacy, emotional distress, negligence, and fraud – any claim where the plaintiff seeks to hold the defendant liable for the content of the speech created by others. However, the immunity does not apply to violations of federal criminal law, intellectual property law, and electronic communications privacy law. It also does not apply to state criminal law that is “consistent” with the statute.

While a website operator is always responsible for its own speech as a “creator” of content, the operator will also lose immunity if it is determined to be the “developer” of content posted by a third party. One federal court held that if the primary purpose of the website itself is to serve as a conduit for unlawful activity, the CDA’s immunity does not apply. See Federal Trade Comm’n v. Accusearch, Inc., 570 F.3d 1187 (10th Cir. 2009). In addition, different jurisdictions have taken varying approaches to determine what constitutes “development” of content. Material contribution to the content will usually result in the loss of immunity. Solicitation or encouragement of defamatory content has been held to defeat the protections under §230 according to some courts, while other courts have held that mere solicitation or encouragement of harmful content is insufficient to pierce the shield of Section 230’s immunity.

What Bollaert apparently failed to realize is that while §230 of the CDA can provide immunity from tort and criminal claims, it does not necessarily provide protection against prosecution under statutes that are “consistent” with §230 (including federal criminal statutes). Bollaert was prosecuted for extortion and under California laws against identity theft, which prohibited anyone from willfully obtaining personal information to be used for “any unlawful purpose, including with the intent to annoy or harass.”

Most people seem to agree that offensive websites such as Bollaert’s serve no legitimate purpose. Regardless of the offensive nature of Bollaert’s conduct, however, it is not clear that the California identity theft statute is actually “consistent” with the federal identity theft law (18 U.S.C. §1028) since California’s law appears to be much broader. Bollaert’s conviction arose from him being treated as the “publisher” of the offensive content, which, absent an exception, would provide him with immunity under §230. However, Bollaert’s requirement that personal information be provided with the photos might have been enough for the court to find that he “developed” the content.

In contrast, Bollaert’s extortion conviction, which stemmed from his demand for compensation in return for deleting the offensive postings, should not fall under §230 since he engaged in that activity directly. Bollaert faces up to 20 years in prison as a result of his conviction.

The takeaway: A website operator that intends to actively encourage the posting of defamatory website content – pornographic or otherwise – in reliance on §230’s immunity cannot assume it is entitled to blanket immunity under the CDA.