Barnes v. Yahoo!, CDA Immunity, and Promissory Estoppel
posted by Daniel Solove
The Ninth Circuit recently decided Barnes v. Yahoo!, a case with some very interesting holdings relating to the Communications Decency Act § 230 as well as promissory estoppel. I wrote about this case briefly in my book, The Future of Reputation, long before it made it up to the Ninth Circuit.
Celia Barnes’ ex-boyfriend created fake profiles in her name on Yahoo. Moreover, as the court relates:
The profiles contained nude photographs of Barnes and her boyfriend, taken without her knowledge, and some kind of open solicitation, whether express or implied is unclear, to engage in sexual intercourse. The ex-boyfriend then conducted discussions in Yahoo’s online “chat rooms,” posing as Barnes and directing male correspondents to the fraudulent profiles he had created. The profiles also included the addresses, real and electronic, and telephone number at Barnes’ place of employment. Before long, men whom Barnes did not know were peppering her office with emails, phone calls, and personal visits, all in the expectation of sex.
Barnes contacted Yahoo to get the profiles taken down:
In accordance with Yahoo policy, Barnes mailed Yahoo a copy of her photo ID and a signed statement denying her involvement with the profiles and requesting their removal. One month later, Yahoo had not responded but the undesired advances from unknown men continued; Barnes again asked Yahoo by mail to remove the profiles. Nothing happened. The following month, Barnes sent Yahoo two more mailings. During the same period, a local news program was preparing to broadcast a report on the incident. A day before the initial air date of the broadcast, Yahoo broke its silence; its Director of Communications, a Ms. Osako, called Barnes and asked her to fax directly the previous statements she had mailed. Ms. Osako told Barnes that she would “personally walk the statements over to the division responsible for stopping unauthorized profiles and they would take care of it.” Barnes claims to have relied on this statement and took no further action regarding the profiles and the trouble they had caused. Approximately two months passed without word from Yahoo, at which point Barnes filed this lawsuit against Yahoo in Oregon state court. Shortly thereafter, the profiles disappeared from Yahoo’s website, apparently never to return.
The court held, as expected, that Section 230 immunizes Yahoo from Barnes’s claim that it was negligent in removing the content. This is in line with many courts that have interpreted the scope of Section 230 immunity.
The interesting part of the court’s holding involves Barnes’s promissory estoppel claim. For non-lawyers, promissory estoppel is a doctrine that provides that when one makes a promise to another person, and that person relies on that promise, then the promise will be treated akin to a contract. Ordinarily a contract requires bargaining and consideration, which are often lacking with mere promises.
Barnes contended that she relied on Yahoo’s promise to take down the tortious profiles and did not pursue other avenues of relief because of her belief that Yahoo would fulfill its promise. The court held that Section 230 didn’t immunize Yahoo against the promissory estoppel claim as it had against Barnes’s tort claims:
Subsection 230(c)(1) creates a baseline rule: no liability for publishing or speaking the content of other information service providers. Insofar as Yahoo made a promise with the constructive intent that it be enforceable, it has implicitly agreed to an alteration in such baseline.
I agree with this conclusion. Promissory estoppel and contract claims differ from tort claims such as negligence, defamation, or invasion of privacy. Indeed, such claims are treated very differently under the First Amendment, with tort claims receiving full scrutiny and contract/promissory estoppel claims receiving virtually no scrutiny. In a recent paper, Neil Richards and I discuss why First Amendment law takes such wildly divergent approaches: Rethinking Free Speech and Civil Liability, 109 Columbia Law Review (forthcoming 2009). We also argue that the line shouldn’t be drawn based on the formalist distinction between tort and contract, as this distinction readily breaks down. For example, we conclude that the tort of breach of confidentiality should be treated akin to contract/promissory estoppel claims rather than tort claims such as defamation and public disclosure of private facts.
Back to the case. One of the potential problems with the court’s holding is that it may deter ISPs and other sites from having an explicit policy for removing tortious material. Yahoo could be penalized with potential liability and a loss of its immunity by having a removal policy. An ISP or site that has no such removal policy and that would say “get lost” to people who request takedowns would not be subject to promissory estoppel liability. Is it fair to penalize those who have such policies?
The court notes how its holding is limited:
[A] general monitoring policy, or even an attempt to help a particular person, on the part of an interactive computer service such as Yahoo does not suffice for contract liability. This makes it easy for Yahoo to avoid liability: it need only disclaim any intention to be bound.
In other words, Yahoo is liable not because it had a general removal policy, but because it made specific promises to Barnes.
Eric Goldman argues that policies can readily be redrafted. He notes that “websites can easily manage their potential exposure to this claim by picking their words carefully.”
I hope that the Ninth Circuit’s holding doesn’t result in various sites qualifying all their promises and weakening their policies in the hopes of avoiding liability. One of the problems with situations faced by Barnes and others is that the websites and ISPs that have the offensive information posted about victims are often not in any customer relationship with the victims. Barnes did not contact Yahoo for a regular customer complaint with its service — she was hurt by a Yahoo customer. The removal policies at many sites and ISPs help people who are often non-customers. There is no particularly strong incentive for such sites and ISPs to respond to such complaints as with customers who could threaten to leave.
The court’s holding, though correct, might encourage ISPs and sites to further attempt to hide under Section 230′s umbrella by weakening promises to take down harmful content. And that’s a problem because the original goal of Section 230 was to encourage sites to monitor and take down offensive and hurtful content. Now the law seems to be saying loudly: You have no responsibility to protect people from harmful content about them. If you do nothing, then you’re not liable because of Section 230 immunity. If you promise to protect people, then you might be liable.
This reminds me of Stratton Oakmont, Inc. v. Prodigy Services Co., 23 Media L. Rep. 1794 (N.Y. Sup. 1995), where the court held that an ISP could be liable for content provided by another because it had a policy of monitoring content. This was the very case that Congress wanted to overrule when it passed the CDA 230.
Ironically, the law of Section 230 immunity seems to have moved closer to Stratton Oakmont with the Ninth Circuit’s holding (of course, very significant differences still remain). This isn’t the fault of the Ninth Circuit’s holding, which strikes me as quite valid. Rather, it is due to the perverse implications of the overreaching interpretations of CDA immunity that most courts have now adopted, making such immunity near absolute for tort claims.
For further discussion of some of the other issues in the case, see Paul Levi’s post at Consumer Law & Protection Blog and Eric Goldman’s post at Technology & Marketing Law Blog.
May 19, 2009 at 6:14 pm
Posted in: Constitutional Law, Cyberlaw, First Amendment, Law School, Media Law, Privacy, Privacy (Gossip & Shaming), Social Network Websites, Tort Law, Web 2.0
Print This Post
Responses (4)
Steven Roussey - May 20, 2009 at 10:59 am
“You have no responsibility to protect people from harmful content about them. If you do nothing, then you’re not liable because of Section 230 immunity. If you promise to protect people, then you might be liable.”
Yes, if the plaintiffs hadn’t forced this outcome, this would not be the result. I’ve already instructed our support staff to never promise, only to look into things. Better to act then to promise. What if you forget?!
Perhaps better to never have a conversational mode of communication at all. Perhaps only a web form, and a brief non-committal acknowledgment rather than email or a forum.
Gennadiy Kornev - May 22, 2009 at 11:16 am
Will there be a post on data.gov launch?
JOLT Digest » Barnes v. Yahoo!, Inc. | Harvard Journal of Law & Technology - May 23, 2009 at 2:28 pm
[...] Randazza of the Citizen Media Law Project and Daniel Solove of Concurring Opinions provide overviews of the decision. Eric Goldman of the Technology and Marketing Law Blog [...]
IP Osgoode - Intellectual Property Law & Technology Program » Immunity under the Communications Decency Act - May 27, 2009 at 4:12 am
[...] attention in blogs and in the media. There were two posts I found particularly illuminating. A post by Daniel Solove discusses the possible downsides of this ruling. Solove worries that by extending liability for [...]
Leave a Reply