Updated: June 30, 2020
If you run a website that hosts user-generated content, or are yourself a user of social media or a cloud-based storage service, you have likely heard of the Digital Millennium Copyright Act, or DMCA, codified as 17 U.S.C. §512. The DMCA is the federal law that expanded the ability to enforce copyright to the internet. Under then-existing copyright law, service providers that stored material on their systems at the direction of users—referred to as Online Service Providers (OSPs)—could be liable for copyright infringement if their users posted infringing material. Under the DMCA, OSPs are shielded from liability for infringement, and even if they do not police their own website for infringing content, as long as they follow certain rules. For services that host user content, the applicable “safe harbor” provision is found in 17 U.S.C. 512(c)(3). To be eligible for the safe harbor, among other things, an OSP needs to: (i) lack actual knowledge that material hosted on their website is infringing; (ii) not be aware of facts from which infringing activity is blatantly obvious (referred to as “red flag knowledge”); and (iii) upon obtaining such “red flag” knowledge, act expeditiously to remove or disable access to the infringing material. Upon notification of claimed infringement from a copyright owner, OSPs must respond expeditiously to remove or disable access to material claimed to be infringing. Note that strict, prompt compliance with these procedures is required to maintain DMCA safe harbor eligibility.
First, it is important to recognize that takedown notices under 17 U.S.C. §512(c)(3) must substantially comply with certain statutory requirements.
A proper takedown notice needs to be in writing, and substantially include: (1) the physical or e-signature of the copyright owner, or a person authorized to act on the owner’s behalf; (2) identification of the copyrighted work claimed to have been infringed, or a representative list of works at a specific site if multiple copyrighted works are covered in a single notice; (3) identification of the allegedly infringing material to be removed, with enough information to allow the service provider to find the material (a URL, or instructions to navigate to it); (4) information to allow the online service provider to contact the complaining party (an address, telephone number or email address); (5) a statement that the complaining party has a good faith belief that use of the material complained of is not authorized by the copyright owner, its agent, or the law; and certifying that the information, under penalty of perjury, is accurate; and (6) a statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is the copyright owner or authorized on behalf of the copyright owner.
Under current law, an improper notice – one that fails to substantially comply with the above requirements – cannot be the sole basis for an OSP’s knowledge of infringement. That is to say, if the provider is otherwise unaware of hosting the allegedly infringing material, a deficient notice cannot create knowledge to disqualify the provider from the safe harbor provision.
However, receiving a deficient notice does not put an end to the takedown process. If an OSP receives a notice that only includes the identification of the copyrighted work or works, the identification of the material that is claimed to be infringing, and the contact information of the complaining party, the OSP must take reasonable steps to promptly contact the complaining party and have the notice corrected. If, and only if, the complaining party fails to correct their notice, can the service provider disregard the notice. Otherwise, the service provider must continue to comply with the DMCA takedown process.
Assuming the takedown notice the OSP receives is proper—or properly corrected—the OSP must forward the takedown notice to the user that posted the allegedly infringing material, actually remove or disable access to the allegedly infringing material, and then give notice to that user that the material has in fact been disabled or removed from the OSP’s website. It is not enough to merely take down the material suspected of infringement at some point; the DMCA specifically provides that the OSP must promptly take down the material suspected of infringement after receiving a proper takedown notice. If the OSP does not take down the material identified in the notice in a justifiably prompt period of time, it could become liable for copyright infringement.
After taking down the noticed material, the OSP’s job still is not done. At this stage, the user that originally posted the content suspected of infringement has an opportunity to dispute the notice if they believe that the takedown notice was mistaken, or the content was not infringing. If the user intends to file a dispute, they will send the OSP a DMCA counternotice, as provided for under 17 U.S.C. §512(g).
The OSP should initially handle a counternotice similarly to a takedown notice, by verifying that the counternotice is proper. A proper counternotice must be in writing and include: (1) the contesting party’s signature or e-signature; (2) a description of the material removed and the URL where it was located prior to removal; (3) a statement by the contesting party under penalty of perjury signifying the contesting party has a good faith belief that the content was mistakenly removed; and (4) the contesting party’s name, address, phone number and a statement consenting to jurisdiction in the federal district court in the user’s district, or any federal district in which the OSP can be found. If the counternotice is proper, the OSP must provide it to the original notice sender and will have between 10-14 business days following its receipt of the counternotice to replace or re-enable the subject material on the website.
In that same 10-14 day window, however, the original notice sender could notify the OSP that it has filed a copyright infringement lawsuit against the user, seeking either damages or a court order preventing the user from continued infringing. If the original takedown notice sender pursues an infringement lawsuit, the OSP does not need to restore or re-enable the subject material until after the lawsuit concludes or settles. Prompt compliance with this procedure will keep OSPs eligible for the DMCA’s safe harbor from liability for infringing material posted by their users. Failure to comply, however, will result in the OSP losing safe harbor eligibility and potentially becoming liable for damages as a secondary copyright infringer.
Under 17 U.S.C. 512(c)(2), OSPs only qualify for the DMCA’s safe harbor if they designate an agent to receive any takedown notifications. OSPs should make sure their designated agent’s name, address, phone number and email address are placed in an accessible location on their website. OSPs also need to provide that same information to the Copyright Office, along with any additional contact information the Copyright Office deems appropriate. That information will then be included in a directory of all OSP designated agents, for reference by potential takedown claimants.
OSPs should note that compliance with the takedown procedures is not the only requirement to qualify for protection under the DMCA’s safe harbor. In addition to lacking actual or “red flag” knowledge of the infringing activity hosted on the OSP’s system (or complying with a takedown notice providing such knowledge), under 17 U.S.C. §512(c)(1)(B), an OSP must not receive a direct financial benefit from that infringing activity, specifically in situations where the OSP has the right and ability to control the infringing activity. An OSP which meets both prongs will also lose its liability shield under the DMCA safe harbor provisions. The right and ability to control generally means conduct that is more than merely removing or disabling access to infringing material, or even voluntarily monitoring user submissions to identify obvious infringements.
Even if the OSP has the “right and ability to control” the infringing activity, it may not derive a “direct financial benefit.” A direct financial benefit exists only where the activity is a draw for its users, not just an added benefit – meaning the service provider in some way attracted or retained subscribers as a direct result of infringement. OSPs can earn revenue from other aspects of the service or receive income by providing access to all an OSP’s services (and therefore not directly from infringing activity) without deriving a direct financial benefit. Note, however, that an OSP is more likely to derive a direct financial benefit the more directly its income is related to the number of users that sign up due to infringing activity.
OSPs that merely transmit data between parties, rather than host user content, fall under a different DMCA safe harbor provision altogether. 17 U.S.C. § 512(a), is a narrower safe harbor than the safe harbor protecting services that actively host user content, and generally applies to less services. Under 17 U.S.C. §512(a), OSPs qualify for this safe harbor if: (1) the transmitted material was initiated by or at the direction of the user, or anyone other than the OSP; (2) the transmission process is carried out through an “automatic technical process” where the OSP does not select any material; (3) the OSP does not select the recipient of the material, except as an automatic response to the request of another user; (4) the OSP does not make a copy of the material, or store it in a manner in which it is accessible to anybody other than the anticipated recipients, or maintain the copy for longer than is necessary to transmit the material; and (5) the material is not modified through its transmission. “Passive” websites can only take advantage of this particular safe harbor if all of these separate provisions are met.
Under 17 U.S.C. §512(i), all OSPs are required to adopt and reasonably implement a policy governing the termination of repeat infringers, or users that generate repeated, uncontested takedown notices. The OSP must additionally communicate this policy publicly to its users – by making it available on the OSP’s website and/or including this policy as a part of the OSP’s Terms and Conditions of its service use. If an OSP does not have a repeat infringer policy, they should adopt and publicize one as soon as possible, or risk falling out of DMCA safe harbor eligibility. Note that all types of OSPs, whether passive or those which host user content, must adopt and publicize repeat infringer policies to qualify for their respective DMCA safe harbor provision.
The best practice for OSPs when dealing with takedown notices, repeat infringer policies or other aspects of maintaining their safe harbor under the DMCA is to be proactive – promptly respond to takedown requests and counternotices, publicly post the service’s takedown procedures on the main page of the website where it is visible and accessible or include them in the Terms of Service, and publicly circulate repeat infringer policies so all users are aware they could face service termination for repeated infringing conduct. OSPs should have an attorney, who is familiar with copyright law, review their Terms of Service or Copyright Policy to assess their risk.