Background
The plaintiff shared intimate images with her then-fiancé. After their relationship ended, he created fake Facebook profiles in her name and uploaded the intimate images without her consent — creating what is known as nonconsensual intimate imagery, or NCII. The plaintiff asked Facebook to remove the images, and when that failed to happen quickly, she obtained a search warrant directed at Facebook demanding removal. Eventually the images were removed, but not before the plaintiff alleged they had remained visible on Cloudflare’s infrastructure for months after she demanded their deletion.
Cloudflare does not operate Facebook. It provides content delivery network (CDN) services to Meta/Facebook — caching and routing content to make Facebook load faster for users worldwide. Critically, Cloudflare has no independent ability to remove specific content from Facebook’s servers. When it receives a takedown request about Facebook content, all it can do is forward the notice to Facebook. Nevertheless, the plaintiff sued Cloudflare as a third defendant in a putative class action, alleging liability under 15 U.S.C. § 6851, enacted as part of the Violence Against Women Act Reauthorization Act of 2022 (“VAWA”), which creates civil liability for disclosure of nonconsensual intimate images.
The Court’s Holding
The district court dismissed the claims against Cloudflare under Section 230 of the Communications Decency Act. The court relied on two Section 230 provisions:
First, under § 230(c)(1), a provider or user of an “interactive computer service” cannot be treated as the publisher or speaker of information provided by a third party. The court applied Doe v. Twitter‘s holding that Section 230 immunity covers “any content dissemination” — including CDN activity. The plaintiff argued that because Cloudflare lacked the ability to remove images, it wasn’t making any publisher decisions and therefore shouldn’t be shielded. The court rejected this: the fact that Cloudflare was disseminating the content through CDN services was enough to trigger § 230(c)(1).
Second, the court held Cloudflare qualified as an “access software provider” under § 230(f)(4) — a statutory category that covers “software” enabling users to access online services. Like a domain registrar (citing GoDaddy), Cloudflare “merely provided access to content created by a third party.” The plaintiff tried to turn this against Cloudflare, arguing that invoking “access software provider” status was an admission that Cloudflare had become an “information content provider” of the NCII. The court rejected this creative but unconvincing argument.
The court also addressed the § 6851 (VAWA) claim specifically: because the plaintiff did not allege copyright infringement over her intimate images — even though she presumably owned those copyrights — the § 230 statutory exception for intellectual property claims did not apply. A § 6851 VAWA claim “is not an intellectual property law,” the court noted, citing Doe v. X.
Key Takeaways
- Section 230 extends to content delivery networks acting as infrastructure for third-party platforms. A CDN’s inability to control the content it caches is irrelevant to immunity.
- The “access software provider” category under § 230(f)(4) protects CDNs the same way it protects domain registrars — as passive conduits to content they did not create.
- NCII victims face a structural problem: they often cannot sue the platform (Facebook) for failing to remove content, and now cannot sue the CDN provider (Cloudflare) that serves the platform. Their remedies run primarily against the uploader and, if applicable, the platform under state NCII laws or the Take It Down Act.
- The emerging “tertiary liability” theory — suing not just the platform but the platform’s infrastructure providers — has now taken another clear loss under § 230.
Why It Matters
This case illustrates the cascading problem at the heart of internet liability law. When abusive content spreads online, the most visible wrongdoer (the ex-partner who uploaded the images) is often judgment-proof. The platform (Facebook) is largely shielded by Section 230. Plaintiffs have increasingly tried to reach further upstream — suing CDNs, domain registrars, payment processors, and other infrastructure providers that support the platform. Courts have generally rejected those claims, and this decision continues that trend.
The ruling also intersects with the Take It Down Act, signed in 2025, which requires platforms to remove NCII within 48 hours of notice. The court did not apply the Act (it was analyzing § 230’s scope), but noted it as a relevant development. Whether CDNs like Cloudflare are “covered platforms” under the Act — or whether the 48-hour obligation runs only to the primary platform — is an open question that future cases will address.
Surfaced via Eric Goldman’s Technology & Marketing Law Blog.