Recently, while shopping around for a new credit card, I was surprised by how many people were eager to “refer” me. It’s a common promotional scheme – someone sends you a referral link or code, and if you use it, they score a bonus. Seems harmless enough, but a recent ruling out of the Western District of Washington has raised an important question—can the company behind these referral programs be held liable for the messages sent? Let’s find out.
Plaintiff Tamie Jensen alleged that she received a text message from a contact, containing content prepared by Defendant Capital One as part of its “Refer a Friend” program. Jensen filed this putative class-action lawsuit on behalf of herself and others who received a “Refer a Friend” text message – claiming that the transmission of this commercial text message violated Washington’s Commercial Electronic Mail Act (“CEMA”) and Consumer Protection Act (“CPA”).
According to the Complaint, users can click the referral button on Capital One’s app or website, prompting Capital One to generate a referral link and compose an editable text message. The user is then allegedly directed to copy and paste the message with the link and send it to their contacts. The Complaint states that on the app (but not the website), a notice underneath the referral button reads: “You confirm you have consent to send text messages to each recipient. You may edit the pre-filled message as desired.” Jensen claims the alleged text message she received had not been edited by her contact before she received it and contained only the pre-filled content composed by Capital One.
In its motion to dismiss the lawsuit, Capital One raised three contentions, including an argument that it is immune under Section 230 of the Communications Decency Act from liability for text messages it did not directly send.
Section 230 isn’t something we talk about here too often, so let me give you a little background – the operative part of Section 230(c)(1) specifies that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” The statute essentially protects online platforms such as Google, Facebook, or Amazon, as well as companies that provide broadband internet access or web hosting from being held legally responsible for information posted by an “information content provider”, or the person or entity actually responsible for the creation or development of information. However, Section 230 does not prevent an interactive computer service from being held liable for information that it has developed. Section 230, therefore, distinguishes those who create content from those who provide access to that content, providing immunity to the latter group. An entity may be both an “interactive computer service” provider and an “information content provider,” but the critical inquiry for applying Section 230’s immunity is whether the service provider developed the content that is the basis for liability.
With that out of the way, let’s get into Jensen and Capital One’s specific contentions. Jensen argued that she complains of content provided—either entirely or mostly—by Capital One, not by a third party (the “friend” who sent her the referral text). Capital One, however, argued that because it merely provided suggested language, and its customers retained control over whether to or what to text to their friends, Capital One should not be liable for the text messages and language that its customers chose to send.
The Court agreed with Jensen, holding that the offending content for the purposes of the alleged CEMA violation is the referral link—which was composed in its entirety by Capital One with respect to the text Jensen received. Although Capital One emphasized that senders retain the ability to modify the content of the “Refer a Friend” texts, the text Jensen allegedly received was not modified. The Court distinguished the situation here from that in Carafano v. Metrosplash.com, Inc., 339 F.3d 1119, 1122 (9th Cir. 2003), where the defendant was an online dating site that required users to complete a multiple-choice survey to create a profile. A user created a false and defamatory profile for a celebrity, who then sued the site. The Ninth Circuit held that, although the site required its users to complete the survey, because the site did not play a significant role in creating, developing, or transforming the relevant information—the defamatory information—the dating site was protected by Section 230. Here, however, because Jensen alleged that Capital One is the sole author of the content of the text that she received, the Court held that Capital One is not entitled to Section 230 immunity.
The Court also rejected Capital One’s two other grounds for dismissing the Complaint – that Jensen’s claims seek to interfere with Capital One’s power to advertise and market its credit cards, and are therefore preempted by the National Bank Act (“NBA”), and that Jensen did not state a CEMA claim because she failed to allege that Capital One either initiated the text message or substantially assisted in transmitting the message.
Briefly, CEMA imposes liability for persons conducting business in Washington who “initiate” or “assist” in transmitting a commercial text message to a telephone number assigned to a Washington resident’s cell phone. CEMA defines “assist the transmission” as providing “substantial assistance or support.” WASH. REV. CODE § 19.190.010(1). Interestingly, Capital One essentially conceded that it assisted its customers in transmitting text messages but argued that the assistance it provided was not “substantial.” The Court disagreed, finding that Jensen’s allegations that Capital One generates a referral link and other content of a text message that customers are asked to copy and send to their contacts are sufficient to support a finding that Capital One substantially assisted its customers in formulating, composing, and sending commercial text messages. Although Capital One emphasized the part of the process that is outside its control (when to send messages, who to send messages to, whether Capital One’s provided language should be edited or sent as is), the Court held that these arguments go to the merits of the CEMA claim, rather than the sufficiency of Jensen’s allegations.
Capital One also attempted to argue that it notified its customers only to send texts to people who have consented to receive them and did not know that the text messages would be sent without consent. However, Capital One’s description of the notice was found to be only partially accurate: the notice on the mobile app indicates that the customer should have received consent to send “text messages” to the recipient, but not that the customer should have received consent to send the particular commercial text message. The Court rejected Capital One’s argument that a “natural reading” of the notice would tell a consumer to only send the specific commercial text with consent and instead concluded that the plain language of the notice suggests that the consent at issue is the consent to send text messages in general.
Lastly, the Court rejected Capital One’s contention that CEMA represents a significant restriction on Capital One’s ability to advertise its credit cards, and is thereby preempted by the NBA, which gives federally chartered banks the power “[t]o exercise … all such incidental powers as shall be necessary to carry on the business of banking.” 12 U.S.C. § 24. The Court held that CEMA’s generally applicable restrictions on the manner of advertising would not restrict all forms of Capital One’s advertising, or even all forms of advertising via text message. Accordingly, the Court found that requiring Capital One to comply with CEMA would not significantly impair its ability to advertise its credit cards and thus found no preemption here.
The Future of Section 230
A particularly interesting part of this decision is when the Court notes that “the purpose of Section 230 immunity—to encourage Internet service providers to voluntarily monitor and edit user-generated speech in internet traffic—would not be served by protecting Capital One from liability in this case.” As acknowledged by the Court, the “two basic policy reasons” for Section 230 immunity are “to promote the free exchange of information and ideas over the Internet and to encourage voluntary monitoring for offensive or obscene material.” Remember, this statute was enacted back in 1996. At the time, the feeling was that the threat of being sued into oblivion by anyone who felt wronged by something someone else posted would naturally disincentivize online platforms that were still very much in their nascent stage of growth – and not the tech giants we see today. Over the years, there have been numerous attempts to reform Section 230, ranging from outright repeal to reinterpreting the scope of protected activities (for example, limiting or eliminating protection of child sexual abuse material has been one of the few bipartisan efforts in recent years), placing conditions on platforms that wish to avail the immunity, and altering the “Good Samaritan” provisions to address what are perceived to be politically motivated content removals.
Of course, this brings us to the question of who actually decides the scope of Section 230 – until not too long ago, the clear answer was the FCC. However, the Supreme Court’s decision in Loper Bright v. Raimondo stripped the FCC of its ability to broadly interpret statutes. Nevertheless, FCC Chairman Brendan Carr made his views on Section 230 perfectly clear in his chapter of Project 2025, stating that, “The FCC should issue an order that interprets Section 230 in a way that eliminates the expansive, non-textual immunities that courts have read into the statute.” While the FCC’s authority to do this in a post-Loper world is questionable, Carr also adds, “The FCC should work with Congress on more fundamental Section 230 reforms […] ensuring that Internet companies no longer have carte blanche to censor protected speech while maintaining their Section 230 protections.”
Conclusion
So, to answer the question I started with – yes, a corporation can be held liable for the transmission of a message it developed. Even with a Section 230 shakeup on the horizon, it doesn’t look like Capital One will be offered any respite in this case.
However, it will be interesting to see what stance the FCC does take on the future of Section 230 – and we may find out sooner rather than later in light of the deregulation initiative announced on March 12, 2025.
Meanwhile, you can read the Court’s order here: Jensen v. Capital One Financial Corp., 2025 WL 606194 (W.D. Wash. Feb. 25, 2025).