In their zeal to curb Big Tech, regulators are crafting legislative reforms that make distinctions between Internet services based on size. A crucial Internet law, Section 230, is among the targets for such reforms. This essay discusses the nuanced considerations that regulators should address when drafting size-based distinctions for Internet services. It also raises concerns that such distinctions are not good policy in the context of Section 230.

By Eric Goldman & Jess Miers1


Regulators across the globe want to impose more stringent regulations on “Big Tech,” but that requires regulators to explain what “Big” Tech means. As it turns out, it’s not easy to craft sensible regulations that distinguish Internet services by size.

This essay will consider how regulators might incorporate a size-based regulation distinction into a critically important Internet law, Section 230,2 which says websites typically aren’t liable for third-party content.3 When Congress enacted Section 230 in 1996, the Internet looked quite differently than it does now.4 Now, with help from Section 230, Google and Facebook have emerged as two of the most valuable companies ever.5 In response, pending bills would reduce or eliminate Section 230 for large services.6 Other proposals at the federal7 and state8 level would impose greater duties on big Internet services.

This essay discusses the logistical considerations when drafting size-based distinctions for Internet services. The essay then discusses the policy pitfalls such distinctions can create for Section 230 reform.



Regulators might make size-based regulatory distinctions: (1) to target bigger producers of social harm; (2) to reduce barriers for new market entrants; or (3) because it feels fairer.

Social Harm. Social harm may scale with entity size.9 If so, curbing the harms caused by larger entities may provide the best cost-benefit return from the regulatory efforts — especially in consolidated markets.10

Entry Barriers. Incumbents may be able to afford compliance costs better than new entrants11 due to their greater economies of scale (such as have an existing team of compliance personnel),12 better access to capital, or greater profitability. In contrast, higher compliance costs increase the capital required to enter the market and make it harder for new entrants to achieve profitability.13 Thus, giving compliance breaks to new entrants can have pro-competitive benefits.

Fairness. When there are large profit or size disparities among competitors, it may not feel fair to treat them equally. It’s analogous to progressive tax schemes that impose higher tax rates on wealthier subjects.



This part discusses how regulators might configure size-based distinctions for Internet services. As the prior part showed, there are different motivations for making such distinctions, which means that there is no single optimal configuration. It depends on what regulators are trying to accomplish. Furthermore, this part will identify some traps and pitfalls regulators face when drafting these provisions.

A. Metric Options

This subpart looks at five alternatives to measure the “size” of Internet enterprises:

  1. Enterprise Age. A regulation could distinguish between enterprises based on their age. For example, Article 17 of the E.U. Copyright Directive provides favorable regulatory treatment for “new online content-sharing service providers” that are less than three years old.14 Age-based distinctions rely on the dubious stereotype that businesses become better-positioned to comply with regulations over time. However, a new corporate spinout can be massive; while many businesses (especially family businesses) can successfully remain small for years or decades without increasing their capacity to handle onerous regulations.
  2. Employees. Employee headcount is a common way to measure entity size. Headcount typically grows along with other size metrics like consumer demand, revenue, and market cap, and it’s comparatively easy to track and report. However, employee headcounts are not a great way to measure Internet services. First, Internet services do not necessarily add employees in proportion to usage. Operating “at scale” implies that the enterprise can handle increased consumer demand without concomitant growth in the number of employees.15 Second, some services (such as Wikipedia and Reddit) principally delegate content moderation to their user community, which enables them to leverage a small employee base. Third, Internet services can rely on business process outsourcers (“BPOs”) for labor-intensive tasks like content moderation,16 which artificially lowers their employee headcount.
  3. Market Capitalization. Market capitalization (“market cap”) is the total value of a company’s outstanding stock. It’s a commonly used metric for the size of publicly traded companies, though it’s less reliable for private companies because their stock prices aren’t set by a “market.” Market capitalization reflects investors’ predictions about the company’s future profitability, so it can change rapidly as investors revise their estimates based on new information. Further, small high-growth entrants can have higher market caps than mature industry giants.17 For these reasons, it’s not a great proxy for Internet service size.
  4. Revenues. Revenues (called “turnover” in Europe) are another common metric for measuring enterprise size. Higher revenues suggest that the enterprise has achieved greater economies of scale. Also, revenues are (imperfectly) correlated with profits, which signal the enterprise’s capacity to bear compliance costs. As an added advantage of this metric, public companies publish audited financial statements, including their revenues (though private companies don’t).
  5. Consumer Usage. Consumer usage is another way to measure Internet service size. Some of the most common consumer usage metrics include:
  • Users / Site Visitors / Monthly Active Users (MAU). There are several ways to measure the number of “eyeballs” exposed to the service18 Users/visitors can be measured as a cumulative all-time total or over a specified time period. A popular metric, MAU, describes “the number of unique customers who interacted with a product or service of a company within a month.”19 However, each service defines MAU a little differently.20 For these reasons, regulators using the terms “user,” “visitor,” or “MAU” need to precisely define those terms, including how to compute them.
  • Registered Accounts / Subscribers. For paywalled or subscription services, paid subscribers is a critical metric. Account registrations are a key number for services requiring registration before user-to-user engagement, but account numbers can be distorted by bots,21 spam accounts, and abandoned accounts.
  • Page Views / Page Impressions. A page view occurs each time a web page is viewed, a so it’s a good way of measuring readership; and ad-supported services routinely use “ad views”/“ad impressions” to measure payment obligation.22

B. Designing Appropriate Metrics

So which metric(s) should regulators adopt? There’s no ideal answer. Each metric measures different things and poses unique measurement challenges. Creating sensible size-based metrics for Internet services requires careful statutory drafting and a candid assessment of potential unintended outcomes. Some questions that regulators need to resolve:

  1. Is the Metric Published & Audited? Audited and published data provides the most reliable foundation for size-based metrics. Unaudited and unpublished data are less credible. Note that most usage metrics are unaudited and unpublished.23 Worse, each service computes their own usage metrics using proprietary formulae. For example, each service decides how to handle possibly inauthentic activity (such as bot engagement), which makes it hard to compare numbers across services and creates opportunities to game the numbers. Regulators could require Internet services to audit and publish their metrics, but regulators must supply precise definitions and specify the auditing method; plus the associated costs will hurt some services.
  2. What Constitutes the “Service”? Some metrics, like revenues and market cap, are typically measured, audited, and reported at the corporate level. Other metrics, like usage, are typically measured by domain name (or within-app). Regulators need to specify the service’s boundaries. For example, with respect to Alphabet, do the metrics apply to its corporate structure, service name (e.g. “Gmail” or “Google Search”), second-level domain name (e.g. “”), third-level domain name (e.g., or something else?

To avoid false positives, regulators should evaluate their “service” definition against a “test suite” that includes a diverse mix of Internet enterprises.24 Some examples to consider:

  • Enterprises may offer a UGC complement to their core offerings, such as retailers who accept consumer reviews on items they sell. These enterprises’ revenue and usage will reflect the non-UGC activity, making the enterprises appear large even if their UGC activity is quite small. In those circumstances, the enterprise may nix its UGC functionality in the face of costly regulation.
  • For example, traditional publishers like the New York Times may allow user comments but derive most of their revenues/profits from their editorial content, not UGC. Miscalibrated “service” definitions will prompt these enterprises to eliminate their UGC.
  • Wikimedia operates one of the most popular websites, but it has trivial revenues25 and a surprisingly small full-time staff.26 A usage-based metric may treat Wikimedia as a large service, even if it can’t bear the associated costs.

Regulators sometimes impose geographic qualifications on the designated metrics. For example, a state legislature might seek to measure activity only within its state. Unfortunately, services often cannot tell exactly where online activity takes place, especially with respect to sub-national borders;27 and they may not publish or audit their data based on that geographic boundary. Thus, geographic qualifications often exacerbate the metric’s unreliability.

  1. What is the Measurement Time Period? Regulators need to specify the measurement time. Employee headcount, market cap, and account registrations can be measured as snapshots. Revenue and other usage activity are measured over periods that need to be specified.

Shorter measurement periods are subject to greater volatility. For example, Internet services may experience seasonality (such as higher revenues or traffic during the holidays), non-repeating viral successes that lead to short-term spikes in usage/revenue,28 and short-term changes due to search engine algorithm updates. To smooth out this volatility, any metrics should be measured over sufficiently long time periods and averaged over multiple measurement periods. For example, MAUs should be averaged over at least twelve months to smooth out seasonality and viral spikes.

When a service initially crosses the applicable statutory threshold, it should be given a phase-in period for compliance. Otherwise, to avoid being non-compliant immediately upon reaching the threshold, the service must comply anticipatorily (and bear the associated costs) before they are legally required to do so. But if the service never actually reaches the threshold, those steps were never required at all.

  1. How Should Metrics Be Combined? To smooth out volatility and reduce false positives, any size-based regulatory distinction should rely on multiple metrics, such as both revenue and usage measures, so that compliance requirements only apply when the service meets all of the metrics.



Part I showed that size-based distinctions can make sense, but not when the underlying policy is bad.29 Good policy ideas should apply to all enterprises, regardless of size; bad policy ideas should be ditched rather than imposed only on large enterprises. With respect to Section 230, adding a new size-based distinction would increase adjudication costs, drive large services to make socially disadvantageous choices, and encourage unwanted countermoves.

A. Increased Adjudication Costs

Courts frequently grant early dismissals in Section 230 cases.30 These early dismissals promote free speech online by reducing defendants’ defense costs.31 Size-based distinctions in Section 230 would add another contestable element to Section 230 defenses. In some cases, especially when the metric isn’t subject to judicial notice, this new element would block motions to dismiss, increase defense costs,32 and undermine Section 230’s speech-enhancing function.

B. Services Without Section 230 Immunity Will Make Socially Disadvantageous Choices

Internet services, large and small, without Section 230 immunity will choose among three options:33

  • Option #1: aggressively moderate user content to reduce the liability risk. This raises the service’s costs in two ways. First, services will spend more to moderate content, plus it will cost more to do legal research/compliance (especially when facing exposure to heterogeneous state laws).34 Second, because they can’t moderate content perfectly,35 services will incur sizable legal defense costs and damages awards for their “mistakes.” To ameliorate these risks, these services will overremove socially beneficial content.36
  • Option #2: conduct minimal content moderation efforts with the hope that not moderating content will disqualify the service’s scienter and ultimate liability. The law supporting this approach is untested and probably won’t work. Worse, when services do less socially valuable content moderation work, trolls and spammers overrun their services. That drives away legitimate users and advertisers and accelerates their demise.37
  • Option #3: exit the industry because the other options aren’t profitable. Those services might swap in professionally produced content for UGC, which could change the nature of the Internet.38

Many regulators assume that, without Section 230, large services will invest more resources in content moderation and do a better job of it. Services might choose that route if they can afford it, but their overremovals will still hurt the community. Services that can’t afford option #1 will make choices that also hurt the community.

C. Unwanted Countermoves

To avoid the regulatory burdens, Internet services may make countermoves before reaching the statutory threshold.39 One countermove would be to “break up” the service to stay below the threshold. If the metric is corporate revenue, the service could split into multiple subsidiaries. If the metric is traffic measured by domain name, the service could shift to multiple domain names. These moves may undermine the service’s economies of scale and increase transactions costs.40

Another countermove would be to combine with other enterprises to achieve greater economies of scale.41 For example, a service below the statutory threshold might sell to an existing incumbent that has already implemented the required compliance mechanisms. Those combinations would remove competitors from the marketplace and reduce overall industry competition.42

Other possible countermoves: If the metric is based on employee headcount, services might use BPOs more extensively, which could be deleterious to workers43 and increase offshoring to cheaper labor markets. If the metric depends on consumer or geographic usage, services might collect additional user data that exacerbates privacy concerns.

The point is that regulators need to contemplate the services’ possible countermoves and how those moves could harm consumers, workers, marketplace competition,44 and society generally.



Many regulators assume that Section 230 originally sought to foster the nascent commercial Internet. With the Internet’s maturation and the emergence of Internet giants, that concern seemingly has evaporated.45 But since the beginning, Section 230 was designed to promote content moderation by all services, regardless of size.46 Section 230’s co-authors explained (emphasis added):47

Section 230…was designed to address the obviously growing problem of individual web portals being overwhelmed with user-created content. This is not a problem the internet will ever grow out of; as internet usage and content creation continue to grow, the problem grows ever bigger. Far from wishing to offer protection to an infant industry, our legislative aim was to recognize the sheer implausibility of requiring each website to monitor all of the user-created content that crossed its portal each day.

Critics of Section 230 point out the significant differences between the internet of 1996 and today. Those differences, however, are not unanticipated. When we wrote the law, we believed the internet of the future was going to be a very vibrant and extraordinary opportunity for people to become educated about innumerable subjects, from health care to technological innovation to their own fields of employment…

The march of technology and the profusion of e-commerce business models over the last two decades represent precisely the kind of progress that Congress in 1996 hoped would follow from Section 230’s protections for speech on the internet and for the websites that host it. The increase in user-created content in the years since then is both a desired result of the certainty the law provides, and further reason that the law is needed more than ever in today’s environment….

In the 1990s, when internet traffic was measured in the tens of millions, the implausibility of holding websites responsible for monitoring all of the user-created content they hosted was already apparent. Today, in the third decade of the 21st century, when billions of content creators are publishing their words, data, sounds, and images on some 200 million active websites, the reason for protecting websites from liability for other people’s content is more abundantly clear than ever.

The fact that Section 230 was designed to grow with the Internet provides a cautionary warning to any regulators contemplating making size-based regulatory distinctions among Internet services. Good regulatory policy like Section 230 makes sense for enterprises at all stages of the corporate life cycle. In contrast, hardwiring size-based limits into Section 230 undermines Section 230’s core policy payoffs to the detriment of all of us.

1 Eric Goldman is Associate Dean for Research, Professor of Law, and Co-Director of the High Tech Law Institute, Santa Clara University School of Law. Jess Miers graduated from Santa Clara University School of Law in 2021 and works at Google as a Government Affairs & Public Policy analyst. All opinions shared are her own and do not represent her previous or current employers. Thanks to Evan Engstrom, Daphne Keller, Jeff Kosseff, and Irina Raicu for their comments.

2 47 U.S.C. § 230.

3 See Eric Goldman, An Overview of the United States’ Section 230 Internet Immunity, The Oxford Handbook of Online Intermediary Liability 155 (Giancarlo Frosio, ed. 2020).

4 For example, in late 1995, industry leader America Online had a $4B market capitalization. At its April 1996 IPO, leading Internet directory Yahoo had a market capitalization under $1B. Wayne Duggan, This Day in Market History: The Yahoo! IPO, Benzinga, Apr. 12, 2021,

5 See Anupam Chander, How Law Made Silicon Valley, 63 Emory L.J. 639 (2014).

6 Two examples:

  • A bill would scale back Section 230 in specified circumstances except for services with “10,000,000 or fewer unique monthly visitors or users for not fewer than three of the preceding 12 months.” Protecting Americans from Dangerous Algorithms Act, H.R. 2154 (117th Cong. 2021), §2(C).
  • A bill would restrict Section 230 in some cases for “edge providers” with 30M+ U.S. users (or 300M+ users worldwide) and $1.5B+ in global revenue. Limiting Section 230 Immunity to Good Samaritans Act, H.R. 277 (117th Cong. 2021).

7 E.g. Platform Accountability and Consumer Transparency Act, S. 797 (117th Cong. 2021), §23(6) (imposing duties on Internet services with 1M+ unique monthly visitors and revenues of $50M+).

8 See, e.g. Florida SB 7072 (501.2041(g)), defining a “social media platform” as services with over $100M of annual revenues or “100 million monthly individual platform participants globally.” (As will be clear from Part II(A)(5) infra, the term “individual platform participants” is incoherent). State laws regulating Internet services may violate the Constitution or Section 230, but those concerns aren’t slowing many legislatures down.

9 C. Steven Bradford, Does Size Matter? An Economic Analysis of Small Business Exemptions from Regulation, 8 J. Small & Emerging Business L. 1 (2004).

10 The proposed EU Digital Services Act explains: “Very large online platforms may cause societal risks, different in scope and impact from those caused by smaller platforms. Once the number of recipients of a platform reaches a significant share of the Union population, the systemic risks the platform poses have a disproportionately negative impact in the Union.” Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC, Recital 54,

11 Bradford, supra note 9.

12 Id. at 11.

13 Higher capital requirements also dilute the entrepreneurs’ equity stakes, undercutting their personal risk-reward calculus.

14 Article 17, §6, Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC, This favorable treatment only applies when the entities also have less than €10M in annual revenues.

15 Internet entrepreneurs often aspire to build a service that can scale by “just adding servers.”

16 For example, Facebook’s BPOs have included Accenture, Arvato, CCC, Cognizant, CPL, Genpact, SamaSource, Teledirect, Telus, and Voxpro. See generally Justin Ofosky, Our Commitment to Our Content Reviewers, Facebook Newsroom, Feb. 25, 2019,

17 E.g. Michael Wayland & Lora Kolodny, Tesla’s Market Cap Tops the 9 Largest Automakers Combined — Experts Disagree About if That Can Last, CNBC, Dec. 14, 2020,

18 “User” and “visitor” are usually synonyms.

19 Monthly Active Users, Corporate Finance Institute (CFI),

20 Facebook’s MAU definition: a “registered active user who logged in and visited Facebook through the website, mobile app, or Messenger application in the last 30 days as of the date of measurement.” Twitter’s MAU definition: a “Twitter user who logged in or were otherwise authenticated and accessed Twitter through the website, mobile website, desktop or mobile applications, SMS, or registered third-party applications or websites in the 30-day period ending on the date of measurement.” Id.

21 For example, 10%+ of online Old School RuneScape players may be bots. OSRS is Over 70% of Total RS3/OSRS Players, GameFAQs,

22 Rebecca Tushnet & Eric Goldman, Advertising Law: Cases & Materials, ch. 17 (5th ed. 2020). A single pageview can generate multiple ad views/impressions when the page contains multiple ads.

23 With the possible exception of ad-related metrics. See Standards, Guidelines & Best Practices > Measurement, Interactive Advertising Bureau,

24 Mike Masnick, The Internet Is Not Just Facebook, Google & Twitter: Creating A ‘Test Suite’ For Your Great Idea To Regulate The Internet, Techdirt, Mar. 18, 2021,

25 In FY 2019-20, Wikimedia received $120M in donations/contributions and had other income of about $9M. Wikimedia Foundation Inc. Financial Statements, June 30, 2020 and 2019,

26 Wikimedia had about 250 employees, plus another 120 contractors, as of April 18, 2021. Wikimedia Foundation Staff and Contractors, Wikimedia,

27 Eric Goldman, Internet Law: Cases & Materials, ch. 1 (2020).

28 For example, the pandemic provided possibly non-permanent boosts to services like Zoom.

29 Bradford, supra note 9, at 25-29.

30 Eric Goldman & Jess Miers, Online Account Terminations and Content Removals, 1 J. Free Speech L. __ (forthcoming 2021) [hereinafter Goldman & Miers, Terminations/Removals]; see also David S. Ardia, Free Speech Savior or Shield for Scoundrels: An Empirical Study of Intermediary Immunity under Section 230 of the Communications Decency Act, 43 Loy. L.A. L. Rev. 373 (2010).

31 Eric Goldman, Why Section 230 Is Better Than the First Amendment, 95 Notre Dame L. Rev. Reflection 34 (2019).

32 A Section 230 case with discovery can cost $100,000+. Evan Engstrom, Primer: Value of Section 230, Engine, Jan. 31, 2019,

33 This choice is sometimes called the “moderator’s dilemma.” Eric Goldman, Internet Immunity and the Freedom to Code, 62 Comm. ACM 22 (2019).

34 Bradford, supra note 9, at 8 (discussing the “information costs” of regulation).

35 Eric Goldman & Jess Miers, Why Can’t Internet Companies Stop Awful Content?, Ars Technica, Nov. 27, 2019,

36 Eric Goldman, The U.K. Online Harms White Paper and the Internet’s Cable-ized Future, 16 Ohio State Tech. L.J. 351 (2020) [hereinafter Goldman, Cable-ized Future].

37 Goldman & Miers, Terminations/Removals, supra note 30.

38 Goldman, Cable-ized Future, supra note 36.

39 Bradford, supra note 9, at 22.

40 Many people would be thrilled to see “Big Tech” break itself up. However, threshold-induced breakups don’t necessarily spur greater competition or increase the number of competitors.

41 Bradford, supra note 9, at 23.

42 Mark A. Lemley & Andrew McCreary, Exit Strategy, 101 B.U. L. Rev. 1 (2021).

43 E.g. Casey Newton, The Trauma Floor: The Secret Lives of Facebook Moderators in America, Verge, Feb. 25, 2019,; Casey Newton, Bodies in Seats, Verge, June 19, 2019,

44 Bradford, supra note 9, at 22-23.

45 E.g. Fair Housing Council of San Fernando Valley v., LLC, 521 F.3d 1157 n.39 (9th Cir. 2008) (“the Internet has outgrown its swaddling clothes and no longer needs to be so gently coddled”) (en banc majority opinion by Judge Kozinski).

46 See Cathy Gellis, Is Section 230 Just For Start-ups? History Says Nope, Techdirt, Feb. 18, 2021,

47 Reply Comments of Co-Authors of Section 230 of the Communications Act of 1934, In the Matter of National Telecommunications and Information Administration Petition for Rulemaking to Clarify Provisions of Section 230 of the Communications Act of 1934, RM-11862, Federal Comm. Comm’n, Sept. 17, 2020,