Introduction

Insight: The passage of the Take It Down Act repositions civil liability as a primary engine of online accountability, breaking the long-standing federal preemption shield of Section 230.

The Take It Down Act, signed into law by President Trump in May 2025, carved out a landmark exception to Section 230 of the Communications Decency Act. By stripping immunity from online platforms that fail to remove flagged explicit images of minors within a mandated timeframe, the Act marked a turning point in the legal architecture of internet governance. More than just a statutory tweak, it signaled the emergence of a new phase in U.S. digital policy—one where civil liability, victim-centric remedies, and proactive governance are no longer theoretical but operational. This shift has direct implications for state-level digital safety laws, particularly Washington State's 2023 anti-doxxing statute and its retooled cyber harassment statute under RCW 9A.90.120.

I. The Take It Down Act: A Federal Signal of Change

Insight: By linking platform immunity to proactive content removal, the Act replaces blanket protection with conditional compliance—effectively redrawing the boundary of platform responsibility.

The Take It Down Act addresses the unique vulnerability of minors subjected to non-consensual intimate image distribution. By conditioning platform immunity on timely takedown compliance, it reframes Section 230 not as a blanket shield, but as a contingent privilege. This statutory innovation opens the door for states to design civil and criminal remedies tailored to specific digital harms—without being preempted.

Key features of the Act:

• Platforms must remove flagged images within 48 hours or lose immunity.

• Victims (or guardians) can submit removal requests via a centralized intake system.

• The Act preserves legitimate journalistic and educational use, carving nuanced exceptions.

This design suggests that liability risk is no longer a federal firewall. States now have clearer pathways to enforce accountability, particularly through doctrines of concurrent jurisdiction and federal deference to state tort law when federal immunity is removed, as exemplified by analogous frameworks in defamation and consumer protection around personal data misuse, harassment, and digital targeting—especially if they tailor laws to mirror the Act’s reasonableness and specificity.

II. Washington State’s 2023 Anti-Doxxing Law

Insight: Washington’s law sets a precedent by targeting recklessness, not just intent—lowering the burden for victims and strengthening enforceability in digital harassment cases.

Washington State passed one of the nation’s most expansive anti-doxxing statutes in mid-2023. Under the law:

• Victims can sue for up to $5,000 per violation plus actual damages and legal fees.

• Liability attaches when a person discloses personally identifiable information online with the intent—or reckless disregard—to cause harm.

• Exceptions exist for journalistic activities and constitutionally protected expression.

This statute aligns conceptually with the Take It Down Act in three ways:

1. Civil Liability with Teeth – It empowers victims directly.

2. Recklessness Standard – It targets behavior without needing malicious intent.

3. Digital Platform Role – While it doesn’t impose duties on platforms, it increases the risk landscape for those who allow harmful disclosures to persist.

The implication: as federal norms shift toward conditional immunity, state laws like Washington’s become more enforceable and less vulnerable to First Amendment or preemption challenges, particularly when statutes are content-neutral, narrowly tailored, and aligned with compelling government interests, as required under the constitutional framework established in cases like Reed v. Town of Gilbert and United States v. Alvarez. Plaintiffs have greater latitude to argue that digital harm deserves civil redress even in traditionally protected zones of speech.

III. RCW 9A.90.120 – Cyber Harassment Redefined

Insight: RCW 9A.90.120’s emphasis on content, frequency, and impact reshapes criminal thresholds for digital abuse, especially for threats against public servants or repeat victims.

Washington’s cyber harassment statute, revised after the earlier law was struck down for overbreadth, is now codified as RCW 9A.90.120. The law criminalizes electronic communication meant to harass, intimidate, or threaten, especially when it:

• Uses lewd or obscene content,

• Is anonymous or repeated,

• Contains threats of bodily harm or property damage.

The law escalates to a felony if threats involve public officials, repeat victims, or protective order violations. Like the anti-doxxing law, it also includes eligibility for the Address Confidentiality Program to shield victims’ contact information.

In a post–Take It Down context, RCW 9A.90.120 stands to benefit in legitimacy and enforceability:

• Precedent Rebalancing: The federal exception creates space for more aggressive state enforcement without running afoul of First Amendment doctrine.

• Civic Protection Argument: By aligning legal goals with the Take It Down Act (safeguarding vulnerable populations from digitally enabled harm), the state can frame the law as reinforcing—not limiting—democratic participation.

IV. Educational Platforms and Institutional Risk

Insight: The Act extends legal duty-of-care to educational tech environments, forcing schools to adopt the same content governance norms expected of private platforms.

Public school systems are not insulated from the ripple effects of the Take It Down Act. While originally aimed at commercial platforms, the law’s operational language covers any digital service that hosts user-uploaded content accessible to a defined group—including platforms like Microsoft Teams, Google Classroom, or school-managed Discord channels.

Why it matters:

• If explicit imagery involving a minor is shared through a school’s digital communication platform and not promptly removed, the school or district could potentially face liability, though this would depend on how courts interpret the applicability of educational exceptions, sovereign immunity doctrines, and distinctions between commercial and institutional platforms.

• The 48-hour takedown clock applies regardless of whether the platform is educational, private, or public.

Implications for schools:

• They must build or refine takedown protocols.

• Train staff, IT administrators, and legal departments on compliance.

• Consider technical safeguards like content filters or reporting triggers.

Most critically, the Act signals a shift in how digital harms are regulated—public schools are now subject to the same duties of care as major platforms, and must be prepared to act swiftly and transparently when violations occur.

V. Private Schools and Parallel Exposure

Insight: Without sovereign immunity, private schools face even greater exposure under the Act, necessitating policies that rival public sector diligence in digital content moderation.

While public schools face liability under the Take It Down Act, private schools are equally exposed if they operate digital platforms accessible to students and staff. The law’s scope does not hinge on public status; rather, it targets any service that:

• Enables user content sharing,

• Is open to a designated group (like enrolled students), and

• Fails to remove flagged minor-related content within 48 hours.

Private institutions must:

• Train personnel in rapid content takedown,

• Review platform agreements for compliance guarantees,

• Implement policies mirroring public standards of care.

Unlike public districts, private schools do not have sovereign immunity, which could make them even more vulnerable to lawsuits and reputational damage under the Act.

VI. Conclusion: Post-Platform Lawmaking

Insight: Federal and state convergence around conditional liability frameworks suggests the emergence of a new civic model for regulating digital harm, rooted in enforceable care duties rather than reactive censorship.

Washington State’s anti-doxxing and cyber harassment statutes are no longer isolated state experiments. In the wake of the Take It Down Act, they form part of a larger federal-state dialogue about the limits of speech, the rights of victims, and the duties of digital intermediaries. Where Section 230 once preempted, it now signals conditions. Where civil remedies once risked chilling effects, they now seem essential to a healthy digital public sphere.

A study of these three laws reveals a common legal architecture: intent or reckless disregard, harm-centric design, and narrowly tailored enforcement channels. Taken together, they sketch a future where the architecture of online trust is shaped not by platforms alone—but by laws, victims, and communities in shared civic space.