A litigation boutique based in Oakland, California, representing plaintiffs and defendants in complex civil litigation.
DMCA Section 1201 Claims: The New Battleground for AI and Data Scraping Litigation
By Jo Levy and Hayley Landman
Companies that scrape publicly available web data face a new legal threat. Recently, the battle over the right to use public web data to train AI models has shifted from copyright infringement cases to lawsuits alleging violations of Section 1201 of the Digital Millennium Copyright Act (the DMCA). Section 1201(a)(1)(A) prohibits persons from circumventing a technological protection measure or “TPM” that “effectively controls access” to a copyrighted work, an act described by Congress as “the electronic equivalent of breaking into a locked room in order to obtain a copy of a book.” Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 294 at 316 (2000) (quoting H.R. Rep. no. 105-551 at 17 (1998)).
As of May 2026, more than twenty lawsuits have been filed asserting that defendants violated Section 1201 when they used automated tools to access and download YouTube videos and other web data. They allege that YouTube’s platform contains technological measures that identify bots and prevent them from accessing and downloading video files. Several defendants have filed responsive pleadings asserting that YouTube’s features are not technological measures that “effectively control access” to copyrighted works because the videos are accessible to anyone to view online and, with minimal effort, also accessible to download. Although many of the cases are still at an early stage, several key issues have emerged.
1. Is There a Technological Protection Measure?
The threshold issue for every case is whether the complaint has adequately alleged a TPM, yet Section 1201 does not define the term “technological protection measure.” Instead, Section 1201(a)(3)(B) provides that a “technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” A case in the Second Circuit Court of Appeals may soon shed more light on this question. In Yout, LLC v. Recording Industry Association of America, Inc., 633 F. Supp. 3d 650 (D. Conn. 2022), appeal docketed 22-2760 (2d Cir.), the Recording Industry Association of America sent a cease-and-desist letter to Yout, a company that provided software for stream-ripping YouTube. Yout sought a declaratory judgment that it was not violating the DMCA.
In dismissing Yout’s complaint, the district court defined “technological measure” as a measure that “controls access” to a copyrighted work, reasoning that a technological measure must encompass a broader range of measures than an “effective” measure. The court then concluded that YouTube’s platform contained an effective access control based on the lack of a download button on the YouTube screen, language in YouTube’s terms of service asserting that its platform contains features that restrict users to streaming content, and inferences the court drew from Yout’s description of how individual users can download entire audio or video files using an ordinary Chrome browser. The court concluded that, to download video files, a user has to modify a “range=” value, which the court inferred was a “‘signature value’ without which there is no stream.” Yout at 669. On appeal, Yout and several amici argued that the absence of a download button is not relevant to whether a technological measure is present, that the court conflated access controls and copy controls, and that the court’s reasoning would threaten a large number of beneficial software tools which operate in a similar manner.
More recently filed cases allege that YouTube’s platform uses a “rolling cipher” technology that defendants circumvented. Several courts have found allegations of rolling-cipher technology sufficient to support a Section 1201 claim, leaving the ultimate determination to a later stage of the case. See Sony Music Entertainment v. Uncharted Labs, Inc., 2026 WL 1019199 (S.D.N.Y. Apr. 15, 2026); Cordova v. Huneault, 2026 WL 184598, at (N.D. Cal. Jan. 23, 2026).
2. Distinguishing Access Control from Copy Control
Section 1201(a) targets measures that control access to a protected work, not measures that prevent copying one. The distinction is significant for parties accused of scraping YouTube in violation of the DMCA. In Hattler v. Ashton, 2017 WL 11634742, at *8 (C.D. Cal. Apr. 20, 2017), the court explained that “where § 1201(a)(1) refers to technological measure that control ‘access’ to a protected work, that section should be interpreted narrowly to exclude technologies that permit access to copyrighted work, but restrict copying.” Several of the amici briefs in the Yout appeal and pending district court motions to dismiss DMCA claims argue that the alleged measures are not access controls because YouTube allows users to freely view the videos and only restricts users’ ability to download the files. Instead, they contend the measures are copy controls, the circumvention of which is not actionable under Section 1201(a). Plaintiffs counter that a technological measure such as YouTube’s rolling cipher can be both an access control and a copy control.
3. Did the Defendant Circumvent an Effective Control?
Another key issue relates to whether the defendant’s conduct circumvented an effective control. Section 1201(a)(3)(B) of the DMCA provides that a TPM “effectively controls” access if “the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.”
In describing what constitutes an effective control, the Sixth Circuit, in Lexmark Int’l, Inc. v. Static Control Components, Inc., 387 F.3d 522 (6th Cir. 2004), declined to find an effective access control where the measure prevented one method of access but allowed another, analogizing the measure to a lock on the front door of a building while leaving the back door open.
The Ninth Circuit, in MDY Indus. v. Blizzard Ent., Inc., 629 F.3d 928, 953 (9th Cir. 2010), adopted Lexmark’s analogy to a house with a lock on the front door but an open back door: “[T]he DMCA not only requires the technological measure to ‘control access’ but requires the measure to control that access ‘effectively’ . . . this provision does not naturally extend to a technological measure that restricts one form of access but leaves another route wide open.” In that case, MDY sought a declaratory judgement that its software program, which automatically played the early levels of World of Warcraft (WoW) for players, did not circumvent an anti-cheat technology Blizzard deployed to detect and prevent bots from playing WoW. The court held that Blizzard effectively controlled access to certain elements of WoW that resided on Blizzard’s server because its anti-cheat technology required “application of information or a process or treatment” to gain access to those elements of the game but did not violate 1201 with respect to other elements of WoW that MDY’s technology could access without interacting with Blizzard’s anti-cheat technology.
In Ziff Davis, Inc. v. OpenAI, Inc., No. 1:25-cv-04315-SHS-OTW (S.D.N.Y.), the court dismissed a DMCA claim based on failure to follow a robots.txt instruction because robots.txt files (machine-readable code that can be used to instruct some or all bots not to access certain areas within the website) “do not ‘effectively control’ access to that content any more than a sign requesting that visitors ‘keep off the grass’ effectively controls access to a lawn.”
Other courts have adopted a broader approach. In Ticketmaster v. RMG, 507 F. Supp. 2d 1096 (C.D. Cal. 2007), the court held that CAPTCHA can constitute a TPM because the ordinary course of its operation requires the application of information to gain access to the work in a way that prevents automated access. That is, the court concluded that CAPTCHA was an effective control because (at least at the time of its decision) bots were not able to complete CAPTCHAs. Time will tell if, as technology changes and bots and AI agents can more readily complete CAPTCHAs, future courts will follow Ticketmaster’s finding that such measures are “effective” controls.
Recently filed cases also allege that common scraping techniques, such as rotating IP addresses, constitute circumvention of a technological measure because they are used by website operators to block all bots from accessing the site. Defendants are likely to argue that rotating IPs, like CAPTCHA, are not TPMs because they are not implemented by copyright owners to control access to protected works. Rather, they are implemented by website owners to block all bots from accessing any part of a website, even parts that do not contain copyrighted works. How courts resolve the rotating-IP question may ultimately turn on the same threshold issue raised above: whether a general-purpose security tool not specifically implemented for copyright protection qualifies as a TPM.
We will continue to track developments in these and other cases alleging DMCA Section 1201 violations. For the latest updates, bookmark our Norton Law Firm DMCA Tracker.