This post is the third in a series following Sony Music Entertainment v. Cox Communications through the courts. In May 2024 I wrote about the Fourth Circuit’s decision, which reversed a $1 billion jury verdict against Cox on vicarious liability grounds while affirming a finding of contributory infringement, and sent the case back for a new trial on damages. Last November, when the Supreme Court agreed to hear Cox’s appeal, I warned that the stakes extended far beyond the parties themselves. On March 25, 2026, the Supreme Court brought the saga to a close, reversing the contributory infringement ruling and handing Cox a complete victory. But the real story here isn’t the billion dollars, or even Cox’s vindication. It’s what this decision does to the Digital Millennium Copyright Act (the “DMCA”).
Writing for a 7-2 majority, Justice Thomas held that an internet service provider (“ISP”) does not commit contributory copyright infringement merely by continuing to provide internet access to subscribers it knows have been identified as repeat infringers. The Court’s ruling rests on a straightforward principle: contributory liability requires either that the provider induced infringement through affirmative acts, or that it offered a service tailored to infringement – one incapable of substantial non-infringing use. Cox did neither. It sold broadband internet access, a service with countless lawful uses, and it never encouraged its customers to pirate music. That, said the Court, is the end of the matter. And in reaching that conclusion, the Supreme Court may have given every online service provider a reason to ask a very uncomfortable question: why bother complying with the DMCA at all?
To understand why this decision carries such sweeping implications, you need to understand how Cox ended up outside the DMCA’s safe harbor in the first place. As I explained in my earlier posts, the DMCA provides ISPs with powerful protection against secondary copyright liability. However, that protection comes with conditions. To qualify, a provider must adopt and reasonably implement a policy that terminates subscribers who are repeat infringers. This is not a technicality. It is the cornerstone of the bargain Congress struck in 1998: providers are granted a safe harbor if – and only if – they take meaningful steps to address chronic infringers on their networks.
Cox blew that bargain. In an earlier case, BMG Rights Management v. Cox (4th Cir. 2018), the Fourth Circuit found that Cox had a repeat infringer policy on paper but didn’t enforce it. Internal emails showed that Cox employees routinely reinstated known infringers rather than terminating them, prioritizing subscription revenue over copyright compliance. That finding disqualified Cox from DMCA safe harbor protection for the entire period covered by the Sony lawsuit. As a result, the Sony case was litigated entirely outside the DMCA framework, under the older judge-made doctrines of contributory and vicarious infringement. And it is precisely because Cox was stripped of DMCA protection – and still won – that this decision poses such a profound threat to the statute Congress carefully crafted almost three decades ago.
Which brings us to the uncomfortable question this decision raises for the entire online copyright enforcement regime. The DMCA is, at its core, a takedown statute. It was designed around a carefully constructed system of incentives and obligations: providers must adopt and implement repeat infringer policies, respond expeditiously to takedown notices, and act on “red flag” knowledge – that is, cases where infringement is obvious even without a formal notice. Comply with those requirements and you earn safe harbor protection. Ignore them, as Cox did, and you face secondary liability. That was the stick that was supposed to keep providers in line. The Supreme Court has just knocked it out of copyright holders’ hands.
After Sony v. Cox, the calculus has fundamentally changed – not just for the repeat infringer requirement, but for the entire DMCA compliance regime. Consider what this decision actually means in practice. A provider that ignores takedown notices faces no contributory liability, as long as it isn’t actively promoting infringement. A provider with clear “red flag” knowledge of specific infringing content – the court-made doctrine developed in cases like Capitol Records v. Vimeo – can apparently look the other way without consequence.
In a concurring opinion Justice Sotomayor makes exactly this point: after the majority’s decision, ISPs “no longer face any realistic probability of secondary liability for copyright infringement, regardless of whether they take steps to address infringement on their networks and regardless of what they know about their users’ activity.” She went further, noting that Cox’s own counsel conceded at oral argument that under the majority’s rule the DMCA safe harbor provision would not “do anything at all” going forward. That is a remarkable admission – and a remarkable thing for a Supreme Court decision to leave standing without serious engagement from the majority. Sotomayor’s conclusion is worth sitting with: Congress enacted the DMCA safe harbor as part of a carefully balanced incentive structure, premised on the assumption that providers faced real exposure if they didn’t comply. The majority, she wrote, has consigned that structure to obsolescence.
The irony of Sony v. Cox is that it was Cox’s own bad behavior – its cynical, revenue-driven failure to implement a meaningful repeat infringer policy – that put the case outside the DMCA framework and forced the Court to confront the outer limits of common law secondary liability. Had Cox simply complied with the statute, the case would never have raised these questions. But the Supreme Court, in ruling for Cox on the broadest possible grounds, has handed every online provider a roadmap that leads to the same destination without any of the effort: don’t induce infringement, don’t tailor your service to it, and you are free to ignore takedown notices, red flag knowledge, and repeat infringer policies alike. Justice Sotomayor is right that Congress did not enact the DMCA just so the Supreme Court could eviscerate it. But eviscerate it the Court has – and unless Congress acts to restore the incentive structure it so carefully built in 1998, the question in this post’s title – why bother with the DMCA? – will increasingly answer itself.