The DMCA's four safe harbors in 17 U.S.C. § 512 are the legal scaffolding that lets the user-generated internet exist. A qualifying online service provider is shielded from monetary liability for infringement committed by its users—but the shield is earned by compliance, not granted automatically. Copyright is a strict-liability tort and statutory damages run up to $150,000 per work for willful infringement (17 U.S.C. § 504(c)), so a platform that flunks the conditions and loses the harbor is thrown back on ordinary copyright law with potentially catastrophic exposure. The bargain: immunity in exchange for a fast, self-help takedown system and a promise not to ignore piracy you actually know about.

This checklist is for providers. For the full treatment see digital millennium copyright act safe harbors for online service providers; for the notice mechanics see how to file a DMCA takedown notice and respond to one; and for the adjacent platform-liability debate see section 230 reform and platform liability for user-generated IP infringement.

Phase 1 — Clear the universal gateway requirements (§ 512(i))

  • Adopt, publish, and actually enforce a repeat-infringer policy that terminates repeat infringers in appropriate circumstances, and inform users of it (17 U.S.C. § 512(i)(1)(A)).
  • Track "strikes," apply them consistently, document terminations, and never reinstate known repeat infringers for revenue.
  • Accommodate standard technical measures and do not interfere with them (§ 512(i)(1)(B)).
  • Treat the policy as a practice, not a document.

Why this matters / traps. This is the requirement that wrecks providers. In BMG Rights Management (US) LLC v. Cox Communications, Inc., 881 F.3d 293 (4th Cir. 2018), Cox had a thirteen-strike policy on paper but reactivated terminated subscribers to keep the revenue — the court held the policy was not reasonably implemented and Cox lost the § 512(a) harbor entirely. A "repeat infringer" can be a user who repeatedly uploads or downloads copyrighted material even without knowing it was infringing (EMI Christian Music Grp. v. MP3tunes, 844 F.3d 79 (2d Cir. 2016)).

Phase 2 — Designate and maintain a registered agent

  • Register a designated agent with the U.S. Copyright Office through its electronic system (37 C.F.R. § 201.38) — required for the § 512(c) hosting and § 512(d) linking harbors (and in some cases caching).
  • Post the agent's name and contact information (physical street address, phone, email) conspicuously on your site.
  • List all alternate names the public might search (DBAs, URLs, app names); each separate legal entity must file its own designation.
  • Calendar the three-year renewal — designations lapse if not renewed (37 C.F.R. § 201.38(e)).

Why this matters / traps. A lapsed or never-renewed designation can forfeit your hosting and linking harbors. A pre-2016 paper designation not re-filed in the electronic system by the end of 2017 is invalid. This is the single most common, and most avoidable, compliance failure.

Phase 3 — Identify which harbor(s) you occupy

  • § 512(a) conduit — pure transmission/routing without storage; no agent or takedown required, but the § 512(i) repeat-infringer gateway still applies.
  • § 512(b) system caching — temporary automatic storage; honor refresh rules, access conditions, and origin-site takedowns.
  • § 512(c) storage at the direction of a user — the hosting harbor for user-uploaded content (the big one).
  • § 512(d) information location tools — search/linking; remove or disable the link, not the underlying file.
  • Recognize each harbor stands on its own (§ 512(n)); a single company may occupy more than one.

Why this matters / traps. Being a "service provider" is rarely the hard part — the conditions are. The conduit harbor uses a narrower definition of "service provider" (§ 512(k)(1)(A)) than the other three.

Phase 4 — Manage knowledge correctly (§ 512(c)/(d))

  • Do not affirmatively monitor for infringement — you have no general policing duty (17 U.S.C. § 512(m)).
  • But do not be willfully blind — you cannot deliberately avoid confirming a high probability of specific infringement (Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012)).
  • Understand that disqualifying knowledge requires awareness of specific, identifiable infringing material — actual knowledge (subjective) or red-flag knowledge (objectively apparent) — not general awareness that piracy occurs.
  • Avoid receiving a direct financial benefit from infringing activity you have the right and ability to control (both prongs must be present; § 512(c)(1)(B)) — do not let infringement become a "draw."
  • Train staff and keep internal communications clean (the Vimeo point: an employee merely seeing a video with a recognizable song is not, by itself, a red flag — Capitol Records v. Vimeo, 826 F.3d 78 (2d Cir. 2016)).

Why this matters / traps. A substantially compliant takedown notice supplies actual knowledge; a non-compliant one cannot be used to charge you with knowledge (§ 512(c)(3)(B)). Internal messages cheering infringement-driven traffic are willful-blindness evidence.

Phase 5 — Run the notice-and-counter-notice choreography by the book

  • On a compliant notice, respond expeditiously to remove or disable the identified material, and notify the affected user.
  • Decline to act on a notice that does not substantially comply (e.g., no locating information) — you do not lose the harbor for refusing a defective notice (Hendrickson v. eBay, 165 F. Supp. 2d 1082 (C.D. Cal. 2001)).
  • On a valid counter-notice, forward it to the original complainant, observe the 10-to-14-business-day window, and restore unless the complainant sues — preserving your § 512(g)(1) immunity from the uploader.
  • Do not become an editor or business partner of specific infringing content — light, purpose-based screening is fine; curating, licensing, or syndicating specific user uploads can cost you the harbor.

Why this matters / traps. Following this script lets you stay neutral and never adjudicate the merits — you shuttle documents and run timers. Good-faith takedown in compliance with the procedure shields you from suit by the uploader (§ 512(g)(1)).

Phase 6 — Keep § 512 straight from § 1201 and § 230, and watch the law

  • Do not strip rights holders' technical protection measures — that implicates the separate anti-circumvention rules of § 1201, not the safe harbors.
  • Remember Section 230 of the Communications Decency Act does not immunize intellectual-property claims (47 U.S.C. § 230(e)(2)) — § 512 is the load-bearing wall for copyright.
  • Treat cutting-edge questions — ISP termination duties, AI-generated/hosted content — as live and date-sensitive and confirm current law.

Why this matters / traps. The Cox line of cases (and the billion-dollar Sony Music Entertainment v. Cox, 93 F.4th 222 (4th Cir. 2024), since vacated on damages) shows the two-step danger: lose the harbor for an unenforced policy, then face the full force of secondary copyright liability. The contributory-liability and knowledge standards remain unsettled.

Common mistakes

  • A repeat-infringer policy on paper that is never enforced (the Cox trap).
  • A lapsed or never-renewed designated-agent registration.
  • Letting takedown notices fall into an unmonitored or changed inbox (Ellison v. Robertson, 357 F.3d 1072 (9th Cir. 2004)).
  • Reinstating known repeat infringers for revenue.
  • Monetizing or curating specific infringing content.
  • Confusing § 512 (safe harbors) with § 1201 (anti-circumvention) or § 230.

Primary authority

  • 17 U.S.C. § 512 (safe harbors (a)–(d); (i) gateway and repeat-infringer policy; (c)(3) notice; (g) counter-notice; (m) no-monitoring; (n) separate harbors); § 504(c) (statutory damages); § 1201 (anti-circumvention, distinguished).
  • 37 C.F.R. § 201.38 (electronic agent designation; three-year renewal).
  • BMG Rights Mgmt. (US) LLC v. Cox Commc'ns, Inc., 881 F.3d 293 (4th Cir. 2018); Sony Music Entertainment v. Cox Communications, Inc., 93 F.4th 222 (4th Cir. 2024); Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012); Capitol Records, LLC v. Vimeo, LLC, 826 F.3d 78 (2d Cir. 2016); Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir. 2007); Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082 (C.D. Cal. 2001).
  • 47 U.S.C. § 230(e)(2) (IP carve-out); U.S. Copyright Office, Section 512 of Title 17 (2020).

Related resources

This checklist provides general information and is not legal advice. The DMCA safe harbors and platform-liability law are fact-specific and rapidly evolving; confirm current law and consult qualified counsel.