On Friday, March 20, the White House unveiled its National Policy Framework for Artificial Intelligence, laying out legislative priorities on everything from child safety to energy infrastructure to workforce development. The framework was united by a single through line: cementing American leadership in artificial intelligence. Tucked into the seventh and final priority was a set of “dos” and “don’ts” for how states should regulate AI and, should Congress pass legislation based on the framework, instructions for when federal law could override state legislation entirely. This focus on state-level regulation of AI builds on Executive Order 14365, which set out an agenda for challenging state-level AI laws inconsistent with federal policy.
The framework carves out a distinction between federal and state regulation of AI: states can regulate how AI is used in public services, enforce consumer and child protection laws, and set AI infrastructure zoning – but they should not regulate AI development itself. In fact, the framework calls for a single national AI regulatory standard, preempting state laws on the grounds that “discordant” fragmentation would only hurt American competitiveness. Most notably, the framework recommends that states should not hold developers liable for “third parties’ unlawful use of their models.”
For generative AI outputs that resemble speech, like chatbot conversations or written text, this “third party” stipulation revives a long-running debate over platform liability and Section 230, one the recent March 18th Senate hearing addressed directly. But even Section 230 can’t answer the other, potentially more consequential, question the White House framework raises: when does a design obligation become liability for third-party conduct? As this blog explores, this question matters because product-focused liability is already emerging as the dominant pattern in legal decisions around AI harm: litigators are framing claims around product defects, states are writing design-obligation laws, and now the White House framework is aligning with that trajectory. But for a product like generative AI, whose outputs are co-produced by design and user input, that boundary is less clean than the framework’s language may suggest. Codifying that boundary into law before it has been tested may shape which state-level safeguards get written and which never do – in turn, affecting what developers understand to be their responsibility, and how they approach safety as a result.
What is Section 230?
Section 230, often referred to as “the 26 words that created the internet,” established that interactive computer services are not liable for material from “another information content provider.” In other words, platforms cannot be held responsible for what their users post; a defamatory comment, for example, is the legal burden of the user who authored it, not the host that carried it. In this sense, Section 230 has allowed the internet to become the open, participatory ecosystem it is today while retaining carve-outs for federal criminal law, intellectual property, and sex trafficking statutes.
Crucially, “another information content provider” is defined as any entity “responsible, in whole or in part, for the creation or development of information.” But what happens, for example, when an LLM fabricates a claim about a public figure? Who exactly is the provider of this information? The user initiated the interaction, but didn’t author or control the output. The developer built the model, but didn’t generate the specific response. The AI model produced the content, but it isn’t a legal person.
With generative AI, none of these actors, whether user, developer, or model, map neatly onto Section 230’s distinction between content provider and content host. Competing interpretations of these actors – including whether Section 230 applies to AI-generated content at all, and how the statute should be reformed if it does or does not – have divided legal scholars and subsequently produced numerous legislative amendments seeking to address the overlap.
How does Section 230 (not) apply to generative AI?
Yet for all these interpretations, Section 230 has never actually been materially raised in a legal case involving AI-generated text. Tortious speech claims are already incredibly difficult to bring to court in the United States. First Amendment jurisprudence substantially limits liability over speech, and Section 230 adds another limiting layer on top. AI companies have every incentive to keep both shields intact: if AI outputs are classified as “speech” and the companies qualify as “interactive computer services,” they’re doubly insulated. But testing that proposition in court risks a ruling that AI outputs aren’t speech at all, which would collapse both layers of protection at once.
Walters v. OpenAI illustrates this calculus. When ChatGPT fabricated a false connection between a popular radio host and an embezzlement scheme, OpenAI had the option to invoke Section 230 but chose instead to win on traditional defamation standards, arguing the output couldn’t be reasonably understood as a statement of fact. Why risk a ruling that could collapse both layers of protection when you can win without touching them?
Plaintiffs, meanwhile, have framed claims around product liability and design defects. In Garcia v. Character Technologies, the plaintiffs, representing a teenager who took his own life after months of emotionally manipulative chatbot conversations, argued that the chatbot was a defectively designed product rather than a channel for harmful speech. By classifying AI outputs as products rather than speech, plaintiffs bypass both the First Amendment bar and the possibility of Section 230 immunity and gain access to standards of care, design obligations, and manufacturing oversight that speech claims don’t offer.
Interestingly in this case, the presiding judge observed that Character Technologies “fail[ed] to articulate why words strung together by an LLM are speech,” a finding that, if upheld, could dissolve the entire framework that makes Section 230 attractive to defendants. If AI outputs aren’t speech, there’s no First Amendment shield and no basis for Section 230 immunity, which is precisely the outcome defendants are trying to defer.
In Context: The White House Framework, Section 230, and Liability
With at least one court suggesting that AI outputs may not constitute speech at all, the case for engaging Section 230 directly looks uncertain. Recently, states have instead written AI laws through product safety and consumer protection frameworks. California’s SB 243, for example, doesn’t explicitly hold AI companions liable for harmful generated speech. Rather, it outlines how AI companion chatbot operators must implement crisis-prevention protocols, provide disclosures, and prevent sexually explicit content involving minors.
The White House’s framework actually validates the product design-obligation approach at the federal level. For example, it calls on Congress to require AI platforms likely to be accessed by minors to implement age-assurance requirements. Rather than resolving whether Section 230 applies to AI-generated content, the framework proposes a new federal standard, recommending that states should not be permitted to impose liability on AI developers for unlawful conduct carried out by third parties using their systems. In doing so, it functionally sidesteps the need to resolve Section 230 in the near term: there is no longer need to ask whether the old internet law shields AI companies, because the new federal standard would do that work directly. But the federal standard introduces its own unresolved question: where does product design end and responsibility for user-caused harm begin? That matters because the framework preserves states’ rights to enforce existing fraud, consumer protection, and child safety laws. What’s more, the way that those state-level design obligations will interact with a federal “no liability for third-party conduct” standard is far from settled.
Consider California’s SB 243 again. Requiring a chatbot operator to build crisis-prevention protocols is a straightforward design obligation; the developer had a legal requirement and failed to meet it, regardless of what any user did. There is also a well-established principle that companies are not liable for third-party use of their legally marketed products.
In Garcia v. Character Technologies, the facts were stark enough that the court resolved the question cleanly as a design defect. But whereas that particular case involved a teenager’s death after months of harmful chatbot interactions, not every case will present such a clear-cut instance of design failure. As AI systems become more open-ended and their outputs are more dynamically shaped by sustained user interaction, deciphering whether the failure was a foreseeable one tied to the product’s design or an unanticipated one connected to how it was used will become increasingly challenging. Courts can likely work through these cases using existing design defect and foreseeable misuse frameworks, but in the age of generative AI, the line between product design and user conduct may genuinely be contested in ways the framework’s language may not anticipate. This is the grey area that will likely surface more and more frequently as we enter a new generation of AI litigation.
If Congress codifies the framework’s broad “no liability for third-party conduct” standard, it is state legislatures, not courts, who will likely feel the immediate effect. Of course, states always weigh federal preemption when writing new regulations as a matter of routine federalism. But because the boundary of “third-party conduct” is less obvious for generative AI, Congress’s codification of this standard would force states writing new AI safety laws to anticipate whether their design mandates might be recharacterized as third-party liability. A more specific law, like California’s SB 243 and its crisis-prevention protocols, would likely survive that challenge. But broader obligations, such as those that require ongoing monitoring or mandate that systems adapt their safeguards as user patterns evolve, offer more surface area for a developer to argue the state is in reality penalizing them for user conduct. As a result, states may gravitate toward narrow, clearly defensible mandates. In practice, this could mean either sharper, more effective regulation, or a ceiling on how ambitiously states can address emerging harms. Whether that’s a feature or a flaw depends on whether one views state-level design mandates: are they necessary safeguards, or regulatory fragmentation? The new White House framework does answer this question firmly, but courts and legislatures may revisit it as the technology evolves.
Conclusion
These unresolved tensions within AI liability haven’t gone unnoticed. During a March 18 Senate hearing, one witness contemplated new potential consequences of an unreformed Section 230, suggesting that leaving Section 230 unchanged could effectively enshrine it as a “meta law” – one that doesn’t establish how generative AI should be governed, but instead lets whoever moves fastest in its absence set the terms.
Product-focused liability is emerging as the dominant regulatory approach. Its emergence is not necessarily a coordinated strategy, but the cumulative result of litigators and state legislatures each reaching for familiar legal ground. The White House’s framework largely follows that trajectory, proposing a federal standard that shields developers from third-party misuse while preserving certain state enforcements. But for a technology with already blurry lines between product design and user conduct – lines that are only growing more so as autonomous agents introduce questions of attribution and cascading downstream harms – codifying that distinction may do more than resolve a legal question. It may determine which state-level safeguards are worth attempting in the first place. If the Senate hearing’s “meta law” warning that the first law to shape governance of a technology is often the last holds true, that’s a distinction worth getting right.
This commentary is written and published in accordance with IST’s Intellectual Independence Policy. The authors are solely responsible for its analysis and recommendations. The Institute for Security and Technology and its supporters do not determine, nor do they necessarily endorse or advocate for, any of this blog’s conclusions.
