This chapter examines the extent to which e-commerce platforms may be held liable for problematic goods sold by third-party sellers on their websites. Several courts have hesitated to find e-commerce platforms liable under products liability and warranty law for products sold on their marketplaces by third-party sellers. This chapter argues that the increasing shift from in-person sales of goods to online sales necessitates a shift in current interpretations of key principles under state products liability and warranty law under Article 2 of the Uniform Commercial Code to better protect consumer interests. E-commerce platforms should, upon meeting certain criteria, be viewed as sellers and merchants for purposes of Article 2 warranties and products liability law. This chapter also highlights the role of state consumer law mandating product warnings and the federal Communications Decency Act, which, in some cases, may pose a hurdle to successful consumer claims against e-commerce platforms. The chapter concludes by offering a path forward.

Data about consumers has long been a prized asset of organizations. As Paul Schwartz has observed, the “monetary value” of consumer data continues to grow significantly and companies eagerly profit from consumer data.1 The IoT will foster an exponential growth in the volume, quality, and variety of consumer-generated data. As a result, there will be more of our data available for companies to analyze, exploit, and extract value from. As we have seen in previous chapters, several legal scholars have highlighted the limits of companies’ privacy policies and conditions of use, and the role of these documents in enabling data disclosures.

As we have seen so far in this book, the IoT comprises various connected devices, services, and systems. Connecting regular devices to the Internet has made it much easier for companies to protect their interests in consumer transactions. New technologies allow companies to continue to wield significant control over us and our devices beyond the point of sale, license, or lease. As Aaron Perzanowski and Jason Schultz have observed, the IoT “threatens our sense of control over the devices we purchase.”1 Of chief concern is companies’ use of technology to control our devices and actions and digitally restrain our activities in lending transactions.

Unlike privacy law discourse, which has primarily explored questions related to others’ knowledge, access, and use of information about us, commercial law’s central focus has been on issues related to trade involving persons, merchants, and entities. In the commercial law context, questions about knowledge and information are primarily connected to the exchange and disclosure of information needed to facilitate transactions between parties.1 This distinct historical focus has likely contributed to commercial law’s failure to adequately account for and address privacy, security, and digital domination harms. In some cases, commercial law also defers to corporate commercial practices as well.

Most of the existing privacy and security legal frameworks at both the federal and state level provide incomplete safeguards against many of the privacy and information security harms highlighted in earlier chapters. Many of these frameworks have long been critiqued by privacy law experts for their lack of effectiveness. The IoT amplifies these inadequacies as it compounds existing privacy and security challenges.

At the state level, the patchwork of privacy and security legislation creates varying obligations for businesses without consistently ensuring that individuals receive adequate privacy and cybersecurity protection. State legislation also suffers from several shortcomings and is often replete with gaping privacy and security holes. Even the CCPA, the first privacy statute of its kind in the United States, has several limitations. Further, varying state privacy and security legislation also enables unequal access to privacy and security between citizens of different states.