There is a phrase that keeps appearing in AI litigation that I think deserves more attention than it usually gets: “without consent.” It shows up in almost every complaint filed against a technology company for using human-generated content to train an AI model, and it appears prominently in the class-action suit against Nvidia filed in November 2025. The plaintiffs, including the channels behind H3H3 Productions, Mr.ShortGame Golf, and Golfholics, allege that Nvidia scraped millions of YouTube videos to train its Cosmos AI model without authorization and without compensating the people who made them.
The phrase matters because it reveals what is actually at stake in this litigation. This case is not, at its core, a technical dispute about how machine learning works. It is a dispute about whether the people who create and share content online have any meaningful say in what happens to it afterward. From a privacy practitioner’s perspective, that is a question with implications that extend well beyond the copyright claims currently driving the headlines.
What Nvidia Built and How It Got There
Cosmos is Nvidia’s world foundation model platform, designed to understand and simulate the physical world well enough to train robots, autonomous vehicles, and industrial AI systems. Nvidia described the Cosmos models as having been trained on 20 million hours of real-world data, a staggering volume that illustrates exactly why companies in this space treat data acquisition as an existential competitive priority.
Internal communications obtained and published by 404 Media in August 2024 showed Nvidia employees discussing an initiative to aggregate a massive curated video dataset for generative modeling, with CEO Jensen Huang responding to an update with “Great update. Many companies have to build video FM. We can offer a fully accelerated pipeline.” According to the lawsuit, Nvidia had downloaded 38.5 million video URLs and was scraping the equivalent of a human lifetime’s worth of video content every single day.
The plaintiffs allege that Nvidia bypassed YouTube’s internal measures protecting its video files, in violation of the anti-circumvention provisions of the Digital Millennium Copyright Act. YouTube’s terms of service expressly prohibit scraping or unauthorized mass downloading of video content. Nvidia has stated that its business practices are in full compliance with copyright law, a claim it will need to defend in court as the case proceeds. By February 2026, a third class action had been filed in the same California federal court, naming both Nvidia and YouTube as defendants and expanding the allegations to include Nvidia’s Omniverse platform alongside Cosmos.
Why YouTube Is Also Named
The inclusion of YouTube as a defendant is one of the more interesting legal choices in this litigation, and it is worth pausing on. YouTube did not train the AI model. YouTube did not scrape its own content. But YouTube is the platform that housed the material, set the terms of service that Nvidia allegedly violated, and arguably had both the capability and the responsibility to prevent unauthorized mass downloading at scale.
From a platform accountability standpoint, this raises a question that the industry has been quietly avoiding: at what point does a platform become liable not for what it publishes but for what it fails to protect? If a platform’s technical infrastructure is bypassed at scale to harvest content for commercial AI training, does the platform bear any responsibility for that outcome, particularly when the creators on that platform had no independent means of knowing it was happening?
This is not entirely new legal territory. Platform liability has been contested under Section 230 of the Communications Decency Act for decades. But Section 230 was designed to insulate platforms from liability for content that users publish, not from liability for failures to protect the data those users entrust to the platform. That distinction may prove significant as the courts work through the YouTube aspect of this case.
The Copyright Framework and Its Limits
The primary legal theory in the Nvidia lawsuit is violation of the DMCA’s anti-circumvention provisions, specifically Section 1201, which prohibits bypassing technological measures that control access to a copyrighted work. This is a meaningful choice by the plaintiffs’ legal team. Direct copyright infringement claims against AI companies have a complicated history: courts have not yet definitively resolved whether training a model on copyrighted content constitutes infringement, and fair use arguments remain legally viable even if they are far from settled.
The fair use analysis for AI training involves a case-by-case examination of factors including the purpose of the use, the amount of copyrighted material used, and the potential effect on the market for the original work. AI developers frequently argue that training is transformative because the model does not reproduce the content directly but learns patterns from it. Whether courts will accept that argument, and in what circumstances, remains genuinely open.
The DMCA circumvention claim sidesteps some of that uncertainty. If Nvidia bypassed technical access controls to obtain the content in the first place, the question of whether training on that content is fair use becomes secondary. You cannot invoke fair use as a defense to obtaining material through unlawful means. The US Copyright Office’s pre-publication report on generative AI training, released in 2025, noted this explicitly: unlawful access is a factor that weighs against a finding of fair use, which significantly weakens one of the most commonly asserted defenses in this category of litigation.
The Privacy Dimension That Gets Underplayed
Copyright is getting most of the attention in coverage of this lawsuit, and that is understandable: it is the primary legal theory, and the DMCA framework provides concrete statutory damages that make the litigation commercially meaningful. But the privacy dimension of what allegedly happened here deserves considerably more scrutiny than it is receiving.
When individuals upload content to YouTube, they do so within a set of understood expectations: the content will be viewable by audiences, it may be used by YouTube for recommendation algorithms and advertising, and it is subject to YouTube’s terms of service. What most creators do not expect, and what YouTube’s own terms of service explicitly prohibit, is that their content will be harvested at industrial scale and used to train a commercial AI model that will be sold to third parties developing robots, self-driving cars, and manufacturing systems.
This gap between what people reasonably expect when they share content online and what actually happens to that content is a foundational privacy problem, and it is one that existing legal frameworks address imperfectly at best. GDPR requires a lawful basis for processing personal data, and scraping video content without consent clearly cannot rely on the data subject’s agreement. But GDPR applies primarily to personal data in the European sense, and the US has no equivalent federal framework that would give content creators a privacy-based cause of action against the kind of collection alleged here.
The existing legal frameworks governing data usage were largely developed before the current AI boom and may not adequately address the unique considerations of machine learning training regimes. Companies operating in this ambiguous legal landscape face difficult choices about how aggressively to pursue data acquisition strategies that may later be deemed improper. That framing is polite. The less polite version is that a significant number of AI companies have made a calculated bet that the value of the training data outweighs the legal and reputational risk of obtaining it through methods that would not survive scrutiny, precisely because the law has not yet caught up with the practice.
The Consent Architecture No One Built
If you zoom out from the specific facts of the Nvidia case and look at the broader pattern of AI training data litigation, a structural problem becomes visible. The internet was not built with consent architecture for machine learning. When platforms set their terms of service in the early 2000s, they were thinking about competitors scraping content for search indexing or competitive intelligence, not about AI companies scraping hundreds of millions of items to teach a model to simulate physical reality.
The result is that content creators exist in a kind of legal limbo. They retain copyright in what they create, in theory. But the practical mechanisms for enforcing that copyright against a company with Nvidia’s resources are expensive, slow, and uncertain. They have no right under US federal law to be notified before their content is used for AI training. They have no statutory right to opt out. And the platforms that host their content have commercial relationships with AI companies that create at minimum an ambiguity of interest, even when those platforms nominally prohibit the very scraping that is at issue.
The class action mechanism is doing some of the work that regulation should be doing, which is part of why this case matters beyond its immediate facts. Legal analysts expect more high-stakes settlements in 2026, particularly in cases where there is evidence of illegal downloading of training data, which could motivate AI companies to settle rather than risk jury verdicts. Settlements, however, resolve individual cases. They do not create the durable consent infrastructure that would change how the industry operates at scale.
What Precedent This Case Could Set
The Nvidia-YouTube litigation is proceeding alongside a cluster of related cases: the ongoing New York Times suit against OpenAI, class actions against Meta, Anthropic, and others for text training data, and an expanding docket of cases involving specific categories of creator content. Each of these cases is carving out a small piece of the legal landscape. None of them, individually, resolves the underlying question.
The question is this: does the commercial imperative to train better AI models create a license to use other people’s creative work without permission, compensation, or notice? If the answer is yes, even in qualified form, it fundamentally reorders the relationship between platforms, creators, and AI companies. If the answer is no, it requires the industry to develop licensing frameworks at a scale and speed that most legal and business infrastructure is not currently equipped to support.
From a privacy practitioner’s standpoint, there is a third dimension to that question that courts are not yet squarely addressing: even if a use is found to be lawful under copyright law, is it consistent with the reasonable expectations of the people whose data was used? Those are not the same question. Copyright protects expression. Privacy protects expectations. A legal ruling that training on scraped video content is permissible as a copyright matter tells us nothing about whether it is acceptable as a matter of information ethics.
The US Copyright Office’s ongoing work on AI training, the legislative proposals currently pending in Congress, and the regulatory activity in the EU under the AI Act are all moving toward an answer. They are moving slowly. The litigation is moving faster. And the content creators whose channels built audiences, livelihoods, and communities on YouTube are waiting for a legal system that was not designed for this moment to tell them whether what happened to their work was wrong, and if so, what it is worth.
That is not a satisfying place to leave it. But it is where we are.
