Beyond the source code: one GPL violation, five compounding legal exposures

A single GPL violation creates five compounding legal exposures: injunctions, damages, moral rights, cross-border claims, and new plaintiffs.

Iveta Yuskeselieva · 17 min read · 10 March 2026 · EU
Contents
  I. Introduction
  II. Executive summary
  III. GPL v2 mechanics: a brief overview
  IV. Product distribution at risk: injunctions and business impact
  V. The cost of non-compliance: how damages are assessed across jurisdictions
  VI. Multi-jurisdictional exposure: the reach of GPL enforcement
  VII. Beyond the copyright holder: who can now enforce the GPL
  VIII. Risk mitigation in practice
  IX. Conclusion

I. Introduction

Ninety-seven percent of commercial applications contain open source components. The decision to integrate them is almost always made by developers, under deadline pressure, for sound technical reasons. It rarely passes through legal review.

That would matter less if “free” software came free of legal obligations. It does not.

Open source licences impose specific conditions on how software may be used, modified, and redistributed. The most consequential of these is the GPL v2: a copyleft licence that requires any derivative work to be released under the same open terms, including the corresponding source code. A company that integrates a GPL-licensed component into a proprietary product and distributes it without complying? In the eyes of courts across multiple jurisdictions, that is copyright infringement.

The enforcement trajectory over the past two decades has moved in one direction: broader enforcement, stronger remedies, a wider range of parties capable of bringing claims.

Courts in the United States and the European Union have now confirmed that GPL violations are actionable as both breach of contract and copyright infringement. The practical consequences of that dual classification are significant. The remedies differ. The jurisdictional reach differs. The categories of potential plaintiffs differ.

But the real problem is not that these risks exist. It is that they compound.

A single act of GPL non-compliance can simultaneously expose a company to:

⚖️ Court orders halting product distribution.

💰 Financial damages benchmarked against the commercial licence fee it chose not to pay.

🔒 Moral rights claims in every civil law jurisdiction where the product is present.

🌍 Proceedings in jurisdictions it never expected to face.

👥 Lawsuits brought by parties with whom it has no contractual relationship.

The financial and operational consequences of this combined exposure are of a different order of magnitude than what a simple “breach of licence terms” framing might suggest.

II. Executive summary

The enforcement of GPL licence terms has evolved from a theoretical question into a well-established body of case law that creates multiple, compounding risk categories for non-compliant companies.

On court-ordered product withdrawal, since the United States Court of Appeals for the Federal Circuit held in Jacobsen v Katzer (535 F.3d 1373, Fed. Cir. 2008) that open source licence conditions are enforceable copyright conditions, copyright holders have had access to injunctive remedies that can compel a company to cease distributing its product entirely. Settlement terms in enforcement actions have consistently required product withdrawal, source code publication, and the appointment of internal compliance officers.

On monetary liability, courts in both the United States and France have identified the same damages benchmark despite arriving through different legal paths. Where the GPL-licensed component is offered under a dual-licensing model, the commercial licence fee that the infringer chose not to pay serves as the natural measure of damages. In Entr’ouvert v Orange (Cour d’appel de Paris, 14 February 2024, n°22/18071), the court awarded over €800,000 in combined economic damages, unjust enrichment, and moral damages. In civil law jurisdictions, the classification of a GPL violation as copyright infringement means that contractual limitations on liability do not cap the damages available to the rightholder.

On cross-border exposure, the dual nature of GPL violations as both contractual breaches and copyright infringements creates distinct jurisdictional pathways. Contract claims may provide broader geographic reach, while copyright infringement claims give access to stronger remedies. Both pathways are now available in the United States, in the European Union, and in Germany and the Netherlands, where cumulative enforcement was already permitted before the Court of Justice ruled in IT Development v Free Mobile (C-666/18, 2019).

On the expanding range of enforcers, the ongoing case of Software Freedom Conservancy v Vizio (Orange County Superior Court, California) may extend GPL enforcement standing to end users as third-party beneficiaries. In Europe, individual enforcement is already a reality: in Steck v AVM (Berlin, 2024), a single developer successfully compelled a major manufacturer to provide LGPL source code.

III. GPL v2 mechanics: a brief overview

The GNU General Public Licence version 2 is a copyleft licence, which conditions the right to modify and distribute the licensed software on the requirement that the resulting derivative work is itself distributed under the same GPL terms. The core obligations can be summarised as follows:

  • Modification and distribution (Article 2): any work that contains or is derived from a GPL-licensed program must, when distributed, be licensed as a whole under the GPL at no charge to all third parties, and must include prominent notices of modification.
  • Source code availability (Article 3): distribution of the program in object code or executable form must be accompanied by the corresponding source code, or by a written offer to provide it.
  • Automatic termination (Article 4): any attempt to copy, modify, sublicence, or distribute the program in violation of the licence terms automatically terminates the licensee’s rights under the GPL.
  • No additional restrictions (Article 10): the licensee may not impose any further conditions on the recipients’ exercise of the rights granted under the licence.

Two concepts are essential for understanding the risk analysis that follows. The first is the derivative work threshold: the question of whether a company’s proprietary software is sufficiently intertwined with the GPL-licensed component to qualify as a derivative work, which would trigger the copyleft obligation to release the entire proprietary codebase under GPL terms. In Entr’ouvert v Orange, a court-appointed expert report found that Lasso constituted 57% of the source code of Orange’s IDMP platform, with deep functional dependencies: the question of whether IDMP was a derivative work was not seriously in dispute.

The second concept is dual licensing: many GPL projects offer an alternative commercial licence for companies that wish to use the software without complying with the copyleft obligations. Ghostscript, Lasso, and MySQL are well-known examples. The existence of this commercial alternative is what makes financial damages quantifiable, as will be seen in Section V.

IV. Product distribution at risk: injunctions and business impact

The most immediate operational risk of GPL non-compliance is not a damages award: it is a court order, known in legal terms as an injunction, compelling the infringing company to stop distributing its product.

This risk became legally concrete in 2008, when the United States Court of Appeals for the Federal Circuit held in Jacobsen v Katzer (535 F.3d 1373, Fed. Cir. 2008) that the conditions of an open source licence are enforceable as copyright conditions, not merely as contractual obligations. The distinction is critical: a breach of a contractual obligation typically gives rise to a claim for damages, whereas a violation of a copyright condition constitutes copyright infringement, which opens the door to injunctive relief. A court can order the infringing party to stop distributing the product altogether.

For a company whose revenue depends on a product that embeds GPL-licensed components, an injunction is not merely a legal inconvenience: it is a direct threat to the revenue stream. The product cannot be sold, shipped, or made available until the company either achieves compliance by releasing its own source code under GPL terms, negotiates a commercial licence with the copyright holder, or removes the GPL-licensed component entirely and replaces it with an alternative.

The enforcement record bears this out. Between 2007 and 2013, the Software Freedom Law Center filed a series of copyright infringement lawsuits on behalf of the developers of BusyBox, a suite of Unix utilities licensed under GPL v2. A number of consumer electronics companies were named as defendants, and all cases settled except one, where a default judgment was entered. The settlement terms followed a consistent pattern: cessation of distribution of non-compliant products, publication of complete source code, and payment of financial settlements. In the FSF v Cisco matter (2008–2009), the settlement additionally required Cisco to appoint an internal Free Software Compliance Officer: a structural remedy that signalled the expectation of ongoing governance rather than a one-off correction.

V. The cost of non-compliance: how damages are assessed across jurisdictions

A. How the commercial licence fee becomes the damages measure

Where a GPL-licensed component is offered under a dual-licensing model, a company that integrates the software has two lawful paths available: comply fully with the GPL’s copyleft obligations, or purchase a commercial licence. The company that does neither creates a quantifiable measure of harm: the commercial licence fee it chose not to pay.

This damages logic was established in the United States in Artifex Software v Hancom (N.D. Cal. 2017). Hancom, a Korean software company, integrated the Ghostscript PDF interpreter into its office suite without purchasing a commercial licence or complying with the GPL. The court rejected Hancom’s argument that the GPL’s royalty-free nature precluded any claim for damages, holding that royalty-free licensing does not preclude damages where the licensee fails to comply with the licence conditions.

The same analytical framework appeared in Entr’ouvert v Orange (Cour d’appel de Paris, 14 February 2024, n°22/18071), through an entirely different legal system. Orange had been offered a commercial licence for Lasso before integrating it into its government portal platform. Orange declined. The court awarded over €800,000 in combined damages, including economic loss, unjust enrichment representing the savings from not paying the commercial licence, and moral damages. Both jurisdictions arrived at the same practical conclusion through different legal paths: in a dual-licensing context, the commercial fee the infringer avoided paying serves as the starting point for any damages assessment.

B. Why the legal classification of the violation changes the financial exposure

The classification of a GPL violation as copyright infringement rather than breach of contract has direct consequences for the damages available to the rightholder.

Under the copyright infringement path, the rightholder benefits from the protections of the Enforcement Directive (Directive 2004/48/EC), transposed in France into Article L.331–1–3 of the Code de la propriété intellectuelle. That provision establishes three distinct and cumulative categories of recoverable harm: (1) the actual economic loss suffered by the rightholder, (2) the unfair profits made by the infringer, and (3) the moral prejudice caused by the infringement. That these categories are cumulative, and not alternative, is essential: they are assessed and awarded together, as the Entr’ouvert decision demonstrates.

Under the contractual path, by contrast, French law limits recoverable damages to harm that was foreseeable at the time the contract was formed. This is the point at which the legal classification has its most direct financial consequence: once a GPL violation is classified as copyright infringement, contractual limitations on liability are irrelevant. The infringement action operates outside the contractual framework entirely. The Court of Justice of the European Union made this explicit in IT Development v Free Mobile (C-666/18, 18 December 2019), holding that the rightholder must be able to benefit from the guarantees of the Enforcement Directive regardless of the liability regime applicable under national law. A company cannot contractually cap its liability for what is now classified as copyright infringement.

C. Moral rights as a risk multiplier

Moral rights exist under the copyright frameworks of virtually all civil law jurisdictions, including France, Germany, Italy, Spain, and the Netherlands. In the context of GPL non-compliance, they add a distinct category of damages on top of economic harm.

In Entr’ouvert v Orange, the court awarded €150,000 specifically for moral prejudice, linked to Orange’s concealment of Entr’ouvert’s authorship: Orange had distributed the platform under the France Telecom name alone, entirely obscuring the original developer’s role. This was held to violate the droit de paternité, the author’s right to be identified as the creator of the work. German copyright law provides equivalent protections under §§ 12–14 of the Urheberrechtsgesetz (UrhG), including the inalienable right to recognition of authorship (§13). These rights cannot be waived or contracted away, even by the author.

The significance for compliance teams, particularly those trained in common law traditions, is that moral rights represent a risk category that does not exist in the United States. Any risk assessment drawn exclusively from the US legal framework will underestimate the financial exposure in civil law jurisdictions.

VI. Multi-jurisdictional exposure: the reach of GPL enforcement

A. How global distribution creates multi-jurisdictional exposure

Open source software is distributed globally, often embedded in products sold across multiple jurisdictions. A company headquartered in one country, distributing a product that contains a GPL-licensed component, may face enforcement proceedings in a jurisdiction it never anticipated. The legal classification of the violation, as a breach of contract, as copyright infringement, or as both, determines where the company can be sued and what remedies are available.

This is not a theoretical concern. In Artifex v Hancom, a California federal court exercised jurisdiction over a Korean company in a dispute over Ghostscript’s GPL licence. The breach of contract claim was instrumental in establishing jurisdictional reach: Hancom had publicly represented that its use of Ghostscript was licensed under the GPL, which the court found sufficient to establish a contractual relationship with a California-based licensor. Had the claim been limited to copyright infringement, the jurisdictional analysis would have followed a different, and potentially narrower, set of connections to the forum. A detailed analysis of the interplay between contract and copyright claims in establishing cross-border jurisdiction has been developed by Shuji Sado, whose work traces the evolution of dual enforcement across the US case law.

The same dynamic operates in reverse: a copyright infringement claim provides access to stronger substantive remedies, including injunctive relief and, in civil law jurisdictions, moral damages, but its jurisdictional reach may be limited to the territory where the infringement occurred. A contract claim, conversely, may reach further geographically but with a narrower set of remedies.

B. The dual nature of GPL violations is now established across jurisdictions

In the United States, the combined effect of Jacobsen v Katzer (2008) and Artifex v Hancom (2017) established that GPL violations can be pursued as both copyright infringement and breach of contract in a single proceeding. In Germany and the Netherlands, cumulative enforcement was already permitted under national law. In France, the doctrinal shift was more complex: the principle of non-cumul des responsabilités (non-cumulation of contractual and tortious liability) had traditionally prevented a copyright infringement action where a contractual relationship existed between the parties. The CJEU’s ruling in IT Development v Free Mobile (C-666/18, 2019) forced the change, holding that the Enforcement Directive’s protections must be available to the rightholder regardless of the national liability regime. The French Cour de cassation applied this in October 2022, and the Cour d’appel condemned Orange for contrefaçon in February 2024.

For a company distributing products internationally, the practical consequence is that its GPL compliance exposure must be assessed against the most demanding enforcement regime in any jurisdiction where its products are distributed, not merely the regime of its home jurisdiction.

VII. Beyond the copyright holder: who can now enforce the GPL

Historically, GPL enforcement depended entirely on the willingness and resources of the copyright holders to pursue legal action. Many lacked either the resources or the inclination to litigate, and companies could calculate that the probability of enforcement was low.

That calculation is becoming obsolete. The case of Software Freedom Conservancy v Vizio (Orange County Superior Court, California) is testing whether end users, not just copyright holders, can enforce GPL terms:

  • SFC purchased a Vizio smart television running Linux-based software governed by GPL v2. Vizio did not provide the corresponding source code despite years of requests;
  • SFC sued not as a copyright holder, but as a purchaser and third-party beneficiary of the GPL;
  • In May 2022, a federal court confirmed the GPL functions as both a copyright licence and a contractual agreement;
  • In December 2023, the court denied Vizio’s motion for summary judgment, finding SFC has standing as a third-party beneficiary. The court’s reasoning was direct: copyright holders have no economic incentive to bear the cost of enforcing source code obligations that benefit downstream users, and recipients of GPL-licensed software will only be assured of their rights if they can enforce them independently;
  • A trial is expected in 2026, following Walmart’s acquisition of Vizio for $2.3 billion in 2024, an acquisition that transferred rather than resolved the GPL compliance exposure.

If this theory is upheld at trial, any purchaser of a product containing GPL-licensed software could potentially have standing to require source code disclosure through litigation: not only the original developers, but enterprise buyers, consumers, and advocacy organisations.

In Europe, individual enforcement is already a reality. In Steck v AVM (Berlin, 2023–2024), a single developer purchased a consumer router, requested the LGPL source code, and when AVM did not provide the complete materials, sued with SFC funding. The Berlin court ruled in Steck’s favour. The financial amount was modest, but the principle it confirmed is not: an individual can enforce copyleft licence terms against a major manufacturer through the courts.

VIII. Risk mitigation in practice

The technical scanning of codebases, through software composition analysis (SCA) tools, is a necessary starting point for identifying which open source components are present and which licences govern them. What these tools cannot assess is the legal risk layer: the jurisdictional exposure, the damages implications of dual licensing, or the moral rights dimension in civil law jurisdictions. The technical audit and the legal risk assessment are complementary, and neither replaces the other.

Several principles emerge from the case law examined in this article.

First, a company must understand the licence before integration, and specifically must recognise the distinction between permissive and copyleft licences. A permissive licence, such as the MIT licence or the Apache Licence 2.0, permits the licensee to use, modify, and redistribute the software, including in proprietary products, with minimal obligations: typically limited to retaining the copyright notice and licence text. A copyleft licence such as the GPL imposes a fundamentally different regime: any derivative work that is distributed must itself be licensed under the GPL, and the corresponding source code must be made available. Integrating a permissively licensed component into a proprietary product is generally straightforward; integrating a copyleft-licensed component triggers a cascade of obligations that may be incompatible with the company’s business model. A company that treats all open source as interchangeable has not understood its own risk exposure.

Second, dual-licensed components warrant a deliberate licensing decision at the point of integration. As Artifex v Hancom and Entr’ouvert v Orange demonstrate, the existence of a commercial licensing alternative establishes the damages measure in any subsequent enforcement action. A company that integrates a dual-licensed component, declines the commercial licence, and fails to comply with the copyleft conditions has created the worst possible evidentiary position. The decision to use a dual-licensed component should be documented, and the compliance path, whether copyleft or commercial, should be formally selected and recorded.

Third, documentation is essential, and its importance extends beyond the moment of integration. In the context of mergers and acquisitions, embedded open source compliance exposure is an intellectual property liability that transfers with the acquisition. Vizio’s GPL issues became Walmart’s problem. For any company that may be acquired, or that acquires software-intensive businesses, the state of open source compliance is a due diligence item that belongs alongside patent portfolios and trade secrets.

IX. Conclusion

The risk landscape for GPL non-compliance has changed. What began as a question of theoretical enforceability is now a well-established, multi-jurisdictional body of case law, and the direction of that case law is unambiguous.

Each risk category examined in this article represents an independent exposure, but in practice they interact. A company found to have violated the GPL may simultaneously face a court order halting distribution, financial damages calculated against the commercial licence fee it chose not to pay, moral rights claims in every civil law jurisdiction where its product is present, proceedings in jurisdictions it never anticipated, and actions initiated not by the original developer but by a purchaser of the product. The financial and operational consequences of this combined exposure are of a different order of magnitude than what a simple “breach of licence terms” framing might suggest.

The most significant development in this space is not any single ruling but the recognition, across the United States and the European Union, that GPL violations carry a dual nature: actionable as both breach of contract and copyright infringement, with each track providing its own remedies, its own jurisdictional logic, and its own category of potential plaintiffs. Companies that rely on the assumption that GPL compliance is a low-priority concern are operating on an understanding of the law that is a decade out of date.

Iveta Yuskeselieva

Technology Legal Counsel

Writing on technology law across the EU, UK, and US — software licensing, AI, cybersecurity, and the commercial questions that sit between them.