Against a background of extensive literature examining how digital platforms are regulated through ‘soft’ mechanisms, this paper analyses the ‘hard law’ techniques, such as sanctions, which are also very much used on digital platforms to police undesirable behaviours. It illustrates the use of these sanctions, suggesting that it is possible to find three different categories of sanctions: sanctions that find their source in hard (international and domestic) law, sanctions that find their source in digital platforms' own normative production, and sanctions used in the course of disputes. Platform operators can have an intense power of norm-setting and sanctions, with a tendency to concentrate power within themselves or with unclear arrangements for dividing it across different entities. This can deeply affect individual freedoms. This paper suggests that the ways in which the power to set, decide and enforce sanctions is exercised in the digital space transform the public–private divide: the allocation of roles between sovereign public bodies and free private actors is reshaped to become ‘hybrid’ when it comes to enforcing rules and monitoring compliance through a wide range of sanctions on digital platforms. This paper frames the legitimacy questions arising from sanctions and suggests that the public–private divide may have to be bridged in order to locate a possible source of legitimacy. A future framework for assessing how platform operators set norms and ensure compliance through sanctions needs to start from individual users to see how best to protect their freedom when checks and balances around platforms' powers and sanctions are developed. These individual users are the ones who suffer from the economic, social and reputational consequences of sanctions in both the digital world and the physical world.