Online background report providers have proliferated on the Internet. Consumers with claims against these sites arising under the Fair Credit Reporting Act (FCRA) have faced hurdles under Section 230(c)(1) of the Communications Decency Act (CDA). Because the sites collect and organize publicly available data from third parties, they assert Section 230 immunity. The sites argue that they are not credit reporting agencies subject to FCRA, but rather online service providers.
Although some lower courts have tried to answer the question of whether Section 230 immunity applies to FCRA claims brought against online background report retailers,1 Henderson v. Source for Public Data2—decided in November 2022—was the first time any U.S. court of appeals addressed the issue. While Section 230 may still immunize some claims asserted against the sites, the Fourth Circuit's decision in Henderson suggests that such immunity is not categorical and depends on how the sites present third-party data.
Section 230 and FCRA
FCRA was enacted in 1970 to promote accuracy, fairness, and privacy in consumer information prepared by consumer reporting agencies.3 It was intended to get consumer reporting agencies to "adopt reasonable procedures" in how they handle consumer credit information in order to promote confidentiality, accuracy, and proper use of data.4
FCRA created a cause of action for consumers to sue credit reporting agencies for violations of its requirements.5 Among its requirements are the following: Section 1681g requires credit agencies to provide a consumer with a copy of the information in their file when the consumer requests it.6 Section 1681b(b)(1) states that when an employer requests a consumer report on someone for employment purposes, the credit reporting agency must obtain certification from the employer that it has complied with and will comply with FCRA's requirements governing their request and use of the report.7 Section 1681k(a) requires a consumer reporting agency that is providing a report for employment purposes that contains items based on public record which are "likely to have an adverse effect upon the consumer's ability to obtain employment" to inform the consumer and to take extra precautions to ensure accuracy and completeness of those items.8 Section 1681e(b) requires a consumer reporting agency to "follow reasonable procedures to assure maximum possible accuracy" of the information in a consumer report.9
Section 230 of the CDA states: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider."10 It provides broad immunity from liability to internet platforms based on claims treating them as a publisher of third-party content.
District Court Opinion
PublicData.com ("Public Data") is a website which provides third parties with information about individuals. While Public Data, like most of these online providers, avoids touting its service for credit reporting purposes in order to avoid being deemed a credit reporting agency, its customers often use the information it provides to conduct credit checks as well as background checks for employment purposes.
Public Data acquires publicly available data including criminal and civil records, voting records, driving information, and professional licensing from local, state, and federal authorities. Public Data then processes and alters the data and presents it in its own format, which it believes is more user-friendly. For example, Public Data produces its "own internally created summaries" of criminal charges.11 Public Data uploads the information it generates onto a database which may be accessed from its website. It sells access to the information to third-party customers. It neither looks for nor fixes inaccuracies and it disclaims any responsibility for inaccurate information.
Plaintiffs brought four FCRA claims against Public Data alleging violations of Sections 1681g, 1681b(b)(1), 1681k(a), and 1681e(b). The district court concluded that Section 230 blocked the claims and granted Public Data's motion for judgment on the pleadings.12 It explained that Public Data is an interactive computer service provider, and plaintiffs' claims sought to hold it liable for content created by a third party, so Section 230 immunized Public Data for the claims.
Fourth Circuit Opinion
The Fourth Circuit reversed the district court's decision.13 It held that Public Data was not entitled to Section 230 immunity for any of the four claims. These claims, according to the ruling, did not treat Public Data as a publisher or speaker of others' information, and Public Data created the harmful information itself, so Section 230 did not apply.
The Section 1681g claim. Plaintiffs alleged that Public Data violated Section 1681g by failing to provide plaintiffs with a copy of their own employment records and a notice of their FCRA rights when requested.14 The circuit court held that Section 230 did not apply because the claim did not treat Public Data as the publisher or speaker of the content about which plaintiffs complained.
The Section 1681b(b)(1) claim. This claim alleged that Public Data violated Section 1681b(b)(1) by failing to get required certifications from the employers to which it provided reports, and by failing to provide those employers with a consumer rights summary. Section 230 did not bar this claim because it did not treat Public Data as a publisher or speaker of content. Alleging that Public Data failed to obtain certification "is in no way based on the improper content of any information spoken or published by Public Data."15 Same for the alleged failure to provide a summary of the consumer's FCRA rights. That claim, according to the circuit court, did not depend on harm flowing from that content within the summary of a consumer's FCRA rights.
The Section 1681k(a) and Section 1681e(b) claims. Plaintiffs alleged that Public Data violated Section 1681k(a) by failing to notify them when it provided their employment records for employment purposes and by failing to establish adequate procedures to ensure complete and
up-to-date information in those records. There was also an alleged violation of Section 1681e(b) for not implementing sufficient procedures to ensure accuracy in its reports. The circuit court concluded that Section 230 did not immunize Public Data because it created the content at issue.
In coming to this determination, the court adopted the "material contribution" test that other circuits (including the Second, Sixth and Ninth) use to determine whether an online platform is the creator of content. An internet computer service is not the creator of unlawful content unless it has "gone beyond the exercise of traditional editorial functions and materially contributed to what made the content unlawful."16 "An interactive service provider becomes" the creator of content "whenever [its] actions cross the line into substantively altering the content at issue" in ways that produce the harm which plaintiff alleges.17 Traditional editorial functions include deciding whether to publish, withdraw, postpone, or alter content.
Plaintiffs here "alleged enough facts to show that Public Data's own actions contributed in a material way to what made the content at issue" in these two claims "inaccurate and thus improper."18 It was plausible that Public Data's own actions in how it summarized and omitted information related to a plaintiff's criminal history made its reporting misleading. Thus, Public Data's actions materially contributed to the content's impropriety.
Takeaway
The Fourth Circuit concluded that Section 230 might not shield some FCRA claims brought against online consumer data providers. But whether or not Section 230 provides immunity against FCRA claims is a case-by-case, fact-specific inquiry. The Fourth Circuit adopted no categorical rules.
Additionally, the Fourth Circuit has joined other circuits?including the Second, Sixth, and Ninth Circuits?in adopting the "material contribution" test for determining whether an entity is the creator of content for purposes of Section 230 immunity.
Footnotes
1. See, e.g., Dennis v. MyLife.Com, Inc., No. 20-CV-954, 2021 WL 6049830 at *5–7 (D.N.J. Dec. 20, 2021) (concluding that Section 230 shields an online background report retailer from liability under FCRA); Robins v. Spokeo, Inc., No. CV10-05306 ODW AGRX, 2011 WL 1793334 (C.D. Cal. May 11, 2011), superceded by No. CV10-05306 ODW AGRX, 2011 WL 11562151 (C.D. Cal. Sept. 19, 2011), rev'd and remanded, 867 F.3d 1108 (9th Cir. 2017) (declining to reach the issue). Some courts have also addressed whether Section 230 immunity applies to online background report retailers in other contexts. See, e.g., Kellman v. Spokeo, Inc., No. 3:21-CV-08976-WHO, 2022 WL 1157500, at *2, *12–13 (N.D. Cal. Apr. 19, 2022) (concluding that Section 230 does not shield online background report retailers from liability against state tort law causes of action); Knapke v. PeopleConnect Inc., 553 F. Supp. 3d 865, 872, 874–75 (W.D. Wash. 2021), vacated on other grounds, 38 F.4th 824 (9th Cir. 2022) (same); Sessa v. Ancestry.com Operations Inc., 561 F. Supp. 3d 1008 (D. Nev. 2021) (denying motion to dismiss state tort law claim on Section 230 grounds because there existed a material issue of fact as to whether Section 230 shielded liability).
2. No. 21-1678, 2022 WL 16643916 (4th Cir. Nov. 3, 2022).
3. 15 U.S.C. §§ 1681(a)(1), (4).
4. See § 1681(b).
5. § 1681n.
6. § 1681g.
7. § 1681b(b)(1).
8. § 1681k(a).
9. § 1681e(b).
10. 47 U.S.C. § 230(c)(1).
11. Henderson, 2022 WL 16643916, at *1.
12. Henderson v. Source for Public Data, 540 F. Supp. 3d 539, 549 (E.D. Va. 2021), rev'd, No. 21-1678, 2022 WL 16643916 (4th Cir. Nov. 3, 2022).
13. Henderson, 2022 WL 16643916, at *4.
14. 15 U.S.C. § 1681g.
15. Henderson, 2022 WL 16643916, at *8.
16. Id. at *10 (emphasis added).
17. Id. at *11.
18. Id.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved
