The CFPB, FTC, and the North Carolina Department of Justice filed an amicus brief with the U.S. Court of Appeals for the Fourth Circuit urging it to reverse a district court decision that found Section 230 of the Communications Decency Act made a consumer reporting agency immune from FCRA claims.

In Henderson v. The Source for Public Data, L.P., the plaintiffs alleged that Public Data qualified as a “consumer reporting agency” under the FCRA because it collected, sorted, summarized, and assembled public records information into reports that third parties could purchase on its website.  They alleged that the defendants’ practices led them to provide reports containing inaccurate criminal history information and claimed that Public Data violated the FCRA by failing to comply with various FCRA requirements, including the requirement to follow reasonable procedures to assure accuracy in the preparation of consumer reports.  Public Data raised Section 230 as a defense to the claims.  Section 230 immunizes providers of internet services from liability for the content posted by their users.  It provides that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

In dismissing the complaint, the court found that, based on Section 230’s plain language, FCRA claims did not fall within the statutory exemptions from immunity and that Section 230 creates federal immunity to any non-exempt claim that would make internet service providers liable for information originating with a third party.  It found that Public Data qualified as the operator of an “interactive computer service” because it uploaded information on its server for its customers to access.  According to the court, Public Data did not lose its status as an interactive computer service because it purchased the data or edited the data as would a publisher or distributor in its traditional capacity.  The court also found that Public Data was not an “information content provider” because it did not produce the content of its reports.  In the court’s view, the information that Public Data uploaded to its website and collected into reports was created by the sources of such information (i.e. vendors, state agencies, and courthouses).

In their amicus brief, amici argue that the district court erred by analyzing the application of Section 230 as if the plaintiffs’ claims sought to impose liability on Public Data for the content of its reports rather than for its failure to comply with specific FCRA requirements.  The district court therefore incorrectly viewed the key questions to be whether Public Data qualified as an “information content provider” by providing reports over the internet and whether it created the content of its reports or the information had instead been provided by third parties.

According to amici, the district court should have analyzed whether the plaintiffs’ FCRA claims sought to impose liability on Public Data as a “publisher or speaker” of information and, if so, whether the information that formed the basis of the claims was provided by another information content provider.  Amici assert that none of the claims against Public Data sought to treat it as a publisher or speaker of information provided by another content provider.  They argue that none of the claims involve a duty that derives from Public Data’s status or conduct as a publisher or speaker but instead involve duties that the FCRA imposes on consumer reporting agencies which are specific to the function of a consumer reporting agency.

Amici also argue that even if the plaintiffs’ FCRA claims are based on the content of Public Data’s reports, Pubic Data is not immune because it is an “information content provider” as to the content of its reports.  An “information content provider” is an entity that is “responsible, in whole or in part, for the creation or development” of content.  According to amici, the allegations show that Public Data is an information content provider because it is responsible in whole or in part for the development of its reports.  The complaint alleged that Public Data “manipulates the data it collects, curates it to match specific individual consumers, puts it into a different format for reporting to customers, draws inferences from the data, and creates original summaries of the data.”

In their joint statement about the amicus brief, CFPB Director Chopra and FTC Chair Khan stated:

This case highlights a dangerous argument that could be used by market participants to sidestep laws expressly designed to cover them.  Across the economy such a perspective would lead to a cascade of harmful consequences.  As tech companies expand into a range of markets, they will need to follow the same laws that apply to other market participants.  The CFPB and FTC will be closely scrutinizing tech companies’ efforts to use Section 230 to sidestep applicable laws and will seek to ensure that this legal shield is not being used or abused to gain an undue competitive advantage over law-abiding businesses.