The Fourth Circuit Court of Appeals in Henderson v. Source For Pub. Data, L.P., No. 21-1678, 2022 U.S. App. LEXIS 30534 (4th Cir. Nov. 3, 2022) found that the protections of Section 230 of the Communications Decency Act did not extend to a public data aggregation company.  The ruling reversed the district court’s order dismissing all claims in a putative class action alleging Fair Credit Reporting Act (“FCRA”) violations against the data aggregator, (“Public Data”), based on Section 230.

Public Data purchases, collects, and assembles public record information into reports that which potential employers can purchase on the company’s website.  These records are typically gathered from government sources such as court filings, and may include information about an individual’s property ownership, criminal history, and bankruptcies.  Plaintiffs alleged four separate causes of action under the FCRA that Public Data’s practices resulted in it providing reports containing inaccurate criminal history information and claimed that Public Data violated the FCRA by failing to comply with various requirements, including the requirement to follow reasonable procedures to assure accuracy in the preparation of consumer reports.

The sole focus of the appeal was whether Public Data was protected from plaintiffs’ claims under Section 230.  Section 230 immunizes providers of internet services from liability for the content posted by their users.  It provides that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”  In order to be afforded protection under Section 230, Public Data was required to establish (1) it is a “‘provider or user of an interactive computer service’”; (2) the plaintiffs’ claim holds Public Data “responsible ‘as the publisher or speaker of any information’”; and (3) the relevant information was “‘provided by another information content provider.’”

The Fourth Circuit found that Public Data was not afforded Section 230 immunity because plaintiffs’ first and third causes of action under the FCRA did not treat Public Data as a publisher or speaker of information (and therefore Public Data could not establish the second element of the Section 230 immunity test).  For instance, Public Data’s liability under the first cause of action hinged on whether it failed to provide consumers a copy of their consumer report upon request.  Further, Public Data’s liability under the third cause of action rested on whether it failed to provide the requisite summary of consumer rights to the putative employer.

The Fourth Circuit further found that Public Data was not protected by Section 230 from plaintiffs’ second and fourth causes of action, both of which seek to impose liability based on Public Data’s failure to maintain proper procedures to ensure accurate information under the FCRA.  The third element of the Section 230 immunity test requires that the disputed information was provided by a third party.  However, unlike digital hosts of content (i.e., Facebook and Twitter), Public Data itself was the “information content provider” for the allegedly inaccurate information at-issue.

Thus, all four of plaintiffs’ causes of action under the FCRA survived dismissal.  The Henderson decision could have legal implications for other companies that compile and sell information gathered from public records.

The CFPB, FTC, and the North Carolina Department of Justice filed a joint amicus brief in support of the position adopted by the Fourth Circuit, which we covered in a prior blog.