Section 230 Preempts Fair Credit Reporting Act (FCRA) Claims–Henderson v. Source for Public Data
Section 230 and the Fair Credit Reporting Act (FCRA) have always had an implicit conflict. The FCRA is an old-school regulation of electronic databases run by credit reporting agencies, who gather and republish third-party data. As a result, any FCRA liability for that data seems inconsistent with Section 230’s rule that electronic databases aren’t liable for third-party content.
This opinion addresses that tension head-on, and Section 230 comes out on top. But unfortunately, the opinion reaches this conclusion without clarity about how the FCRA obligations tried to hold the defense liable for third-party content, or whether the defendants even qualified as credit reporting agencies. Worse, the court uses a mangled articulation of the Section 230 defense. It’s possible these defendants should qualify for Section 230, but the court’s legal analysis doesn’t give us a lot of comfort in that answer. Furthermore, because the implications of Section 230 preempting the FCRA are so significant, this opinion will cause extra, and possibly avoidable, friction for Section 230.
* * *
This lawsuit relates to a website called PublicData.com. It aggregates various government records and makes them available for a subscription fee. The plaintiffs allege the website contains inaccurate third-party records and didn’t comply with the FCRA.
The court summarizes the Section 230 issue: because of Zeran, “an interactive computer service shall not be held liable for content they do not create…in this circuit, § 230 provides interactive computer services immunity from suit regarding information originating from third parties.”
As for FCRA claims, “Congress plainly chose five exceptions to § 230 immunity and did not include the FCRA among them. Accordingly, by its plain language, § 230 can apply to FCRA claims.” The court identifies other federal claims preempted by Section 230, including the Fair Housing Act (Chicago Lawyers v. Craigslist), Title III of the ADA (NAD v. Harvard), and Title II of the Civil Rights Act (Noah v. AOL).
Having established the general principle that Section 230 can apply to FCRA claims, the court applies a bastardized version of the standard three-element test for a Section 230(c)(1) defense. The court (incorrectly) says the elements are: “(1) a defendant is an interactive computer service; (2) the content is created by an information content provider; and (3) the defendant is alleged to be the creator of the content.”
1. ICS Provider. In the standard Section 230 defense, this factor considers whether the defendant is a provider or user of an interactive computer service. The court says the defendants “are an access software provider and operate an interactive computer service because they upload the information onto their servers for their clients to access on the internet. Defendants’ status as an interactive computer service is not lost merely because they have purchased the data or edit it like a publisher or distributor in its traditional capacity.” This is the right result but the court’s wording is janky.
2. Content Created by an ICP. All content is created by an “information content provider” by definition, so the court’s articulation of this factor is a tautology. The actual test is whether the ICP was a third party. The court makes a highly unusual move by distinguishing ICPs from “access software providers”:
Plaintiffs clearly state that Defendants do not create the content; they obtain it “from vendors, state agencies, and courthouses.” It is those entities that create the records Defendants upload to their website and collect into a report. Specifically, Plaintiffs aver that Defendants “create summaries of the charges” and “sort, manipulate and infer information.” In fact, Plaintiffs state that Defendants’ “primary and only business function involves purchasing, collecting, and assembling the information contained on [Defendants’] servers.” These allegations fall within the statute’s definition of an access software provider because they “pick, choose, analyze, or digest content.” Plaintiffs do not allege that Defendants materially contribute information or create content. At most, Plaintiffs state that they “strip out or suppress” information. That function falls within § 230(f)(4)(A), which allows access software providers to “filter, screen, allow, or disallow content.” Thus, Defendants are not information content providers as they do not produce the content of the reports at issue in this litigation
(Section 230 protection for stripping out information brought to mind People v. Ferrer, though the Backpage defendants are having a tough time replicating that argument in the federal prosecution).
I believe this interpretation of “access software provider” is novel. I can’t think of another case that essentially treated a typical website as an “access software provider”–and for good reason, because the statutory definition of the term would require websites to provide “software (including client or server software) or enabling tools.” If this court’s treatment of “website = access software provider” sticks, I’m not sure how that interpretation would ripple through the statute.
3. Defendant Allegedly Created the Content. The court’s articulation of this factor, in combination with the prior one, is messed up. The second factor should confirm that the content came from a third party; this factor should examine if the claim treats the defendant as a publisher/speaker. Despite messing up the factor’s characterization, the court reaches the right issue, saying without further analysis that “Plaintiffs treat Defendants as if they are the publisher and distributer of third-party content.” The court rejects the plaintiffs’ allegations that the website improperly remixes the third-party content: “Although Plaintiffs allege that Defendants manipulate and sort the content in a background check report, there no explicit allegation that Defendants materially contribute to or create the content themselves.”
Section 230 and People Search. In general, Section 230 has applied to people search engines (which I think fairly characterizes the defense). See, e.g., Prickett v. InfoUSA, Nasser v. Whitepages, and Merritt v. Lexis Nexis. However, the more recent ruling in Lukis v. Whitepages suggested that plaintiffs could get around Section 230. See also Sweet v. LinkedIn.
This Result Probably Won’t Stand. The court’s distorted Section 230 test makes this ruling vulnerable on appeal or in further proceedings. If this ruling survives, it will provide additional fuel for Section 230 reform in Congress. Several reform bills have proposed to exclude federal claims from Section 230, so there’s already suspicion on the Hill about the Section 230/federal statute overlap. Congress will not let the Big 3 credit agencies work around the FCRA using Section 230.
Case citation: Henderson v. The Source for Public Data, 2021 WL 2003550 (E.D. Va. May 19, 2021)
Pingback: Security News for the Week Ending May 28, 2021 | mtanenbaum()