InfoBytes Blog

4th Circuit says website does not qualify for Section 230 immunity

On November 3, the U.S. Court of Appeals for the Fourth Circuit reversed and remanded a district court’s summary judgment ruling that a public records website, its founder, and two affiliated entities (collectively, “defendants”) could use Section 230 liability protections under the Communications Decency Act (CDA) to shield themselves from credit reporting violations. As previously covered by InfoBytes, plaintiffs alleged, among other things, that because the defendants’ website collects, sorts, summarizes, and assembles public record information into reports that are available for third parties to purchase, it qualifies as a consumer reporting agency (CRA) under the FCRA, and as such, must follow process-oriented requirements that the FCRA imposes on CRAs. However, the district court determined that the immunity afforded by Section 230 of the Communication and Decency Act applied to the FCRA and that the defendants qualified for such immunity and could not be held liable for allegedly disseminating inaccurate information and failing to comply with the law’s disclosure requirements.

On appeal, the 4th Circuit reviewed whether a consumer lawsuit alleging violations of the FCRA’s procedural and disclosure requirements and seeking to hold the defendants liable as the publisher or speaker of information provided by a third party is thereby preempted by Section 230. The appellate court agreed with an amicus brief filed in 2021 by the FTC, CFPB, and the North Carolina Department of Justice, which urged the appellate court to overturn the district court ruling on the basis that the court misconstrued Section 230—which they assert is unrelated to the FCRA—by extending immunity to “claims that do not seek to treat the defendant as the publisher or speaker of any third-party information.” According to the amicus brief, liability turns on the defendants’ alleged failure to comply with FCRA obligations to use reasonable procedures when preparing reports, to provide consumers with a copy of their files, and to obtain certifications and notify consumers when reports are furnished for employment purposes.

The 4th Circuit held that Section 230(c)(1) of the CDA “extends only to bar certain claims, in specific circumstances, against particular types of parties,” and that the four claims raised in this case were not subject to those protections. “Section 230(c)(1) provides protection to interactive computer services,” the appellate court wrote, “[b]ut it does not insulate a company from liability for all conduct that happens to be transmitted through the internet.” Specifically, the appellate court said two of the counts—which allege that the defendants failed to give consumers a copy of their own report when requested and did not follow FCRA requirements when providing reports for employment purposes—do not seek to hold the defendants liable as a speaker or publisher, and therefore fall outside Section 230 protections. As for the remaining two counts related to claims that the defendant failed to ensure records for employment purposes were complete and up-to-date, or adopt procedures to assure maximum possible accuracy when preparing reports, the 4th Circuit concluded that the defendants “made substantive changes to the records’ content that materially contributed to the records’ unlawfulness. That makes [defendants] an information content provider, under the allegations, for the information relevant to Counts Two and Four, meaning that it is not entitled to § 230(c)(1) protection for those claims.”

Courts Appellate Fourth Circuit FCRA Communications Decency Act Consumer Reporting Agency