Fourth Circuit Addresses Whether the CDA Bars Fair Credit Reporting Act Claims Against Online Background Report Site
Fourth Circuit Addresses Whether the CDA Bars Fair Credit Reporting Act Claims Against Online Background Report Site
Websites offering online background reports have proliferated on the Internet. Consumers asserting claims against such sites under the Fair Credit Reporting Act (FCRA) have faced hurdles under Section 230(c)(1) of the Communications Decency Act (CDA). Operators of the sites argue that they are online service providers rather than credit reporting agencies subject to FCRA, and that because the sites collect and organize publicly available data obtained from third parties, Section 230 immunizes them from liability with respect to the background reports generated using such data.
Although some lower courts have considered the question of whether Section 230 immunity applies to FCRA claims brought against online background report providers, Henderson v. Source for Public Data—decided in November 2022—is the first time any U.S. Court of Appeals has addressed the issue. While Section 230 may still provide immunity against some claims asserted against such sites, the Fourth Circuit’s decision in Henderson suggests that such immunity is not categorical and depends on how such sites present third-party data.
FCRA was enacted in 1970 to promote accuracy, fairness, and privacy in consumer information prepared by consumer reporting agencies. It was intended to incentivize consumer reporting agencies to “adopt reasonable procedures” in how they handle consumer credit information in order to promote confidentiality, accuracy, and proper use of data.
FCRA created a cause of action for consumers to sue credit reporting agencies for violations of its requirements. Among FCRA’s requirements are the following: Section 1681g requires credit agencies to provide a consumer with a copy of the information in their file when the consumer requests it. Section 1681b(b)(1) states that when a person requests a consumer report on someone for employment purposes, the credit reporting agency must obtain certification from the employer that it has complied with and will comply with FCRA’s requirements governing their request and use of the report. Section 1681k(a) requires a consumer reporting agency providing a report for employment purposes that contains items based on public record which are “likely to have an adverse effect upon the consumer’s ability to obtain employment” to inform the consumer and to take extra precautions to ensure accuracy and completeness of those items. Section 1681e(b) requires a consumer reporting agency to “follow reasonable procedures to assure maximum possible accuracy” of the information in a consumer report.
Section 230 of the CDA states: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Courts have interpreted Section 230 to provide broad immunity to online service providers with respect to claims arising from information and content provided by third parties.
PublicData.com (“Public Data”) is a website that provides its customers with information about individuals. While Public Data, like most online providers of such information, avoids promoting use of its service for these purposes so as to avoid being deemed a credit reporting agency, its customers often use the information it provides to conduct credit checks as well as background checks for employment purposes.
Public Data acquires publicly available data including criminal and civil litigation records, voting records, driving information, and professional licensing records from local, state, and federal authorities. Public Data then processes and manipulates the data and presents it in a format intended to be more user-friendly. For example, Public Data produces its “own internally created summaries” of criminal charges. Public Data uploads the processed data to a database that its customers can access through its website for a fee. Public Data neither looks for, nor fixes, inaccuracies in the data, and it disclaims any responsibility for inaccurate information.
Plaintiffs brought four FCRA claims against Public Data alleging violations of Sections 1681g, 1681b(b)(1), 1681k(a), and 1681e(b). The district court concluded that Section 230 blocked the claims and granted Public Data’s motion for judgment on the pleadings. It explained that Public Data is an interactive computer service provider, and plaintiffs’ claims sought to hold it liable for content created by a third party, so Section 230 immunized Public Data for the claims.
The Fourth Circuit reversed. It held that Public Data was not entitled to Section 230 immunity for any of the four claims. These claims, according to the ruling, did not treat Public Data as a publisher or speaker of others’ information, and Public Data created the harmful information itself, so Section 230 did not apply.
The Section 1681g claim. Plaintiffs alleged that Public Data violated Section 1681g by failing to provide plaintiffs with a copy of their own employment records and a notice of their FCRA rights when requested. The court held that Section 230 did not apply because the claim was not based on treating Public Data as the publisher or speaker of the publicly available data. Rather, the FCRA violation arose from Public Data’s failure to provide the relevant information to the consumer as required by the FCRA. The court emphasized that, while publishing the reports may have been a but-for cause of the FCRA claim, that causal relationship alone was not sufficient to bring the claim within the scope of Section 230. In order for Section 230 to apply, the Fourth Circuit “require[d] that liability attach to the defendant on account of some improper content within their publication.” In this case, the FRCA claim was based on Public Data’s failure to provide the required information at all, not on “improper” content within the background reports.
The Section 1681b(b)(1) claim. This claim alleged that Public Data violated Section 1681b(b)(1) by failing to get required certifications from the employers to which it provided reports, and by failing to provide those employers with a consumer rights summary. Section 230 did not bar this claim either because, here again, the claim “does not treat Public Data as a publisher.” Alleging that Public Data failed to obtain certification “is in no way based on the improper content of any information spoken or published by Public Data.” The court applied essentially the same analysis with respect to the alleged failure to provide a summary of the consumer’s FCRA rights. Applying the “improper content” analysis, the court noted that “[e]ven if Public Data’s decision to not provide the required summary could be described as a publisher’s decision, the information it failed to provide is proper and lawful content.”
The Section 1681k(a) and Section 1681e(b) claims. Plaintiffs alleged that Public Data violated Section 1681k(a) by failing to notify them when it provided their employment records for employment purposes and by failing to establish adequate procedures to ensure complete and up-to-date information in those records. There was also an alleged violation of Section 1681e(b) for not implementing sufficient procedures to ensure accuracy in its reports. The court concluded that Section 230 did not immunize Public Data because it created the content at issue.
In coming to this determination, the court adopted the “material contribution” test that other circuits (including the Second, Sixth and Ninth) use to determine whether an online platform is the creator of content. For Section 230 purposes, the interactive computer service provider will not be deemed to be “an information content provider” unless it has “gone beyond the exercise of traditional editorial functions and materially contributed to what made the content unlawful.” A service provider becomes an information content provider “whenever its actions cross the line into substantively altering the content at issue” in ways that produce the harm which plaintiff alleges.
The court held that the plaintiffs in Henderson “alleged enough facts to show that Public Data’s own actions contributed in a material way to what made the content at issue” in these two claims “inaccurate and thus improper.” In particular, the plaintiffs alleged that Public Data’s background reports were inaccurate because they summarized and omitted criminal history information in a way that made the reports misleading. Based on these allegations, the court held, “it is plausible that [plaintiff]’s report was misleading based on Public Data’s own actions,” and therefore was not within the scope of the Section 230 safe harbor.
The Fourth Circuit concluded that Section 230 might not shield some FCRA claims brought against online consumer data providers. But whether or not Section 230 provides immunity against FCRA claims is a case-by-case, fact-specific inquiry. While the Fourth Circuit adopted no categorical rules with respect to application of Section 230 to FCRA claims, the court’s “functional approach” requiring that a claim be based on publication of “improper” content rather than merely a but-for causal connection to publishing activity in order for Section 230 to apply is potentially significant.
Additionally, the Fourth Circuit has joined other circuits—including the Second, Sixth, and Ninth Circuits—in adopting the “material contribution” test for determining whether an entity is an information content provider for purposes of Section 230 immunity.
 See, e.g., Dennis v. MyLife.Com, Inc., No. 20-CV-954, 2021 WL 6049830 at *5–7 (D.N.J. Dec. 20, 2021) (concluding that Section 230 shields an online background report retailer from liability under FCRA); Robins v. Spokeo, Inc., No. CV10-05306 ODW AGRX, 2011 WL 1793334 (C.D. Cal. May 11, 2011), superceded by No. CV10-05306 ODW AGRX, 2011 WL 11562151 (C.D. Cal. Sept. 19, 2011), rev’d and remanded, 867 F.3d 1108 (9th Cir. 2017) (declining to reach the issue). Some courts have also addressed whether Section 230 immunity applies to online background report retailers in other contexts. See, e.g., Kellman v. Spokeo, Inc., No. 3:21-CV-08976-WHO, 2022 WL 1157500, at *2, *12–13 (N.D. Cal. Apr. 19, 2022) (concluding that Section 230 does not shield online background report retailers from liability against state tort law causes of action); Knapke v. PeopleConnect Inc., 553 F. Supp. 3d 865, 872, 874–75 (W.D. Wash. 2021), vacated on other grounds, 38 F.4th 824 (9th Cir. 2022) (same); Sessa v. Ancestry.com Operations Inc., 561 F. Supp. 3d 1008 (D. Nev. 2021) (denying motion to dismiss state tort law claim on Section 230 grounds because there existed a material issue of fact as to whether Section 230 shielded liability).
 No. 21-1678, 2022 WL 16643916 (4th Cir. Nov. 3, 2022).
 15 U.S.C. §§ 1681(a)(1), (4).
 See § 1681(b).
 § 1681n.
 § 1681g.
 § 1681b(b)(1).
 § 1681k(a)
 § 1681e(b)
 47 U.S.C. § 230(c)(1).
 Henderson, 2022 WL 16643916, at *1.
 Henderson v. Source for Public Data, 540 F. Supp. 3d 539, 549 (E.D. Va. 2021), rev’d, No. 21-1678, 2022 WL 16643916 (4th Cir. Nov. 3, 2022).
 Henderson, 2022 WL 16643916, at *4.
 15 U.S.C. § 1681g.
 Henderson, 2022 WL 16643916, at *5.
 It is worth noting that the actual language of Section 230(c)(1) refers to “any information provided by another information content provider,” not to “improper” information. The Henderson court appears to have imported this additional requirement from traditional defamation law in order to derive what is describes as a “functional approach” to the Section 230 analysis.
 Henderson, 2022 WL 16643916, at *7.
 Id. at *8.
 Id. at *10 (emphasis added).
 Id. at *11.