53 F.4th 110

4th Cir.

2022

TYRONE HENDERSON, SR.; GEORGE I. HARRISON, JR.; ROBERT MCBRIDE, on behalf of himself and others similarly situated v. THE SOURCE FOR PUBLIC DATA, L.P., d/b/a Publicdata.com; SHADOWSOFT, INC.; HARLINGTON-STRAKER STUDIO, INC.; AND DALE BRUCE STRINGFELLOW

No. 21-1678

UNITED STATES COURT OF APPEALS FOR THE FOURTH CIRCUIT

November 3, 2022

PUBLISHED

FEDERAL TRADE COMMISSION; CONSUMER FINANCIAL PROTECTION BUREAU; NORTH CAROLINA; TEXAS; ALABAMA; ARIZONA; ARKANSAS; CONNECTICUT; GEORGIA; IOWA; MAINE; MICHIGAN; MINNESOTA; MISSISSIPPI; NEBRASKA; NEVADA; NORTH DAKOTA; OHIO; SOUTH CAROLINA; SOUTH DAKOTA; UTAH; VERMONT; VIRGINIA; NATIONAL CONSUMER LAW CENTER; NATIONAL FAIR HOUSING ALLIANCE; LAWYERS’ COMMITTEE FOR CIVIL RIGHTS UNDER LAW

Amici Supporting Appellants.

Appeal from the United States District Court for the Eastern District of Virginia, at Richmond. Henry E. Hudson, Senior District Judge. (3:20-cv-00294-HEH)

Argued: May 3, 2022 Decided: November 3, 2022

Before AGEE, RICHARDSON, and QUATTLEBAUM, Circuit Judges.

Reversed and remanded by published opinion. Judge Richardson wrote the opinion, in which Judge Agee and Judge Quattlebaum joined.

ARGUED: Jennifer D. Bennett, GUPTA WESSLER, San Francisco, California, for Appellants. Kyle David Highful, OFFICE OF THE ATTORNEY GENERAL OF TEXAS, Austin, Texas, for Amici States. Theodore (Jack) Metzler, FEDERAL TRADE COMMISSION, Washington, D.C., for Amicus Federal Trade Commission. Misha Tseytlin, TROUTMAN PEPPER HAMILTON SANDERS LLP, Chicago, Illinois, for Appellees. ON BRIEF: Leonard A. Bennett, Craig C. Marchiando, CONSUMER LITIGATION ASSOCIATES, P.C., Newport News, Virginia; Kristi C. Kelly, KELLY GUZZO PLC, Fairfax, Virginia; Matthew W.H. Wessler, GUPTA WESSLER, Washington, D.C., for Appellants. Timothy J. St. George, Richmond, Virginia, Ronald I. Raether, Jr., TROUTMAN PEPPER HAMILTON SANDERS LLP, Irvine, California, for Appellees. Steven Van Meter, Acting General Counsel, Steven Y. Bressler, Acting Deputy General Counsel, Laura Hussain, Assistant General Counsel, Derick Sohn, Senior Counsel, CONSUMER FINANCIAL PROTECTION BUREAU, Washington, D.C.; James Reilly Dolan, Acting General Counsel, Joel Marcus, Deputy General Counsel, FEDERAL TRADE COMMISSION, Washington, D.C.; Joshua H. Stein, Attorney General, Daniel P. Mosteller, Deputy General Counsel, NORTH CAROLINA DEPARTMENT OF JUSTICE, Raleigh, North Carolina, for Amici Federal Trade Commission, Consumer Financial Protection Bureau, and North Carolina. John G. Albanese, Ariana Kiener, BERGER MONTAGUE PC, Minneapolis, Minnesota, for Amici National Consumer Law Center, Upturn, American Civil Liberties Union, National Housing Law Project, National Employment Law Project, and National Low Income Housing Coalition. Ken Paxton, Attorney General, Brent Webster, First Assistant Attorney General, Judd E. Stone II, Solicitor General, Bill Davis, Deputy Solicitor General, OFFICE OF THE ATTORNEY GENERAL OF TEXAS, Austin, Texas, for Amicus State of Texas. Steve Marshall, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF ALABAMA, Montgomery, Alabama, for Amicus State of Alabama. Mark Brnovich, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF ARIZONA, Phoenix, Arizona, for Amicus State of Arizona. Leslie Rutledge, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF ARKANSAS, Little Rock, Arkansas, for Amicus State of Arkansas. William Tong, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF CONNECTICUT, Hartford, Connecticut, for Amicus State of Connecticut. Christopher M. Carr, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF GEORGIA, Atlanta, Georgia, for Amicus State of Georgia. Tom Miller, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF IOWA, Des Moines, Iowa, for Amicus State of Iowa. Aaron M. Frey, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF MAINE, Augusta, Maine, for Amicus State of Maine. Dana Nessel, Attorney General,

OFFICE OF THE ATTORNEY GENERAL OF MICHIGAN, Lansing, Michigan, for Amicus State of Michigan. Keith Ellison, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF MINNESOTA, St. Paul, Minnesota, for Amicus State of Minnesota. Lynn Fitch, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF MISSISSIPPI, Jackson, Mississippi, for Amicus State of Mississippi. Douglas J. Peterson, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF NEBRASKA, Lincoln, Nebraska, for Amicus State of Nebraska. Aaron D. Ford, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF NEVADA, Las Vegas, Nevada, for Amicus State of Nevada. Wayne Stenehjem, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF NORTH DAKOTA, Bismarck, North Dakota, for Amicus State of North Dakota. Dave Yost, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF OHIO, Columbus, Ohio, for Amicus State of Ohio. Alan Wilson, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF SOUTH CAROLINA, Columbia, South Carolina, for Amicus State of South Carolina. Jason R. Ravnsborg, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF SOUTH DAKOTA, Pierre, South Dakota, for Amicus State of South Dakota. Sean D. Reyes, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF UTAH, Salt Lake City, Utah, for Amicus State of Utah. Thomas J. Donovan, Jr., Attorney General, OFFICE OF THE ATTORNEY GENERAL OF VERMONT, Montpelier, Vermont, for Amicus State of Vermont. Mark R. Herring, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF VIRGINIA, Richmond, Virginia, for Amicus Commonwealth of Virginia. Jon Greenbaum, David Brody, Noah Baron, Adonne Washington, LAWYERS’ COMMITTEE FOR CIVIL RIGHTS UNDER LAW, Washington, D.C.; D. Scott Chang, Morgan Williams, NATIONAL FAIR HOUSING ALLIANCE, Washington, D.C.; Zarema A. Jaramillo, Joshua E. Morris, Washington, D.C., Mary J. Hildebrand, Sydney J. Kaplan, LOWENSTEIN SANDLER LLP, New York, New York, for Amici the Lawyers’ Committee for Civil Rights Under Law and the National Fair Housing Alliance.

RICHARDSON, Circuit Judge:

Section 230(c)(1) of the Communications Decency Act protects some parties operating online from specific claims that would lead to liability for conduct done offline. But it is not a license to do whatever one wants online. Protection under § 230(c)(1) extends only to bar certain claims imposing liability for specific information that another party provided.

Public Data sought § 230(c)(1) protection against four claims brought against it for violating the Fair Credit Reporting Act (“FCRA“). The district court agreed that the claims were precluded by § 230(c)(1). Plaintiffs appealed, arguing that § 230(c)(1) does not apply. We agree. Plaintiffs have alleged facts that, if true, render § 230(c)(1) inapplicable to their four claims. So we reverse the district court and remand for further proceedings.

I. Background

Defendants are The Source of Public Data, L.P.; ShadowSoft, Inc.; Harlington-Straker Studio, Inc.; and Dale Bruce Stringfellow. Defendants’ relation to each other and to the website PublicData.com is complex but unimportant to this appeal. Rather than break out the white board and red string to understand how they fit together, we accept on appeal Plaintiffs’ allegation that all Defendants are alter egos jointly responsible for any FCRA liability arising from the business activities conducted on PublicData.com.¹ So we refer to Defendants collectively as “Public Data.”

Public Data‘s business is providing third parties with information about individuals. Plaintiffs allege that it involves four steps.

First, Public Data acquires public records, such as criminal and civil records, voting records, driving information, and professional licensing. These records come from various local, state, and federal authorities (and other businesses that have already collected those records).

Second, Public Data “parses” the collected information and puts it into a proprietary format. This can include taking steps to “reformat and alter” the raw documents, putting them “into a layout or presentation [Public Data] believe[s] is more user-friendly.” J.A. 16. For criminal records, Public Data “distill[s]” the data subject‘s criminal history into “glib statements,” “strip[s] out or suppress[es] all identifying information relating to the charges,” and then “replace[s] this information with [its] own internally created summaries of the charges, bereft of any detail.” J.A. 30.

Third, Public Data creates a database of all this information which it then “publishes” on the website PublicData.com. Public Data does not look for or fix inaccuracies in the database, and the website disclaims any responsibility for inaccurate information. Public Data also does not respond to requests to correct or remove inaccurate information from the database.

Fourth, Public Data sells access to the database, “disbursing [the] information . . . for the purpose of furnishing consumer reports to third parties.” J.A. 19. All things told, Plaintiffs allege that Public Data sells 50 million consumer searches and reports per year. Public Data knows that traffic includes some buyers using its data and reports to check creditworthiness and some performing background checks for employment purposes.

Plaintiffs allege that Public Data‘s activities injured them. Plaintiffs Henderson, Harrison, and McBride have each requested a copy of the records Public Data keeps on them, but Public Data has not provided those records. Plaintiff McBride also alleges that he applied for a job that required a background check. As part of that check, his potential employer used a background report from Public Data. Public Data‘s report on McBride was inaccurate because it contained misleading and incomplete criminal history. McBride was not hired.²

Plaintiffs bring four claims against Public Data alleging it violated four provisions of the FCRA.³ Underlying each claim is the contention that Public Data must comply with

the FCRA because they produce “consumer report[s]” and are a “consumer reporting agency” under the Act.⁴

In Count One, Plaintiffs allege that Public Data violated § 1681g⁵ by failing to provide them a copy of their own records and a notice of their FCRA rights when requested. In Count Three, Plaintiff McBride alleges that Public Data violated § 1681b(b)(1)⁶ by failing to get certain certifications from employers it provided reports to, and by failing to provide those employers with a consumer-rights summary. Counts Two and Four both seek to impose liability for Public Data‘s failure to maintain proper procedures to ensure accurate information. Count Two alleges that Public Data violated § 1681k(a)⁷ by failing

to notify Plaintiffs when it provided their records for employment purposes and by failing to establish adequate procedures to ensure complete and up to date information in those records. And in Count Four, Plaintiff McBride alleges, for himself only, that Public Data violated § 1681e(b)⁸ by not implementing sufficient procedures to ensure accuracy in its reports.

Public Data moved for judgment on the pleadings, arguing that each claim was barred by § 230(c)(1). The district court agreed and granted judgment for Public Data. See Henderson v. Source for Pub. Data, 540 F. Supp. 3d 539, 543 (E.D. Va. May 19, 2021). Plaintiffs appealed, and we have jurisdiction under 28 U.S.C. § 1291.

II. Discussion

Section 230 provides internet platforms with limited legal protections. See generally Adam Candeub, Reading Section 230 as Written, 1 J. Free Speech L. 139 (2021). Subsection 230(c)(1) prohibits treating an interactive computer service as a publisher or speaker of any information provided by a third party. And § 230(c)(2) bars liability for a platform‘s actions to restrict access to obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise-objectionable material.

On appeal, this case deals exclusively with the protection provided by § 230(c)(1): “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Read plainly, this text requires that a defendant like Public Data must establish three things to claim protection: (1) The defendant is a “provider or user of an interactive computer service“; (2) the plaintiff‘s claim holds the defendant “responsible ‘as the publisher or speaker of any information‘“; and (3) the relevant information was “provided by another information content provider.” Nemet Chevrolet, Ltd. v. Consumeraffairs.com, Inc., 591 F.3d 250, 254 (4th Cir. 2009) (quoting § 230(c)(1)).⁹ These three requirements look first to the defendant‘s status (i.e., are they a provider or user of an “interactive computer service“), then to the kind of claim the plaintiff has brought (i.e., does the plaintiff treat the defendant as a publisher or speaker of information), and finally to the source of the information underlying the plaintiff‘s claim (i.e., who provided the information).

Public Data asserts that its activities, as described in Plaintiffs’ FCRA claims, satisfy all three § 230(c)(1) requirements, so that § 230(c)(1) bars those claims. Plaintiffs disagree. For this appeal, they admit that Public Data is an interactive computer service¹⁰ but challenge the other two requirements necessary for § 230(c)(1) protection. On the second requirement, Plaintiffs argue their claims do not treat Public Data as the publisher or speaker of the offending information. And on the third requirement, Plaintiffs allege that Public Data itself acted as an “information content provider” of the offending information such that the information did not come solely from “another information content provider.”

We conclude that § 230(c)(1) does not bar Counts One and Three because those claims do not treat Public Data as a publisher or speaker of information. For Counts Two and Four, we need not determine whether this second requirement is met because we conclude that Plaintiffs have alleged enough facts to plausibly infer that Public Data is an information content provider that provided the improper information. As Public Data cannot establish at this stage that it meets the third requirement for Counts Two and Four, § 230(c)(1) does not now apply. So we reverse, and all claims are remanded for further proceedings consistent with this opinion.

A. Requirement Two: Publisher or Speaker of Information

Section 230(c)(1)‘s second requirement asks whether the plaintiff‘s legal claim requires that the defendant be “treated as the publisher or speaker of any information.” In other words, for protection to apply, the claim must turn on some “information,” and must treat the defendant as the “publisher or speaker” of that information. See § 230(c)(1) (No internet platform “shall be treated as the publisher or speaker of any information . . .“); see also Zeran, 129 F.3d at 330 (describing § 230(c)(1) as protecting a defendant from being “liable for information” when the defendant acts in the “publisher‘s role” for that information). A claim treats the defendant “as the publisher or speaker of any information” when it (1) makes the defendant liable for publishing certain information to third parties, and (2) seeks to impose liability based on that information‘s improper content.

Our precedent demands that we ask whether the claim “thrust[s]” the interactive service provider “into the role of a traditional publisher.” Zeran, 129 F.3d at 332. The term “publisher” as used in § 230(c)(1) “derive[s] [its] legal significance from the context of defamation law.” Id.¹¹ Thus, the scope of “the role of a traditional publisher,” and

therefore the scope of what § 230(c)(1) protects, is guided by the common law. See id. (“[Defendant] falls squarely within this traditional definition of a publisher and, therefore, is clearly protected by § 230‘s immunity.” (citing W. Page Keeton et al., Prosser and Keeton on the Law of Torts § 113, at 803 (5th ed. 1984)).¹²

At common law, a publisher was someone who intentionally or negligently disseminated information to third parties.¹³ In this context, a third party is someone other than the subject of the information disseminated.¹⁴ Thus, for a claim to treat someone as a

publisher under § 230(c)(1), the claim must seek to impose liability based on the defendant‘s dissemination of information to someone who is not the subject of the information.

But that alone is not enough. To meet the second requirement for § 230(c)(1) protection, liability under the claim must be “based on the content of the speech published” by the interactive service provider. Erie Insurance Co., 925 F.3d at 139. At common law, defamation required publishing a “false and defamatory statement.” Restatement (Second) of Torts § 558(a), at 155 (Am. L. Inst. 1965). The publisher was held liable because of the improper nature of the content of the published information.¹⁵ In other words, to hold someone liable as a publisher at common law was to hold them responsible for the content‘s

improper character. We have interpreted “publisher” in § 230(c)(1) in line with this common-law understanding. Thus for § 230(c)(1) protection to apply, we require that liability attach to the defendant on account of some improper content within their publication. See Erie Ins. Co., 925 F.3d at 139–40 (“There is no claim made based on the content of speech published by [Defendant]—such as a claim that [Defendant] had liability as the publisher of a misrepresentation of the product or of defamatory content.“).

This improper-content requirement helps dispel Public Data‘s notion that a claim holds a defendant liable as a publisher anytime there is a “but-for” causal relationship between the act of publication and liability. See Appellee‘s Response Brief 20–21 (“Put another way, had Public Data not published court records on its website, Plaintiffs could not have brought their Section 1681g(a) claim.“). This “but-for” publication test would say a claim treats an entity as a “publisher” under § 230(c)(1) if liability hinges in any way on the act of publishing. This but-for test bears little relation to publisher liability at common law. To be held liable for information “as the publisher or speaker” means more than that the publication of information was a but-for cause of the harm. See Erie Ins. Co., 925 F.3d at 139–40; HomeAway.com, 918 F.3d at 682.

Erie Insurance is a good example. There, we held that Amazon was not protected by § 230(c)(1) in a product-liability suit even though publishing information was a but-for cause of the harm—i.e., the product was bought from Amazon‘s website, making the advertisement‘s publication a necessary link in the causal chain that led to setting the buyer‘s house on fire. See Erie Insurance Co., 925 F.3d at 138–40. Though publishing information was a but-for cause, we refused to apply § 230(c)(1) protection because the

plaintiff‘s product-liability claim was based on Amazon “as the seller of the defective product . . . [not] the content of speech published by Amazon.” Id. at 139–40.

So, to paraphrase the test we began with, a claim only treats the defendant “as the publisher or speaker of any information” under § 230(c)(1) if it (1) bases the defendant‘s liability on the disseminating of information to third parties and (2) imposes liability based on the information‘s improper content.

Based on these two requirements, we can see that § 230(c)(1) does not provide blanket protection from claims asserted under the FCRA just because they depend in some way on publishing information. Yes, the FCRA imposes procedural obligations on any “consumer reporting agency.” See Ross v. FDIC, 625 F.3d 808, 812 (4th Cir. 2010) (“The FCRA is a comprehensive statutory scheme designed to regulate the consumer reporting industry.“). And each claim here alleges that Public Data ignored those obligations as a member of that regulated industry.¹⁶ So publishing information online is a but-for cause

of Public Data being a consumer reporting agency subject to the FCRA‘s requirements. Most of what Public Data allegedly does, after all, is publish things on the internet. That means that publishing information is one but-for cause of these FCRA claims against Public Data. If Public Data is a “consumer reporting agency” subject to FCRA liability, it is one because it is the publisher or speaker of consumer report information. Yet that alone is not sufficient, as we do not apply a but-for test. See Erie Ins. Co., 925 F.3d at 139–40; HomeAway.com, 918 F.3d at 682. We must instead examine each specific claim.¹⁷

It is also true that, at a high level, liability under the FCRA depends on the content of the information published. Both the definition of “consumer reporting agency” and the definition of “consumer reports” reference “credit information” or “information . . . bearing on a consumer‘s credit worthiness.” § 1681a(d)(1), (f). If Public Data and its activities did not meet these definitions, there could be no liability under these FCRA claims. In this way, liability for each claim hinges on the published information‘s content. Yet, while the informational content matters, § 230(c)(1) protects Public Data only from claims that demand the information‘s content be improper before imposing liability. And, as a class, there is nothing improper about “credit information” or

“information . . . bearing on a consumer‘s credit worthiness.” Again, we must examine each specific claim in context to see if the claim treats Public Data as a publisher under § 230(c)(1).

Finally, when considering whether any claim treats Public Data as a publisher, our precedent teaches that we must look beyond the claim‘s formal elements. Beginning in Zeran, our Court has stressed a functional approach. In our functional analysis, we ask whether holding this defendant liable requires treating them as a publisher, not whether every abstract violation requires it. See Zeran, 129 F.3d at 332; Erie Ins. Co., 925 F.3d at 139. To make this determination, we look to see what the plaintiff in our case must prove. If the plaintiff‘s recovery requires treating the defendant as a publisher, then the defendant has satisfied § 230(c)(1)‘s second requirement.

Zeran itself is instructive. There, Kenneth Zeran made a negligence claim against AOL. Zeran, 129 F.3d at 332. A defendant can, of course, be negligent without publishing anything. Yet Zeran asserted that AOL was negligent “because it communicated to third parties an allegedly defamatory statement.” Id. at 333. That is, Zeran‘s specific negligence claim treated the defendant as a publisher. So while not every negligence claim treats a defendant as a publisher, Zeran‘s negligence claim did; so we held that claim was foreclosed by § 230(c)(1). Id. at 332–33.

We thus turn to the four specific claims asserted.

Count One is based on FCRA § 1681g and does not seek to impose liability on Public Data as a speaker or publisher of any information. Section 1681g requires consumer reporting agencies to give consumers a copy of their own consumer report along with an

FCRA notice upon request.¹⁸ So it is based on a failure to disseminate information about an individual to that same individual, not a third party. Recall that “[p]ublication of defamatory matter is its communication intentionally or by a negligent act to one other than the person defamed.” See Restatement (Second) of Torts § 577, at 201 (emphasis added). So Section 1681g does not seek to hold Public Data liable “as the publisher” under § 230(c)(1), and § 230(c)(1) does not bar Count One.

Like Count One, Count Three does not treat Public Data as a speaker or publisher. Count Three seeks to impose liability on Public Data for violating § 1681b(b)(1), which lays out two requirements that a consumer reporting agency must meet before they may provide a consumer report “for employment purposes.” § 1681b(b)(1). First, the employer who gets the report must certify both that they have complied with the FCRA‘s requirements and that they will not use the information in violation of state or federal law. § 1681b(b)(1)(A)(i)–(ii). And, second, the consumer reporting agency must also provide a summary of the consumer‘s FCRA rights to the employer. § 1681b(b)(1)(B).

The requirement that a consumer reporting agency obtain certification from an employer is easily disposed of because liability is in no way based on the improper content of any information spoken or published by Public Data. Here, if liability is based on information, it is only Public Data‘s failure to obtain the required information (certification) from the employer that matters.

Slightly more vexingly, Count Three also does not treat Public Data as a publisher because liability depends on Public Data‘s failure to provide a summary of consumer rights to the putative employer (§ 1681b(b)(1)‘s second requirement). Even if Public Data‘s decision to not provide the required summary could be described as a publisher‘s decision, the information it failed to provide is proper and lawful content. And § 230(c)(1) applies only when the claim depends on the content‘s impropriety. Therefore, Public Data‘s failure to summarize consumer rights cannot fall within § 230(c)(1) protection.

Unlike Counts One and Three, Counts Two and Four may seek to hold Public Data liable as the publisher of information. Section 1681e(b), the basis for Count Four, requires that a consumer reporting agency “follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.” Likewise, liability under § 1681k(a), the gravamen of Count Two, requires that a consumer reporting agency that is selling consumer reports “for employment purposes” which “are likely to have an adverse effect on a consumer‘s ability to obtain employment” must “maintain strict procedures” to ensure that any consumer information “is complete

and up to date.” §§ 1681k(a), 1681k(a)(2).¹⁹ Thus, both claims seek to impose liability based on an agency‘s failure to maintain proper procedures to ensure accurate information. On its face, liability for failing to maintain proper procedures does not seem to fall within § 230(c)(1)‘s ambit as we have described it. After all, the FCRA‘s statutory language here requires neither dissemination of information to third parties nor improper content. Yet a little digging uncovers two levels of complexity.

First, current Fourth Circuit precedent requires that a plaintiff bringing a claim under both § 1681e(b), and by implication § 1681k(a), show the defendant‘s “consumer report contains inaccurate information.” Dalton, 257 F.3d at 415. Though the textual basis for requiring an inaccuracy is unclear, Dalton provided that liability under Counts 2 and 4 depend on inaccurate information.²⁰ And that suggests that Counts 2 and 4 thus functionally impose liability on the defendant based on the information‘s impropriety.

Second, a private plaintiff bringing a claim in federal court, as is the case here, under § 1681e(b) or § 1681k(a) must show that Public Data disseminated information to third parties to satisfy Article III standing. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2214

(2021). The statutory provisions might be violated without the dissemination of any information, as the FCRA itself does not condition these provisions on disseminating the report but on failing to follow proper procedures to ensure a report‘s accuracy. But a private plaintiff lacks standing to bring a reasonable-procedures claim unless the plaintiff‘s report was provided to a third party. Id. So it may be that these reasonable-procedures claims turn on Public Data providing the inaccurate information to a third party.²¹ See id; Spokeo, Inc. v. Robins, 578 U.S. 330, 342 (2016) (providing “entirely accurate” information without complying fully with the FCRA‘s procedures is a “bare procedural violation” that cannot “satisfy . . . Article III“). Considering past precedent and the Constitution‘s limited judicial power, perhaps Counts Two and Four functionally depend on Public Data disseminating inaccurate information to a third party. But we need not, and do not, decide whether our functional approach can stretch the meaning of being “treated as the publisher or speaker of any information” far enough to cover Counts Two and Four. For as we will see, Public Data was “another information content provider” for the information at issue in Counts 2 and 4. So, based on the third requirement, § 230(c)(1) protection fails for those two counts.

B. Requirement Three: Provided by Another Information Content Provider

The third and final requirement for § 230(c)(1) protection is that the information at issue in the plaintiff‘s claim be “provided by another information content provider.”

§ 230(c)(1) (emphasis added). An “‘information content provider’ means any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.” § 230(f)(3).

Plaintiffs argue that this third requirement is not met because Public Data itself is an “information content provider” for the relevant information.²² We agree. The plaintiffs’ complaint plausibly alleges that Public Data is an information content provider for the information that creates liability under these two counts. So, on these alleged facts, § 230(c)(1) does not bar Counts Two and Four.²³

Public Data is an “information content provider” if they are “responsible, in whole or in part, for the creation or development” of the information at issue. This Court has never fully defined the terms “creation” or “development” as they are used in the statute.

But we have explained that “lawsuits seeking to hold a service provider liable for its exercise of a publisher‘s traditional editorial functions—such as deciding whether to publish, withdraw, postpone or alter content—are barred.” Zeran, 129 F.3d at 330; see also Nemet, 591 F.3d at 258 (“creation” or “development” of information requires “something more than [what] a website operator performs as part of its traditional editorial function“).

Other circuits have put more flesh onto these definitions, determining that an interactive computer service provider or user is responsible for the development²⁴ of the information at issue in the case if they “directly and ‘materially’ contributed to what made the content itself ‘unlawful.‘” Force v. Facebook, 934 F.3d 53, 68 (2d Cir. 2019) (quoting LeadClick, 838 F.3d at 174); see Fair Hous. Council of San Fernando Valley v. Roommates.Com, LLC, 521 F.3d 1157, 1168 (9th Cir. 2008) (explaining that a defendant is an information content provider if they “contribute[d] materially to the alleged illegality of the conduct“); Jones, 755 F.3d at 413 (“Consistent with our sister circuits, we adopt the material contribution test.“). And while this Court has never explicitly adopted “material contribution” as the test, we applied it in Nemet to determine that the website operator there was not an information content provider. See Nemet, 591 F.3d at 257–58 (noting that the plaintiff failed to allege that the website operator “contributed to the allegedly fraudulent nature of the comments at issue“).

Additionally, the material-contribution test fits well within our broader § 230(c)(1) jurisprudence. Zeran and Nemet rest on the principle that liability for an interactive computer service user or provider must turn on “something more than . . . its traditional editorial function.” Nemet, 591 F.3d at 258 (citing Zeran, 129 F.3d at 330). All the material-contribution test does is put a more helpful name to this “something more” standard. And defining “something more” as a material contribution makes sense. As Zeran notes, § 230 bars liability against “companies that serve as intermediaries for other parties’ potentially injurious messages.” Zeran, 129 F.3d at 330–31. But where a company materially contributes to a message‘s unlawful content, that company stops being a mere “intermediary” for another party‘s message. Instead, the company is adding new content to the message that harms the plaintiff. We thus hold that an interactive computer service is not responsible for developing the unlawful information unless they have gone beyond the exercise of traditional editorial functions and materially contributed to what made the content unlawful.

Whether a defendant developed information such that they are an “information content provider” turns on whether the defendant has materially contributed to the piece(s) of information relevant to liability. Section 230(c)(1) applies if a defendant has materially contributed only to parts of the disseminated information that do not make the disseminated information unlawful (if § 230(c)(1) is otherwise applicable). For example, in Jones, the Sixth Circuit determined that a website had not materially contributed to defamatory content that it hosted. Jones, 755 F.3d at 416. This was so even though the website operator had authored his own comments underneath the alleged defamatory material. Id.

In drawing this conclusion, the court noted that “[t]o be sure, [the operator] was an information content provider as to his comment . . . [b]ut [Plaintiff] did not allege that [the operator‘s] comments were defamatory.” Id. In other words, the § 230(c)(1)‘s third requirement did not turn on whether the defendant materially contributed to some part of the total information disseminated—i.e., the entire post—but on whether the defendant materially contributed to the defamatory aspect of the information. Id.; see La Liberte v. Reid, 966 F.3d 79, 89 (2d Cir. 2020) (applying liability when defendant was responsible for the content‘s defamatory portion). Our approach is the same. See Nemet, 591 F.3d at 255-60 (discussing twenty allegedly defamatory posts in separate groups based on the defendant‘s involvement with the posts before concluding that the plaintiff failed to show that defendant “was responsible for the creation or development of the allegedly defamatory content at issue“).

Plaintiffs have alleged enough facts to show that Public Data‘s own actions contributed in a material way to what made the content at issue in Counts Two and Four inaccurate and thus improper. Plaintiff McBride claims that the report Public Data sent to his potential employer was inaccurate because it omitted or summarized information in a way that made it misleading. And, from Plaintiffs’ allegations, it is plausible that McBride‘s report was misleading based on Public Data‘s own actions.

As a general matter, Plaintiffs claim that Public Data handles criminal matters by “strip[ping] out or suppress[ing] all identifying information relating to the charges . . . [including] dispositions” and that it then “replace[s] this information with [its] own internally created summaries of the charges, bereft of any detail.” J.A. 30. As to McBride‘s

report specifically, Plaintiffs allege that the report “suggest[ed] that Plaintiff McBride had been convicted of each of the offenses listed,” but that “the report was inaccurate and incomplete as it failed to indicate that several of the offenses listed had been nolle prossed.” J.A. 37–38. These allegations, and all reasonable inferences, sufficiently allege that the inaccuracies in McBride‘s report resulted from Public Data‘s stripping out the nolle prosequi disposition for McBride‘s charges and adding in its own misleading summaries.

Thus, on Plaintiffs’ allegations, Public Data‘s summaries and omissions materially contribute to the report‘s impropriety. They are not merely an exercise of traditional editorial functions. When Zeran proclaimed that § 230(c)(1) barred claims based on a defendant‘s exercise of traditional editorial functions, it also provided a suggestive list including “deciding whether to publish, withdraw, postpone or alter content.” Zeran, 129 F.3d at 330. Of course, in a sense, omitting the criminal charge dispositions is just “altering” their content, as is creating new charge summaries. Yet, Zeran‘s list of protected functions must be read in its context, and that context cabins that list to merely “editorial” functions. It cannot be stretched to include actions that go beyond formatting or procedural alterations and change the substance of the content altered.²⁵ An interactive service

provider becomes an information content provider whenever their actions cross the line into substantively altering the content at issue in ways that make it unlawful.²⁶

Applying these principles to Counts Two and Four, Public Data—according to Plaintiffs’ allegations—has materially contributed to what makes the content at issue unlawful. The content relevant to Counts Two and Four is only unlawful because it is inaccurate. But, as alleged, the content provided to Public Data about McBride was not inaccurate. Instead, through Public Data‘s actions, the records were changed so as to introduce the inaccuracies. Public Data thus made substantive changes to the records’ content that materially contributed to the records’ unlawfulness. That makes Public Data an information content provider, under the allegations, for the information relevant to Counts Two and Four, meaning that it is not entitled to § 230(c)(1) protection for those claims.

Section 230(c)(1) provides protection to interactive computer services. Zeran, 129 F.3d at 331. But it does not insulate a company from liability for all conduct that happens to be transmitted through the internet. Instead, protection under § 230(c)(1) extends only to bar certain claims, in specific circumstances, against particular types of parties. Here, the district court erred by finding that § 230(c)(1) barred all counts asserted against Public Data. To the contrary, on the facts as alleged, it does not apply to any of them. Counts One and Three are not barred because they do not seek to hold Public Data liable as a publisher under the provision. Counts Two and Four are not barred because Public Data is itself an information content provider for the information relevant to those counts.

REVERSED AND REMANDED

RICHARDSON

UNITED STATES CIRCUIT JUDGE

Notes

This case comes to us on appeal from the district court‘s grant of a motion for judgment on the pleadings under Federal Rule of Civil Procedure 12(c). Our review is de novo, and we apply the same standards as we would for a Rule 12(b)(6) motion. . This means that we accept all well-pleaded facts in the complaint as true. . Given the procedural posture, our factual summary takes Plaintiffs’ Second Amended Complaint at face value.

McBride alleges that he learned about the inaccurate information included in the report when he sued his potential employer and obtained the report in discovery.

Plaintiffs together represent a putative class for Count One, Plaintiff McBride alone represents a class for Counts Two and Three, and Count Four is an individual claim brought by Plaintiff McBride. Given the posture of this case, we express no opinion on the class allegations or propriety of class certification.

These terms are defined in 15 U.S.C. § 1681a(d) and (f), respectively. Since the only issue on appeal is whether 47 U.S.C. § 230(c)(1) bars Plaintiffs’ claims, we do not address whether Public Data qualifies as a “consumer reporting agency” under the FCRA.

“Every consumer reporting agency shall, upon request . . . clearly and accurately disclose to the consumer” certain information including “[a]ll information in the consumer‘s file at the time of the request,” “[t]he sources of the information,” and the “[i]dentification of each person . . . that procured a consumer report” within the two years before the request, if procured “for employment purposes,” or within one year otherwise. 15 U.S.C. § 1681g(a)(1)–(3).

Section 1681b(b)(1) requires that a consumer reporting agency obtain certifications from its employer-customers stating they will comply with § 1681b(b)(2)(A), and that the consumer reporting agency provide those employer-customers with a summary of the consumer‘s rights. 15 U.S.C. § 1681b(b)(1).

“A consumer reporting agency which furnishes a consumer report for employment purposes and which for that purpose compiles and reports items of information on consumers which are matters of public record and are likely to have an adverse effect upon a consumer‘s ability to obtain employment shall—(1) at the time such public record information is reported to the user of such consumer report, notify the consumer of the fact that public record information is being reported by the consumer reporting agency, together with the name and address of the person to whom such information is being reported; or (2) maintain strict procedures designed to insure that whenever public record information which is likely to have an adverse effect on a consumer‘s ability to obtain employment is reported it is complete and up to date.” 15 U.S.C. § 1681k(a).

“Whenever a consumer reporting agency prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.” 15 U.S.C. § 1681e(b).

There was some confusion below about these requirements. See . And that is understandable given that we have not been clear about separating (c)(1)‘s three distinct requirements. See (discussing the protection in broad terms, without separating into distinct prongs). But when grappling with § 230(c)(1), we have applied these ideas, if not always in a neat and ordered row. See (discussing (1) “service providers” being (3) held “liable for information originating with a third-party user of the service,” (2) “in a publisher‘s role“); see also ; . To avoid confusion, we follow our sister circuits and read the statute to create three requirements. See ; ; .

“The term ‘interactive computer service’ means any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions.” § 230(f)(2). Hosting a website “enables computer access by multiple users to a computer server.” See (“Courts typically have held that internet service providers, website exchange systems, online message boards, and search engines fall within this definition.“).

When “a word is obviously transplanted from another legal source, whether the common law or other legislation, it brings the old soil with it.” (internal citation and quotation marks omitted). “Publisher” is just such a transplanted word. Section 230(c)(1) altered the way common-law-defamation claims would apply to users and providers of interactive computer services that the common law would otherwise hold liable as publishers. (Thomas, J., statement respecting denial of certiorari) (discussing Stratton Oakmont, Inc. v. Prodigy Services Co., 1995 WL 323710, at *3–*4 (N.Y. Sup. Ct. May 24, 1995)); (“Section 230 marks a departure from the common-law rule that allocates liability to publishers of tortious material written or prepared by others.“).

Defamation at common law distinguished between publisher and distributor liability but Zeran did not make this distinction. Instead, Zeran determined that distributor liability “is merely a subset, or a species, of publisher liability” and so treated them the same under § 230(c)(1). . The decision has been questioned for failing to make this distinction. See, e.g., (Thomas, J., statement respecting denial of certiorari). But the approach taken in the Fourth Circuit since Zeran has been clear, and the parties have made no arguments based on this distinction.

See Restatement (Second) of Torts § 577, at 201 (Am. L. Inst. 1965) (“Publication of defamatory matter is its communication intentionally or by a negligent act to one other than the person defamed.“); Publish, Black‘s Law Dictionary 1268 (8th ed. 2004) (defining “publish” as including “[t]o distribute copies . . . to the public” and “[t]o communicate (defamatory words) to someone other than the person defamed“); (“The cases . . . uniformly hold that . . . the sending of a communication containing defamatory language directly to the person defamed, without any proof that, through the agency or in pursuance of the intention of the sender, it has come to the knowledge of any one else, does not show such publication as to render the sender liable in damages.“).

See Restatement (Second) of Torts § 577 cmt. b, at 202 (Am. L. Inst. 1965); (“[P]ublication, does not mean merely uttering or writing. Rather, ‘publication’ . . . means to communicate the defamatory material to a third party (that is, a party who is not the subject of the defamatory material) . . .“); (asserting that there can be no publication unless the words spoken were heard by third persons).

Other information-based torts at common law follow this mold, imposing liability on publishers for the improper nature of their disseminated content. For example, false-light claims hold a publisher liable only when there is “at least an implicit false statement of objective fact.” . And publisher liability at common law did not always require that the “impropriety” of the content be that it was false and defamatory. Claims based on publicity given to private life impose liability on a publisher for information that is “highly offensive to a reasonable person.” Restatement (Second) of Torts § 652D, at 383 (Am. L. Inst. 1965). Reaching further back, publishers in England were prosecuted under a fourteenth century statute banning “constructive treason” for printing “seditious, poisonous, and scandalous” information even if that information was not false and defamatory. William T. Mayton, Seditious Libel and the Lost Guarantee of a Freedom of Expression, 84 Colum. L. Rev. 91, 100-101 (1984); Geoffrey R. Stone et al., Constitutional Law 1009–10 (8th ed. 2018). Similarly, while libel required that the published information dishonor another or provoke violence, “truth was no defense.” Philip Hamburger, The Development of the law of Seditious Libel and the Control of the Press, 37 Stan. L. Rev. 661, 712 (1985). While it is commonly accepted that Congress passed § 230 in part as reaction to a case involving a defamation suit against an internet company, see (Thomas, J., statement respecting denial of certiorari) (discussing Stratton, 1995 WL 323710), § 230(c)(1) protection is not limited to defamation suits.

Each FCRA claim here is triggered by a defendant‘s status as a “consumer reporting agency” as defined in 15 U.S.C. § 1681a(f). See 15 U.S.C. §§ 1681g(a) (“Every consumer reporting agency shall“); 1681k(a) (“A consumer reporting agency . . . shall“); 1681b(b)(1) (“A consumer reporting agency may furnish a consumer report for employment purposes only if“); 1681e(b) (“Whenever a consumer reporting agency prepares a consumer report it shall“). A “consumer reporting agency” is defined as “any person which, for monetary fees . . . regularly engages . . . in the practice of assembling or evaluating consumer credit information . . . for the purpose of furnishing consumer reports to third parties.” § 1681a(f). Circular as it is, “companies that regularly prepare consumer reports” are consumer reporting agencies. . The district court did not determine whether Plaintiffs made sufficient allegations to prove that Public Data is a “consumer reporting agency,” and we take no position on that question. Of course, Public Data may contest that claim below. But here we only consider the preliminary question of whether § 230 bars Plaintiffs’ FCRA claims even if Public Data is a “consumer reporting agency.”

Section 230(e) catalogues other laws for which § 230(c)(1) must not be construed to impair. And the FCRA is not on the that list. But that tells us little about whether § 230(c)(1) can bar specific FCRA claims because § 230(e) does not establish “an exception to a prohibition that would otherwise reach the conduct excepted.” . Instead, it suggests a “clarification of the meaning of [§ 230] rather than an exception” to its coverage. at 586. In other words, a FCRA claim must first impose liability on the defendant as the publisher or speaker of information to trigger the FCRA in the first place. If it does, then § 230(c)(1) can apply to FCRA claims. And if it does not, then § 230(c)(1) will not apply.

Zeran left the door open to finding § 230(c)(1) protection applies when a claim holds a party liable for a decision not to publish, , 129 F.3d at 330, and we need not decide here if we should shut it. Zeran suggested that it might allow § 230(c)(1) to bar claims whenever avoiding liability under those claims would require acting as a publisher. In other words, it is possible to read Zeran as applying § 230(c)(1) protection when an interactive service provider would be held liable for failing to publish information. See id.; see also (implying that not providing a warning can be an act of publishing by considering whether § 230(c)(1) could bar a negligent-failure-to-warn claim). Since even in those circumstances the failure to publish would still need to relate to information meant to be disseminated to third-parties, we need not reach this question here.

Liability under § 1681k(a) also requires that the defendant fail to provide notifications to the consumer that the report was provided to a potential employer. § 1681k(a)(1). We have already explained why a consumer-notification requirement like this does not impose liability on Public Data as a publisher or speaker of information—it is a failure to disseminate information about an individual to that same individual, not a third party.

held that violating § 1681e(b) requires inaccurate information. While Dalton did not address § 1681k(a)‘s reasonable-procedures requirement, we see no principled way to distinguish the two provisions and so read Dalton to require the same inaccuracy.

Again, at least in federal court. See (Thomas, J., dissenting) (suggesting a non-publication claim could be brought in state court).

Public Data can be both “a provider or user of an interactive computer service” and also the “information content provider.” And when a defendant is both, § 230(c)(1) provides no protection. Section 230(c)(1) applies only when the information for which liability is being imposed on the provider or user of an interactive computer service is “provided” by “another” information content provider. § 230(c)(1). The use of the modifier another shows that an interactive computer service provider can be an information content provider at the same time. See § 230(c)(1) (“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” (emphasis added)). And when a provider of an interactive computer service also provides the information at issue in a claim, it receives no protection under § 230(c)(1). See . In other words, § 230(c)(1) does not protect entities for their own speech, it protects them only when they serve as a conduit for other‘s speech. See .

Since we determine that Public Data is an information content provider, we do not address Plaintiffs’ argument that “provided” in the statute means “provided to the internet user” not “provided to the internet company.” Appellee‘s Brief 34–35; see, e.g., (“The structure and purpose of § 230(c)(1) indicate that the immunity applies only with regard to third-party information provided for use on the Internet.“).

Since we find that Public Data has “developed” the information at issue we need not consider whether it might also have “created” that information.

An extreme example helps illustrate this point. Take a writer of a ransom note who cuts letters out of a magazine to list his demands. That writer might be said to be “altering” content. Yet, the note‘s writer is hardly acting as an “editor” of the magazine. Instead, he has substantively changed the magazine‘s content and transformed it from benign information about sports or entertainment into threatening information about bags of cash and ultimatums.

Drawing this line here is reinforced by another contextual reading of Zeran‘s list of traditional editorial functions. After listing some traditional editorial functions for which liability is barred, Zeran then said that § 230(c)(1) prevents suits that “cast [the defendant] in the same position as the party who originally posted the offensive messages.” at 333. Zeran saw § 230(c)(1) as vicarious liability protection that could not be used as a shield when the offensiveness of the message comes from the defendant themselves rather than a third party. See id.; see also (“Congress thus established a general rule that providers of interactive computer services are liable . . . for speech that is properly attributable to them“); cf. (holding that there is no § 230 immunity for a defendant who posted a third-party‘s photo, but who supplied her own defamatory commentary to it). So we may not read the traditional editorial functions listed in Zeran so broadly as to include a defendant‘s substantive alterations that introduced the inaccuracy or falsity at issue in the claim.

Read the detailed case summary