Fourth Circuit Could Weaken Social Media’s 230 Protections

Section 230 of the Communications Decency Act provides broad immunity for entities that publish and disseminate information—even inaccurate information from third parties. It reflects the judgment of Congress—affirmed by the courts repeatedly—that the website, platform, social media site or other channel of dissemination is not the “speaker” or publisher of the information that was created by the third party. As a result, Twitter, Facebook, Instagram, YouTube and others are permitted to—but are not required to—moderate what others say on their platforms and are immune from liability for providing a platform for unwanted speech—even if that speech is defamatory, actionable or dangerous. While there are certain exceptions (e.g., for republishing child pornography), the scope of this immunity has been historically very broad. This term, in Gonzalez v. Google, the U.S. Supreme Court has agreed to consider whether Google (the parent company of YouTube) is protected under Section 230 from liability for allegedly permitting the posting of ISIS recruitment videos which allegedly resulted in the death of an American woman killed in Paris in 2015 in an ISIS terrorist attack. In general, the courts have agreed that YouTube and Google would have no duty to remove the content and would not be liable to the family for the content posted by third parties in most circumstances, but the high court may change that.

One other law that imposes a form of “publishing” or “dissemination” liability is the Fair Credit Reporting Act, which limits the nature of the data that “consumer reporting agencies” may disseminate and the purposes for which that data may be disseminated. A “consumer reporting agency” is defined as an entity:

“… that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide: (1) Public record information; (2) Credit account information from persons who furnish that information regularly and in the ordinary course of business.”

Public Data, operating under various trade names, is one of the many companies that collect and sell public information about individuals. These data brokers find public records—such as criminal and civil records, voting records, driving information, and professional licensing information—from various local, state and federal authorities (and other businesses that have already collected those records). They then parse the data, collate it, provide search tools to find the data and sell access to the search tool or data set to third parties. They do not create the data they sell and they do not vouch for its accuracy. All they warrant and represent is that this data exists in the public record.

On November 3, 2022, the United States Court of Appeals for the Fourth Circuit in Richmond, Virginia held that Public Data was not entitled to rely on the immunity provisions of Section 230 of the CDA in its act of publishing (or republishing) consumer data, and that it had to comply with the notice, accuracy, right to review and use limitations for consumer credit reports under the FCRA. The appellate court held that Public Data failed to provide consumers with copies of their own “reports,” failed to get certifications about the use of the reports from (and provide consumer rights summaries to) any potential employers who reviewed the data, and failed to ensure that the data in the database was accurate, complete and up-to-date.

The main issue in the case was whether Public Data was being held liable as an “information content provider” itself or whether it was merely being held liable as the provider of information from another. If Public Data is transmitting the communications or information of another party (that is, they are not the “publisher” of the data, but merely a conduit) then they are entitled to immunity if the alleged liability is “based on the content of the speech published” by the interactive service provider.

The appeals court held that the data broker was not being held liable based on the “content” of the publication—a necessary element for Section 230 immunity. Rather, the court found, Public Data was being held liable for dissemination of “credit information” defined in the statute, irrespective of whether the data was defamatory or not. In other words, Public Data was being held liable not as a publisher of something defamatory, but as a credit reporting agency with the duties of such an agency, irrespective of the content of what they were disseminating.

Of course, what makes Public Data an alleged “credit reporting” agency is precisely the content of the data they are disseminating and what makes them potentially liable is the assertion that this data is, in some way, inaccurate or incomplete. While not strictly defamation liability, it is a reasonably close analog. In fact, the reason the FCRA has restrictions on credit reporting agencies is precisely because of the potential harm to consumers as a result of the dissemination of false credit information, and the class of plaintiffs asserted that the data that Public Data disseminated was, in fact, false and that falsehood caused them harm. Other provisions of the FCRA—like obtaining certification from a potential employer that they will use the (consumer reporting) data for permitted purposes, or a requirement that the consumer reporting agency provide a summary of consumer rights—are all based on the assumption that Public Data is a consumer reporting agency—and that assumption is based on the nature and character of the data that is disseminated. Thus, the potential liability clearly arises from the nature of the data that Public Data is alleged to have “published.”

The court also determined that Public Data was not simply publishing data “provided by another information content provider” but that they were themselves “an information content provider” because they were “responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.” 47 USC 230(f)(3). Public Data creates a database (aggregation) of data from other sources. While they may format (or reformat) that data, they do not “create” the data—but they do “create” the database. The court observed that “plaintiff’s complaint plausibly alleges that Public Data is an information content provider for the information that creates liability …” But the opinion does not go beyond the bare allegations in the complaint. The court seems to suggest that the act of compiling or collecting third-party data into one pool makes the aggregator an “information content provider” of that information, and therefore removes Section 230 immunity. But data aggregation is precisely what all interactive computer services do. Certainly it is possible that the data could be transformed by the aggregator in such a way that the aggregator/collector becomes a publisher of that data, but the court failed to lay out any clear reason for this conclusion in this case.

All told, this case represents a significant weakening of the immunity provisions of Section 230. How far this will go remains to be seen.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
