The Virginia Defamation Law Blog
You’ve heard by now that companies like Facebook and Twitter are not liable for defamation when their platforms are used to circulate false and defamatory content. The law most often cited as the source of this protection is known as Section 230 of the Communications Decency Act. Section 230 provides protection to companies that supply the platform, forum, or other technology that others can use to communicate information, provided the companies are not involved in creating the content that gets posted on their sites. Section 230 generally allows such companies to moderate and delete content without losing immunity, but not create content themselves. Although Section 230 protects internet companies from liability as a publisher of speech, it does not protect them in situations where liability is sought on some other theory, such as intellectual property infringement or liability as the seller of a defective product.
In the case of Tyrone Henderson v. The Source for Public Data, the Eastern District of Virginia was faced with the question of whether Section 230 could apply to claims raised under the Fair Credit Reporting Act. The issue had apparently never come up before, but the court readily determined that Section 230 did apply because the defendants were being sued for publishing content created by others and were not involved in creating that content themselves. Section 230 is not limited to defamation claims and can be invoked in any case where its requirements are satisfied.
There are three requirements to successfully assert Section 230 immunity: (1) a defendant is an “interactive computer service”; (2) the content is created by an “information content provider”; and (3) the defendant is alleged to be the creator of the content.
An “interactive computer service” is “any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions.” (See 47 U.S.C. § 230(f)(2)). These are sites that do not generate original content but rather allow 
users to access the website in order to post information. (See Baldino’s Lock & Key Serv., Inc. v. Google, Inc., 88 F. Supp. 3d. 543, 547 (E.D. Va. 2015)).
An “information content provider” is “any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.” (See 47 U.S.C. § 230(f)(3)).
The facts of the case went something like this. The plaintiffs were a group of individuals who sought to bring a class action against The Source for Public Data, L.P., and other defendants involved in the operation of a website called publicdata.com. Publicdata.com allows visitors to search through various databases of public-record data, typically compiled into reports that employers can purchase when doing background checks on prospective employees. The plaintiffs complained that publicdata.com had included inaccurate criminal information about them that resulted in preventing them from obtaining employment or housing. They claimed the factual errors violated certain provisions of the FCRA.
In finding that Section 230 protected the defendants from FCRA liability, the court looked to the plain language of the statute, which states: “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” The court took this to mean that an interactive computer service may not be held liable for content they did not create. As an access software provider, the defendants met the definition of “interactive computer service.” They were not information content providers as they did not produce the content of the reports. And the plaintiffs claimed the defendants created the content at issue, satisfying the third element required for Section 230 immunity.
In short, because publicdata.com merely collected information from other sources to make it more easily searchable and because the operators of the site were not the ones responsible for the alleged factual errors contained in that data, they were entitled to assert Section 230 immunity.
Notably, there are five exceptions to Section 230 immunity. The statute itself states expressly that it will not apply to any “federal criminal statute,” “intellectual property law,” “state law that is consistent with this section,” the Electronic Communications Privacy Act, or “sex trafficking law.” (See Section 230(e)(1)-(5)). Applying a canon of statutory construction, the court found that Congress must not have intended an exception for the FCRA; had they intended to create such an exception, it would have been listed here.