Tyrone Henderson, Sr. v. The Source for Public Data, L.P. ( 2022 )

USCA4 Appeal: 21-1678         Doc: 88         Filed: 11/03/2022   Pg: 1 of 28
PUBLISHED
UNITED STATES COURT OF APPEALS
FOR THE FOURTH CIRCUIT
No. 21-1678
TYRONE HENDERSON, SR.; GEORGE I. HARRISON, JR.; ROBERT MCBRIDE, on
behalf of himself and others similarly situated,
Plaintiffs-Appellants,
v.
THE SOURCE FOR PUBLIC DATA, L.P., d/b/a Publicdata.com; SHADOWSOFT,
INC.; HARLINGTON-STRAKER STUDIO, INC.; AND DALE BRUCE
STRINGFELLOW,
Defendants-Appellees.
------------------------------
FEDERAL TRADE COMMISSION; CONSUMER FINANCIAL PROTECTION
BUREAU; NORTH CAROLINA; TEXAS; ALABAMA; ARIZONA;
ARKANSAS; CONNECTICUT; GEORGIA; IOWA; MAINE; MICHIGAN;
MINNESOTA; MISSISSIPPI; NEBRASKA; NEVADA; NORTH DAKOTA;
OHIO; SOUTH CAROLINA; SOUTH DAKOTA; UTAH; VERMONT;
VIRGINIA; NATIONAL CONSUMER LAW CENTER; NATIONAL FAIR
HOUSING ALLIANCE; LAWYERS' COMMITTEE FOR CIVIL RIGHTS
UNDER LAW
Amici Supporting Appellants.
Appeal from the United States District Court for the Eastern District of Virginia, at
Richmond. Henry E. Hudson, Senior District Judge. (3:20-cv-00294-HEH)
Argued: May 3, 2022                                           Decided: November 3, 2022
1
USCA4 Appeal: 21-1678     Doc: 88        Filed: 11/03/2022    Pg: 2 of 28
Before AGEE, RICHARDSON, and QUATTLEBAUM, Circuit Judges.
Reversed and remanded by published opinion. Judge Richardson wrote the opinion, in
which Judge Agee and Judge Quattlebaum joined.
ARGUED: Jennifer D. Bennett, GUPTA WESSLER, San Francisco, California, for
Appellants. Kyle David Highful, OFFICE OF THE ATTORNEY GENERAL OF TEXAS,
Austin, Texas, for Amici States. Theodore (Jack) Metzler, FEDERAL TRADE
COMMISSION, Washington, D.C., for Amicus Federal Trade Commission. Misha
Tseytlin, TROUTMAN PEPPER HAMILTON SANDERS LLP, Chicago, Illinois, for
Appellees. ON BRIEF: Leonard A. Bennett, Craig C. Marchiando, CONSUMER
LITIGATION ASSOCIATES, P.C., Newport News, Virginia; Kristi C. Kelly, KELLY
GUZZO PLC, Fairfax, Virginia; Matthew W.H. Wessler, GUPTA WESSLER,
Washington, D.C., for Appellants. Timothy J. St. George, Richmond, Virginia, Ronald I.
Raether, Jr., TROUTMAN PEPPER HAMILTON SANDERS LLP, Irvine, California, for
Appellees. Steven Van Meter, Acting General Counsel, Steven Y. Bressler, Acting Deputy
General Counsel, Laura Hussain, Assistant General Counsel, Derick Sohn, Senior Counsel,
CONSUMER FINANCIAL PROTECTION BUREAU, Washington, D.C.; James Reilly
Dolan, Acting General Counsel, Joel Marcus, Deputy General Counsel, FEDERAL
TRADE COMMISSION, Washington, D.C.; Joshua H. Stein, Attorney General, Daniel P.
Mosteller, Deputy General Counsel, NORTH CAROLINA DEPARTMENT OF JUSTICE,
Raleigh, North Carolina, for Amici Federal Trade Commission, Consumer Financial
Protection Bureau, and North Carolina. John G. Albanese, Ariana Kiener, BERGER
MONTAGUE PC, Minneapolis, Minnesota, for Amici National Consumer Law Center,
Upturn, American Civil Liberties Union, National Housing Law Project, National
Employment Law Project, and National Low Income Housing Coalition. Ken Paxton,
Attorney General, Brent Webster, First Assistant Attorney General, Judd E. Stone II,
Solicitor General, Bill Davis, Deputy Solicitor General, OFFICE OF THE ATTORNEY
GENERAL OF TEXAS, Austin, Texas, for Amicus State of Texas. Steve Marshall,
Attorney General, OFFICE OF THE ATTORNEY GENERAL OF ALABAMA,
Montgomery, Alabama, for Amicus State of Alabama. Mark Brnovich, Attorney General,
OFFICE OF THE ATTORNEY GENERAL OF ARIZONA, Phoenix, Arizona, for Amicus
State of Arizona. Leslie Rutledge, Attorney General, OFFICE OF THE ATTORNEY
GENERAL OF ARKANSAS, Little Rock, Arkansas, for Amicus State of Arkansas.
William Tong, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF
CONNECTICUT, Hartford, Connecticut, for Amicus State of Connecticut. Christopher
M. Carr, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF GEORGIA,
Atlanta, Georgia, for Amicus State of Georgia. Tom Miller, Attorney General, OFFICE
OF THE ATTORNEY GENERAL OF IOWA, Des Moines, Iowa, for Amicus State of
Iowa. Aaron M. Frey, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF
MAINE, Augusta, Maine, for Amicus State of Maine. Dana Nessel, Attorney General,
2
USCA4 Appeal: 21-1678     Doc: 88        Filed: 11/03/2022     Pg: 3 of 28
OFFICE OF THE ATTORNEY GENERAL OF MICHIGAN, Lansing, Michigan, for
Amicus State of Michigan. Keith Ellison, Attorney General, OFFICE OF THE
ATTORNEY GENERAL OF MINNESOTA, St. Paul, Minnesota, for Amicus State of
Minnesota. Lynn Fitch, Attorney General, OFFICE OF THE ATTORNEY GENERAL
OF MISSISSIPPI, Jackson, Mississippi, for Amicus State of Mississippi. Douglas J.
Peterson, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF NEBRASKA,
Lincoln, Nebraska, for Amicus State of Nebraska. Aaron D. Ford, Attorney General,
OFFICE OF THE ATTORNEY GENERAL OF NEVADA, Las Vegas, Nevada, for
Amicus State of Nevada. Wayne Stenehjem, Attorney General, OFFICE OF THE
ATTORNEY GENERAL OF NORTH DAKOTA, Bismarck, North Dakota, for Amicus
State of North Dakota. Dave Yost, Attorney General, OFFICE OF THE ATTORNEY
GENERAL OF OHIO, Columbus, Ohio, for Amicus State of Ohio. Alan Wilson, Attorney
General, OFFICE OF THE ATTORNEY GENERAL OF SOUTH CAROLINA,
Columbia, South Carolina, for Amicus State of South Carolina. Jason R. Ravnsborg,
Attorney General, OFFICE OF THE ATTORNEY GENERAL OF SOUTH DAKOTA,
Pierre, South Dakota, for Amicus State of South Dakota. Sean D. Reyes, Attorney General,
OFFICE OF THE ATTORNEY GENERAL OF UTAH, Salt Lake City, Utah, for Amicus
State of Utah. Thomas J. Donovan, Jr., Attorney General, OFFICE OF THE ATTORNEY
GENERAL OF VERMONT, Montpelier, Vermont, for Amicus State of Vermont. Mark
R. Herring, Attorney General, OFFICE OF THE ATTORNEY GENERAL OF VIRGINIA,
Richmond, Virginia, for Amicus Commonwealth of Virginia. Jon Greenbaum, David
Brody, Noah Baron, Adonne Washington, LAWYERS’ COMMITTEE FOR CIVIL
RIGHTS UNDER LAW, Washington, D.C.; D. Scott Chang, Morgan Williams,
NATIONAL FAIR HOUSING ALLIANCE, Washington, D.C.; Zarema A. Jaramillo,
Joshua E. Morris, Washington, D.C., Mary J. Hildebrand, Sydney J. Kaplan,
LOWENSTEIN SANDLER LLP, New York, New York, for Amici the Lawyers’
Committee for Civil Rights Under Law and the National Fair Housing Alliance.
3
USCA4 Appeal: 21-1678         Doc: 88         Filed: 11/03/2022     Pg: 4 of 28
RICHARDSON, Circuit Judge:
Section 230(c)(1) of the Communications Decency Act protects some parties
operating online from specific claims that would lead to liability for conduct done offline.
But it is not a license to do whatever one wants online. Protection under § 230(c)(1)
extends only to bar certain claims imposing liability for specific information that another
party provided.
Public Data sought § 230(c)(1) protection against four claims brought against it for
violating the Fair Credit Reporting Act (“FCRA”). The district court agreed that the claims
were precluded by § 230(c)(1). Plaintiffs appealed, arguing that § 230(c)(1) does not apply.
We agree. Plaintiffs have alleged facts that, if true, render § 230(c)(1) inapplicable to their
four claims. So we reverse the district court and remand for further proceedings.
I.     Background
Defendants are The Source of Public Data, L.P.; ShadowSoft, Inc.; Harlington-
Straker Studio, Inc.; and Dale Bruce Stringfellow. Defendants’ relation to each other and
to the website PublicData.com is complex but unimportant to this appeal. Rather than
break out the white board and red string to understand how they fit together, we accept on
appeal Plaintiffs’ allegation that all Defendants are alter egos jointly responsible for any
FCRA liability arising from the business activities conducted on PublicData.com. 1 So we
refer to Defendants collectively as “Public Data.”
1
This case comes to us on appeal from the district court’s grant of a motion for
judgment on the pleadings under Federal Rule of Civil Procedure 12(c). Our review is de
novo, and we apply the same standards as we would for a Rule 12(b)(6) motion. Massey
(Continued)
4
USCA4 Appeal: 21-1678       Doc: 88          Filed: 11/03/2022     Pg: 5 of 28
Public Data’s business is providing third parties with information about individuals.
Plaintiffs allege that it involves four steps.
First, Public Data acquires public records, such as criminal and civil records, voting
records, driving information, and professional licensing. These records come from various
local, state, and federal authorities (and other businesses that have already collected those
records).
Second, Public Data “parses” the collected information and puts it into a proprietary
format. This can include taking steps to “reformat and alter” the raw documents, putting
them “into a layout or presentation [Public Data] believe[s] is more user-friendly.” J.A.
16. For criminal records, Public Data “distill[s]” the data subject’s criminal history into
“glib statements,” “strip[s] out or suppress[es] all identifying information relating to the
charges,” and then “replace[s] this information with [its] own internally created summaries
of the charges, bereft of any detail.” J.A. 30.
Third, Public Data creates a database of all this information which it then
“publishes” on the website PublicData.com.           Public Data does not look for or fix
inaccuracies in the database, and the website disclaims any responsibility for inaccurate
information. Public Data also does not respond to requests to correct or remove inaccurate
information from the database.
v. Ojaniit, 

, 353 (4th Cir. 2014). This means that we accept all well-pleaded
facts in the complaint as true. Drager v. PLIVA USA, Inc., 

, 474 (4th Cir.
2014). Given the procedural posture, our factual summary takes Plaintiffs’ Second
Amended Complaint at face value.
5
USCA4 Appeal: 21-1678      Doc: 88         Filed: 11/03/2022     Pg: 6 of 28
Fourth, Public Data sells access to the database, “disbursing [the] information . . .
for the purpose of furnishing consumer reports to third parties.” J.A. 19. All things told,
Plaintiffs allege that Public Data sells 50 million consumer searches and reports per year.
Public Data knows that traffic includes some buyers using its data and reports to check
creditworthiness and some performing background checks for employment purposes.
Plaintiffs allege that Public Data’s activities injured them. Plaintiffs Henderson,
Harrison, and McBride have each requested a copy of the records Public Data keeps on
them, but Public Data has not provided those records. Plaintiff McBride also alleges that
he applied for a job that required a background check. As part of that check, his potential
employer used a background report from Public Data. Public Data’s report on McBride
was inaccurate because it contained misleading and incomplete criminal history. McBride
was not hired. 2
Plaintiffs bring four claims against Public Data alleging it violated four provisions
of the FCRA. 3 Underlying each claim is the contention that Public Data must comply with
2
McBride alleges that he learned about the inaccurate information included in the
report when he sued his potential employer and obtained the report in discovery.
3
Plaintiffs together represent a putative class for Count One, Plaintiff McBride
alone represents a class for Counts Two and Three, and Count Four is an individual claim
brought by Plaintiff McBride. Given the posture of this case, we express no opinion on the
class allegations or propriety of class certification.
6
USCA4 Appeal: 21-1678      Doc: 88          Filed: 11/03/2022     Pg: 7 of 28
the FCRA because they produce “consumer report[s]” and are a “consumer reporting
agency” under the Act. 4
In Count One, Plaintiffs allege that Public Data violated § 1681g 5 by failing to
provide them a copy of their own records and a notice of their FCRA rights when requested.
In Count Three, Plaintiff McBride alleges that Public Data violated § 1681b(b)(1) 6 by
failing to get certain certifications from employers it provided reports to, and by failing to
provide those employers with a consumer-rights summary. Counts Two and Four both
seek to impose liability for Public Data’s failure to maintain proper procedures to ensure
accurate information. Count Two alleges that Public Data violated § 1681k(a) 7 by failing
4
These terms are defined in 15 U.S.C. § 1681a(d) and (f), respectively. Since the
only issue on appeal is whether 

(c)(1) bars Plaintiffs’ claims, we do not
address whether Public Data qualifies as a “consumer reporting agency” under the FCRA.
5
“Every consumer reporting agency shall, upon request . . . clearly and accurately
disclose to the consumer” certain information including “[a]ll information in the
consumer’s file at the time of the request,” “[t]he sources of the information,” and the
“[i]dentification of each person . . . that procured a consumer report” within the two years
before the request, if procured “for employment purposes,” or within one year otherwise.
15 U.S.C. § 1681g(a)(1)–(3).
6
Section 1681b(b)(1) requires that a consumer reporting agency obtain
certifications from its employer-customers stating they will comply with § 1681b(b)(2)(A),
and that the consumer reporting agency provide those employer-customers with a summary
of the consumer’s rights. 15 U.S.C. § 1681b(b)(1).
7
“A consumer reporting agency which furnishes a consumer report for employment
purposes and which for that purpose compiles and reports items of information on
consumers which are matters of public record and are likely to have an adverse effect upon
a consumer’s ability to obtain employment shall—(1) at the time such public record
information is reported to the user of such consumer report, notify the consumer of the fact
that public record information is being reported by the consumer reporting agency, together
with the name and address of the person to whom such information is being reported; or
(Continued)
7
USCA4 Appeal: 21-1678       Doc: 88          Filed: 11/03/2022      Pg: 8 of 28
to notify Plaintiffs when it provided their records for employment purposes and by failing
to establish adequate procedures to ensure complete and up to date information in those
records. And in Count Four, Plaintiff McBride alleges, for himself only, that Public Data
violated § 1681e(b) 8 by not implementing sufficient procedures to ensure accuracy in its
reports.
Public Data moved for judgment on the pleadings, arguing that each claim was
barred by § 230(c)(1). The district court agreed and granted judgment for Public Data. See
Henderson v. Source for Pub. Data, 

, 543 (E.D. Va. May 19, 2021).
Plaintiffs appealed, and we have jurisdiction under 

.
II.    Discussion
Section 230 provides internet platforms with limited legal protections.              See
generally Adam Candeub, Reading Section 230 as Written, 1 J. Free Speech L. 139 (2021).
Subsection 230(c)(1) prohibits treating an interactive computer service as a publisher or
speaker of any information provided by a third party. And § 230(c)(2) bars liability for a
platform’s actions to restrict access to obscene, lewd, lascivious, filthy, excessively violent,
harassing, or otherwise-objectionable material.
(2) maintain strict procedures designed to insure that whenever public record information
which is likely to have an adverse effect on a consumer’s ability to obtain employment is
reported it is complete and up to date.” 15 U.S.C. § 1681k(a).
8
“Whenever a consumer reporting agency prepares a consumer report it shall follow
reasonable procedures to assure maximum possible accuracy of the information concerning
the individual about whom the report relates.” 15 U.S.C. § 1681e(b).
8
USCA4 Appeal: 21-1678       Doc: 88          Filed: 11/03/2022       Pg: 9 of 28
On appeal, this case deals exclusively with the protection provided by § 230(c)(1):
“No provider or user of an interactive computer service shall be treated as the publisher or
speaker of any information provided by another information content provider.” Read
plainly, this text requires that a defendant like Public Data must establish three things to
claim protection: (1) The defendant is a “‘provider or user of an interactive computer
service’”; (2) the plaintiff’s claim holds the defendant “responsible ‘as the publisher or
speaker of any information’”; and (3) the relevant information was “‘provided by another
information content provider.’” Nemet Chevrolet, Ltd. v. Consumeraffairs.com, Inc., 

, 254 (4th Cir. 2009) (quoting § 230(c)(1)). 9 These three requirements look first
to the defendant’s status (i.e., are they a provider or user of an “interactive computer
service”), then to the kind of claim the plaintiff has brought (i.e., does the plaintiff treat the
defendant as a publisher or speaker of information), and finally to the source of the
information underlying the plaintiff’s claim (i.e., who provided the information).
9
There was some confusion below about these requirements. See Henderson, 540
F. Supp. 3d at 547. And that is understandable given that we have not been clear about
separating (c)(1)’s three distinct requirements. See Zeran v. American Online, Inc., 

, 330 (4th Cir. 1997) (discussing the protection in broad terms, without separating
into distinct prongs). But when grappling with § 230(c)(1), we have applied these ideas, if
not always in a neat and ordered row. See id. (discussing (1) “service providers” being (3)
held “liable for information originating with a third-party user of the service,” (2) “in a
publisher’s role”); see also Nemet, 

254–55; Erie Ins. Co. v. Amazon.com, Inc.,

, 139–40 (4th Cir. 2019). To avoid confusion, we follow our sister circuits
and read the statute to create three requirements. See HomeAway.com, Inc. v. City of Santa
Monica, 

, 681 (9th Cir. 2019); FTC v. LeadClick Media, LLC, 

,
173 (2d Cir. 2016); Marshall’s Locksmith Serv. Inc. v. Google, LLC, 

, 1267–
68 (D.C. Cir. 2019).
9
USCA4 Appeal: 21-1678        Doc: 88        Filed: 11/03/2022       Pg: 10 of 28
Public Data asserts that its activities, as described in Plaintiffs’ FRCA claims, satisfy
all three § 230(c)(1) requirements, so that § 230(c)(1) bars those claims.            Plaintiffs
disagree. For this appeal, they admit that Public Data is an interactive computer service 10
but challenge the other two requirements necessary for § 230(c)(1) protection. On the
second requirement, Plaintiffs argue their claims do not treat Public Data as the publisher
or speaker of the offending information. And on the third requirement, Plaintiffs allege
that Public Data itself acted as an “information content provider” of the offending
information such that the information did not come solely from “another information
content provider.”
We conclude that § 230(c)(1) does not bar Counts One and Three because those
claims do not treat Public Data as a publisher or speaker of information. For Counts Two
and Four, we need not determine whether this second requirement is met because we
conclude that Plaintiffs have alleged enough facts to plausibly infer that Public Data is an
information content provider that provided the improper information. As Public Data
cannot establish at this stage that it meets the third requirement for Counts Two and Four,
§ 230(c)(1) does not now apply. So we reverse, and all claims are remanded for further
proceedings consistent with this opinion.
10
“The term ‘interactive computer service’ means any information service, system,
or access software provider that provides or enables computer access by multiple users to
a computer server, including specifically a service or system that provides access to the
Internet and such systems operated or services offered by libraries or educational
institutions.” § 230(f)(2). Hosting a website “enables computer access by multiple users
to a computer server.” See LeadClick, 

 (“Courts typically have held that
internet service providers, website exchange systems, online message boards, and search
engines fall within this definition.”).
10
USCA4 Appeal: 21-1678        Doc: 88          Filed: 11/03/2022       Pg: 11 of 28
A.      Requirement Two: Publisher or Speaker of Information
Section 230(c)(1)’s second requirement asks whether the plaintiff’s legal claim
requires that the defendant be “treated as the publisher or speaker of any information.” In
other words, for protection to apply, the claim must turn on some “information,” and must
treat the defendant as the “publisher or speaker” of that information. See § 230(c)(1) (No
internet platform “shall be treated as the publisher or speaker of any information . . .”); see
also Zeran, 

 (describing § 230(c)(1) as protecting a defendant from being
“liable for information” when the defendant acts in the “publisher’s role” for that
information). A claim treats the defendant “as the publisher or speaker of any information”
when it (1) makes the defendant liable for publishing certain information to third parties,
and (2) seeks to impose liability based on that information’s improper content.
Our precedent demands that we ask whether the claim “thrust[s]” the interactive
service provider “into the role of a traditional publisher.” Zeran, 

. The
term “publisher” as used in § 230(c)(1) “derive[s] [its] legal significance from the context
of defamation law.” Id. 11 Thus, the scope of “the role of a traditional publisher,” and
11
When “a word is obviously transplanted from another legal source, whether the
common law or other legislation, it brings the old soil with it.” Stokeling v. United States,

, 551 (2019) (internal citation and quotation marks omitted). “Publisher” is
just such a transplanted word. Section 230(c)(1) altered the way common-law-defamation
claims would apply to users and providers of interactive computer services that the
common law would otherwise hold liable as publishers. Malwarebytes, Inc. v. Enigma
Software Grp. USA, LLC, 

, 14 (2020) (Thomas, J., statement respecting denial
of certiorari) (discussing Stratton Oakmont, Inc. v. Prodigy Services Co., 

,
at *3–*4 (N.Y. Sup. Ct. May 24, 1995)); Jones v. Dirty World Ent. Recordings LLC, 

, 407 (6th Cir. 2014) (“Section 230 marks a departure from the common-law rule
that allocates liability to publishers . . . of tortious material written or prepared by others.”).
11
USCA4 Appeal: 21-1678      Doc: 88          Filed: 11/03/2022     Pg: 12 of 28
therefore the scope of what § 230(c)(1) protects, is guided by the common law. See id.
(“[Defendant] falls squarely within this traditional definition of a publisher and, therefore,
is clearly protected by § 230’s immunity.” (citing W. Page Keeton et al., Prosser and
Keeton on the Law of Torts § 113, at 803 (5th ed. 1984)). 12
At common law, a publisher was someone who intentionally or negligently
disseminated information to third parties. 13 In this context, a third party is someone other
than the subject of the information disseminated. 14 Thus, for a claim to treat someone as a
12
Defamation at common law distinguished between publisher and distributor
liability but Zeran did not make this distinction. Instead, Zeran determined that distributor
liability “is merely a subset, or a species, of publisher liability” and so treated them the
same under § 230(c)(1). Zeran, 

. The decision has been questioned for
failing to make this distinction. See, e.g., Malwarebytes, 141 S. Ct. at 14–15 (Thomas, J.,
statement respecting denial of certiorari). But the approach taken in the Fourth Circuit
since Zeran has been clear, and the parties have made no arguments based on this
distinction.
13
See Restatement (Second) of Torts § 577, at 201 (Am. L. Inst. 1965) (“Publication
of defamatory matter is its communication intentionally or by a negligent act to one other
than the person defamed.”); Publish, Black’s Law Dictionary 1268 (8th ed. 2004) (defining
“publish” as including “[t]o distribute copies . . . to the public” and “[t]o communicate
(defamatory words) to someone other than the person defamed”); Yousling v. Dare, 

, 371 (Iowa 1904) (“The cases . . . uniformly hold that . . . the sending of a
communication containing defamatory language directly to the person defamed, without
any proof that, through the agency or in pursuance of the intention of the sender, it has
come to the knowledge of any one else, does not show such publication as to render the
sender liable in damages.”).
14
See Restatement (Second) of Torts § 577 cmt. b, at 202 (Am. L. Inst. 1965);
Scottsdale Cap. Advisors Corp. v. The Deal, LLC, 

, 21 (1st Cir. 2018)
(“[P]ublication, does not mean merely uttering or writing. Rather, ‘publication’ . . . means
to communicate the defamatory material to a third party (that is, a party who is not the
subject of the defamatory material) . . .”); Sheffill v. Van Deusen, 

, 305 (1859)
(asserting that there can be no publication unless the words spoken were heard by third
persons).
12
USCA4 Appeal: 21-1678      Doc: 88         Filed: 11/03/2022      Pg: 13 of 28
publisher under § 230(c)(1), the claim must seek to impose liability based on the
defendant’s dissemination of information to someone who is not the subject of the
information.
But that alone is not enough. To meet the second requirement for § 230(c)(1)
protection, liability under the claim must be “based on the content of the speech published”
by the interactive service provider. Erie Insurance Co., 925 F.3d at 139. At common law,
defamation required publishing a “false and defamatory statement.” Restatement (Second)
of Torts § 558(a), at 155 (Am. L. Inst. 1965). The publisher was held liable because of the
improper nature of the content of the published information. 15 In other words, to hold
someone liable as a publisher at common law was to hold them responsible for the content’s
15
Other information-based torts at common law follow this mold, imposing liability
on publishers for the improper nature of their disseminated content. For example, false-
light claims hold a publisher liable only when there is “at least an implicit false statement
of objective fact.” Flowers v. Carville, 

, 1132 (9th Cir. 2002).
And publisher liability at common law did not always require that the “impropriety”
of the content be that it was false and defamatory. Claims based on publicity given to
private life impose liability on a publisher for information that is “highly offensive to a
reasonable person.” Restatement (Second) of Torts § 652D, at 383 (Am. L. Inst. 1965).
Reaching further back, publishers in England were prosecuted under a fourteenth century
statute banning “constructive treason” for printing “seditious, poisonous, and scandalous”
information even if that information was not false and defamatory. William T. Mayton,
Seditious Libel and the Lost Guarantee of a Freedom of Expression, 

,
100–101 (1984); Geoffrey R. Stone et al., Constitutional Law 1009–10 (8th ed. 2018).
Similarly, while libel required that the published information dishonor another or provoke
violence, “truth was no defense.” Philip Hamburger, The Development of the law of
Seditious Libel and the Control of the Press, 

, 712 (1985).
While it is commonly accepted that Congress passed § 230 in part as reaction to a
case involving a defamation suit against an internet company, see Malwarebytes, Inc., 141
S. Ct. at 14 (Thomas, J., statement respecting denial of certiorari) (discussing Stratton,

), § 230(c)(1) protection is not limited to defamation suits.
13
USCA4 Appeal: 21-1678      Doc: 88          Filed: 11/03/2022     Pg: 14 of 28
improper character. We have interpreted “publisher” in §230(c)(1) in line with this
common-law understanding. Thus for § 230(c)(1) protection to apply, we require that
liability attach to the defendant on account of some improper content within their
publication. See Erie Ins. Co., 925 F.3d at 139–40 (“There is no claim made based on the
content of speech published by [Defendant]—such as a claim that [Defendant] had liability
as the publisher of a misrepresentation of the product or of defamatory content.”).
This improper-content requirement helps dispel Public Data’s notion that a claim
holds a defendant liable as a publisher anytime there is a “but-for” causal relationship
between the act of publication and liability. See Appellee’s Response Brief 20–21 (“Put
another way, had Public Data not published court records on its website, Plaintiffs could
not have brought their Section 1681g(a) claim.”). This “but-for” publication test would
say a claim treats an entity as a “publisher” under § 230(c)(1) if liability hinges in any way
on the act of publishing. This but-for test bears little relation to publisher liability at
common law. To be held liable for information “as the publisher or speaker” means more
than that the publication of information was a but-for cause of the harm. See Erie Ins. Co.,
925 F.3d at 139–40; HomeAway.com, 918 F.3d at 682.
Erie Insurance is a good example. There, we held that Amazon was not protected
by § 230(c)(1) in a product-liability suit even though publishing information was a but-for
cause of the harm—i.e., the product was bought from Amazon’s website, making the
advertisement’s publication a necessary link in the causal chain that led to setting the
buyer’s house on fire. See Erie Insurance Co., 925 F.3d at 138–40. Though publishing
information was a but-for cause, we refused to apply § 230(c)(1) protection because the
14
USCA4 Appeal: 21-1678      Doc: 88          Filed: 11/03/2022     Pg: 15 of 28
plaintiff’s product-liability claim was based on Amazon “as the seller of the defective
product . . . [not] the content of speech published by Amazon.” Id. at 139–40.
So, to paraphrase the test we began with, a claim only treats the defendant “as the
publisher or speaker of any information” under § 230(c)(1) if it (1) bases the defendant’s
liability on the disseminating of information to third parties and (2) imposes liability based
on the information’s improper content.
Based on these two requirements, we can see that § 230(c)(1) does not provide
blanket protection from claims asserted under the FCRA just because they depend in some
way on publishing information. Yes, the FCRA imposes procedural obligations on any
“consumer reporting agency.” See Ross v. FDIC, 

, 812 (4th Cir. 2010) (“The
FCRA is a comprehensive statutory scheme designed to regulate the consumer reporting
industry.”). And each claim here alleges that Public Data ignored those obligations as a
member of that regulated industry. 16 So publishing information online is a but-for cause
16
Each FCRA claim here is triggered by a defendant’s status as a “consumer
reporting agency” as defined in 15 U.S.C. § 1681a(f). See 15 U.S.C. §§ 1681g(a) (“Every
consumer reporting agency shall”); 1681k(a) (“A consumer reporting agency . . . shall”);
1681b(b)(1) (“A consumer reporting agency may furnish a consumer report for
employment purposes only if”); 1681e(b) (“Whenever a consumer reporting agency
prepares a consumer report it shall”).
A “consumer reporting agency” is defined as “any person which, for monetary
fees . . . regularly engages . . . in the practice of assembling or evaluating consumer credit
information . . . for the purpose of furnishing consumer reports to third parties.”
§ 1681a(f). Circular as it is, “companies that regularly prepare consumer reports” are
consumer reporting agencies. Berry v. Schulman, 

, 605 (4th Cir. 2015). The
district court did not determine whether Plaintiffs made sufficient allegations to prove that
Public Data is a “consumer reporting agency,” and we take no position on that question.
Of course, Public Data may contest that claim below. But here we only consider the
preliminary question of whether § 230 bars Plaintiffs’ FCRA claims even if Public Data is
a “consumer reporting agency.”
15
USCA4 Appeal: 21-1678       Doc: 88         Filed: 11/03/2022           Pg: 16 of 28
of Public Data being a consumer reporting agency subject to the FCRA’s requirements.
Most of what Public Data allegedly does, after all, is publish things on the internet. That
means that publishing information is one but-for cause of these FCRA claims against
Public Data. If Public Data is a “consumer reporting agency” subject to FCRA liability, it
is one because it is the publisher or speaker of consumer report information. Yet that alone
is not sufficient, as we do not apply a but-for test. See Erie Ins., 925 F.3d at 139–140;
HomeAway.com, 918 F.3d at 682. We must instead examine each specific claim. 17
It is also true that, at a high level, liability under the FCRA depends on the content
of the information published. Both the definition of “consumer reporting agency” and the
definition     of    “consumer      reports”        reference      “credit     information”   or
“information . . . bearing on a consumer’s credit worthiness.” § 1681a(d)(1), (f). If Public
Data and its activities did not meet these definitions, there could be no liability under these
FCRA claims. In this way, liability for each claim hinges on the published information’s
content. Yet, while the informational content matters, § 230(c)(1) protects Public Data
only from claims that demand the information’s content be improper before imposing
liability.   And, as a class, there is nothing improper about “credit information” or
17
Section 230(e) catalogues other laws for which § 230(c)(1) must not be construed
to impair. And the FCRA is not on the that list. But that tells us little about whether
§ 230(c)(1) can bar specific FCRA claims because § 230(e) does not establish “an
exception to a prohibition that would otherwise reach the conduct excepted.” Edward J.
DeBartolo Corp. v. Fla. Gulf Coast Bldg. & Constr. Trades Council, 

, 582
(1988). Instead, it suggests a “clarification of the meaning of [§ 230] rather than an
exception” to its coverage. Id. at 586. In other words, a FCRA claim must first impose
liability on the defendant as the publisher or speaker of information to trigger the FCRA in
the first place. If it does, then § 230(c)(1) can apply to FCRA claims. And if it does not,
then § 230(c)(1) will not apply.
16
USCA4 Appeal: 21-1678      Doc: 88          Filed: 11/03/2022       Pg: 17 of 28
“information . . . bearing on a consumer’s credit worthiness.” Again, we must examine
each specific claim in context to see if the claim treats Public Data as a publisher under
§ 230(c)(1).
Finally, when considering whether any claim treats Public Data as a publisher, our
precedent teaches that we must look beyond the claim’s formal elements. Beginning in
Zeran, our Court has stressed a functional approach. In our functional analysis, we ask
whether holding this defendant liable requires treating them as a publisher, not whether
every abstract violation requires it. See Zeran, 129 F.2d at 332; Erie Ins. Co., 925 F.3d at
139. To make this determination, we look to see what the plaintiff in our case must prove.
If the plaintiff’s recovery requires treating the defendant as a publisher, then the defendant
has satisfied § 230(c)(1)’s second requirement.
Zeran itself is instructive. There, Kenneth Zeran made a negligence claim against
AOL. Zeran, 

. A defendant can, of course, be negligent without publishing
anything. Yet Zeran asserted that AOL was negligent “because it communicated to third
parties an allegedly defamatory statement.” 

. That is, Zeran’s specific negligence
claim treated the defendant as a publisher. So while not every negligence claim treats a
defendant as a publisher, Zeran’s negligence claim did; so we held that claim was
foreclosed by § 230(c)(1). Id. at 332–33.
We thus turn to the four specific claims asserted.
Count One is based on FCRA § 1681g and does not seek to impose liability on
Public Data as a speaker or publisher of any information. Section 1681g requires consumer
reporting agencies to give consumers a copy of their own consumer report along with an
17
USCA4 Appeal: 21-1678      Doc: 88          Filed: 11/03/2022     Pg: 18 of 28
FCRA notice upon request. 18 So it is based on a failure to disseminate information about
an individual to that same individual, not a third party. Recall that “[p]ublication of
defamatory matter is its communication intentionally or by a negligent act to one other
than the person defamed.” See Restatement (Second) of Torts § 577, at 201 (emphasis
added). So Section 1681g does not seek to hold Public Data liable “as the publisher” under
§ 230(c)(1), and § 230(c)(1) does not bar Count One.
Like Count One, Count Three does not treat Public Data as a speaker or publisher.
Count Three seeks to impose liability on Public Data for violating § 1681b(b)(1), which
lays out two requirements that a consumer reporting agency must meet before they may
provide a consumer report “for employment purposes.” § 1681b(b)(1). First, the employer
who gets the report must certify both that they have complied with the FCRA’s
requirements and that they will not use the information in violation of state or federal law.
§ 1681b(b)(1)(A)(i)–(ii). And, second, the consumer reporting agency must also provide
a summary of the consumer’s FCRA rights to the employer. § 1681b(b)(1)(B).
18
Zeran left the door open to finding § 230(c)(1) protection applies when a claim
holds a party liable for a decision not to publish, Zeran, 

, and we need not
decide here if we should shut it. Zeran suggested that it might allow § 230(c)(1) to bar
claims whenever avoiding liability under those claims would require acting as a publisher.
Id. In other words, it is possible to read Zeran as applying § 230(c)(1) protection when an
interactive service provider would be held liable for failing to publish information. See id.;
see also Doe v. Internet Brands, Inc., 

, 851 (implying that not providing a
warning can be an act of publishing by considering whether § 230(c)(1) could bar a
negligent-failure-to-warn claim). Since even in those circumstances the failure to publish
would still need to relate to information meant to be disseminated to third-parties, we need
not reach this question here.
18
USCA4 Appeal: 21-1678      Doc: 88         Filed: 11/03/2022     Pg: 19 of 28
The requirement that a consumer reporting agency obtain certification from an
employer is easily disposed of because liability is in no way based on the improper content
of any information spoken or published by Public Data. Here, if liability is based on
information, it is only Public Data’s failure to obtain the required information
(certification) from the employer that matters.
Slightly more vexingly, Count Three also does not treat Public Data as a publisher
because liability depends on Public Data’s failure to provide a summary of consumer rights
to the putative employer (§ 1681b(b)(1)’s second requirement). Even if Public Data’s
decision to not provide the required summary could be described as a publisher’s decision,
the information it failed to provide is proper and lawful content. And § 230(c)(1) applies
only when the claim depends on the content’s impropriety. Therefore, Public Data’s failure
to summarize consumer rights cannot fall within § 230(c)(1) protection.
Unlike Counts One and Three, Counts Two and Four may seek to hold Public Data
liable as the publisher of information. Section 1681e(b), the basis for Count Four, requires
that a consumer reporting agency “follow reasonable procedures to assure maximum
possible accuracy of the information concerning the individual about whom the report
relates.” Likewise, liability under § 1681k(a), the gravamen of Count Two, requires that a
consumer reporting agency that is selling consumer reports “for employment purposes”
which “are likely to have an adverse effect on a consumer’s ability to obtain employment”
must “maintain strict procedures” to ensure that any consumer information “is complete
19
USCA4 Appeal: 21-1678       Doc: 88         Filed: 11/03/2022       Pg: 20 of 28
and up to date.” §§ 1681k(a), 1681(k)(a)(2). 19 Thus, both claims seek to impose liability
based on an agency’s failure to maintain proper procedures to ensure accurate information.
On its face, liability for failing to maintain proper procedures does not seem to fall within
§ 230(c)(1)’s ambit as we have described it. After all, the FCRA’s statutory language here
requires neither dissemination of information to third parties nor improper content. Yet a
little digging uncovers two levels of complexity.
First, current Fourth Circuit precedent requires that a plaintiff bringing a claim under
both § 1681e(b), and by implication § 1681k(a), show the defendant’s “consumer report
contains inaccurate information.” Dalton, 257 F.3d at 415. Though the textual basis for
requiring an inaccuracy is unclear, Dalton provided that liability under Counts 2 and 4
depend on inaccurate information. 20       And that suggests that Counts 2 and 4 thus
functionally impose liability on the defendant based on the information’s impropriety.
Second, a private plaintiff bringing a claim in federal court, as is the case here, under
§ 1681e(b) or § 1681k(a) must show that Public Data disseminated information to third
parties to satisfy Article III standing. TransUnion LLC v. Ramirez, 

, 2214
19
Liability under § 1681k(a) also requires that the defendant fail to provide
notifications to the consumer that the report was provided to a potential employer.
§ 1681k(a)(1). We have already explained why a consumer-notification requirement like
this does not impose liability on Public Data as a publisher or speaker of information—it
is a failure to disseminate information about an individual to that same individual, not a
third party.
20
Dalton held that violating § 1681e(b) requires inaccurate information. Id. While
Dalton did not address § 1681k(a)’s reasonable-procedures requirement, we see no
principled way to distinguish the two provisions and so read Dalton to require the same
inaccuracy.
20
USCA4 Appeal: 21-1678      Doc: 88          Filed: 11/03/2022     Pg: 21 of 28
(2021). The statutory provisions might be violated without the dissemination of any
information, as the FCRA itself does not condition these provisions on disseminating the
report but on failing to follow proper procedures to ensure a report’s accuracy. But a
private plaintiff lacks standing to bring a reasonable-procedures claim unless the plaintiff’s
report was provided to a third party. Id. So it may be that these reasonable-procedures
claims turn on Public Data providing the inaccurate information to a third party. 21 See id;
Spokeo, Inc. v. Robins, 

, 342 (2016) (providing “entirely accurate”
information without complying fully with the FCRA’s procedures is a “bare procedural
violation” that cannot “satisfy . . . Article III”). Considering past precedent and the
Constitution’s limited judicial power, perhaps Counts Two and Four functionally depend
on Public Data disseminating inaccurate information to a third party. But we need not, and
do not, decide whether our functional approach can stretch the meaning of being “treated
as the publisher or speaker of any information” far enough to cover Counts Two and Four.
For as we will see, Public Data was “another information content provider” for the
information at issue in Counts 2 and 4. So, based on the third requirement, § 230(c)(1)
protection fails for those two counts.
B.     Requirement Three: Provided by Another Information Content
Provider
The third and final requirement for § 230(c)(1) protection is that the information at
issue in the plaintiff’s claim be “provided by another information content provider.”
21
Again, at least in federal court. See TransUnion, 141 S. Ct. at 2224 n.9 (Thomas,
J., dissenting) (suggesting a non-publication claim could be brought in state court).
21
USCA4 Appeal: 21-1678       Doc: 88         Filed: 11/03/2022      Pg: 22 of 28
§ 230(c)(1) (emphasis added). An “‘information content provider’ means any person or
entity that is responsible, in whole or in part, for the creation or development of information
provided through the Internet or any other interactive computer service.” § 230(f)(3).
Plaintiffs argue that this third requirement is not met because Public Data itself is
an “information content provider” for the relevant information. 22 We agree. The plaintiffs’
complaint plausibly alleges that Public Data is an information content provider for the
information that creates liability under these two counts. So, on these alleged facts,
§ 230(c)(1) does not bar Counts Two and Four. 23
Public Data is an “information content provider” if they are “responsible, in whole
or in part, for the creation or development” of the information at issue. This Court has
never fully defined the terms “creation” or “development” as they are used in the statute.
22
Public Data can be both “a provider or user of an interactive computer service”
and also the “information content provider.” And when a defendant is both, § 230(c)(1)
provides no protection. Section 230(c)(1) applies only when the information for which
liability is being imposed on the provider or user of an interactive computer service is
“provided” by “another” information content provider. § 230(c)(1). The use of the
modifier another shows that an interactive computer service provider can be an information
content provider at the same time. See § 230(c)(1) (“No provider or user of an interactive
computer service shall be treated as the publisher or speaker of any information provided
by another information content provider.” (emphasis added)). And when a provider of an
interactive computer service also provides the information at issue in a claim, it receives
no protection under § 230(c)(1). See Nemet, 

. In other words, § 230(c)(1)
does not protect entities for their own speech, it protects them only when they serve as a
conduit for other’s speech. See Zeran, 

.
23
Since we determine that Public Data is an information content provider, we do
not address Plaintiffs’ argument that “provided” in the statute means “provided to the
internet user” not “provided to the internet company.” Appellee’s Brief 34–35; see, e.g.,
Batzel v. Smith, 

, 1033 (9th 2003) (“The structure and purpose of § 230(c)(1)
indicate that the immunity applies only with regard to third-party information provided for
use on the Internet.”).
22
USCA4 Appeal: 21-1678      Doc: 88           Filed: 11/03/2022    Pg: 23 of 28
But we have explained that “lawsuits seeking to hold a service provider liable for its
exercise of a publisher’s traditional editorial functions—such as deciding whether to
publish, withdraw, postpone or alter content—are barred.” Zeran, 

; see
also Nemet, 

 ( “creation” or “development” of information requires
“something more than [what] a website operator performs as part of its traditional editorial
function”).
Other circuits have put more flesh onto these definitions, determining that an
interactive computer service provider or user is responsible for the development 24 of the
information at issue in the case if they “directly and ‘materially’ contributed to what made
the content itself ‘unlawful.’” Force v. Facebook, 

, 68 (2d Cir. 2019) (quoting
LeadClick, 

); see Fair Hous. Council of San Fernando Valley v.
Roommates.Com, LLC, 

, 1168 (9th Cir. 2008) (explaining that a defendant
is an information content provider if they “contribute[d] materially to the alleged illegality
of the conduct”); Jones, 755 F.3d at 413 (“Consistent with our sister circuits, we adopt the
material contribution test.”). And while this Court has never explicitly adopted “material
contribution” as the test, we applied it in Nemet to determine that the website operator there
was not an information content provider. See Nemet, 

257–58 (noting that the
plaintiff failed to allege that the website operator “contributed to the allegedly fraudulent
nature of the comments at issue”).
24
Since we find that Public Data has “developed” the information at issue we need
not consider whether it might also have “created” that information.
23
USCA4 Appeal: 21-1678       Doc: 88        Filed: 11/03/2022      Pg: 24 of 28
Additionally, the material-contribution test fits well within our broader § 230(c)(1)
jurisprudence. Zeran and Nemet rest on the principle that liability for an interactive
computer service user or provider must turn on “something more than . . . its traditional
editorial function.” Nemet, 

258 (citing Zeran, 

). All the
material-contribution test does is put a more helpful name to this “something more”
standard. And defining “something more” as a material contribution makes sense. As
Zeran notes, § 230 bars liability against “companies that serve as intermediaries for other
parties’ potentially injurious messages.” Zeran, 

330–31. But where a company
materially contributes to a message’s unlawful content, that company stops being a mere
“intermediary” for another party’s message. Instead, the company is adding new content
to the message that harms the plaintiff. We thus hold that an interactive computer service
is not responsible for developing the unlawful information unless they have gone beyond
the exercise of traditional editorial functions and materially contributed to what made the
content unlawful.
Whether a defendant developed information such that they are an “information
content provider” turns on whether the defendant has materially contributed to the piece(s)
of information relevant to liability. Section 230(c)(1) applies if a defendant has materially
contributed only to parts of the disseminated information that do not make the disseminated
information unlawful (if § 230(c)(1) is otherwise applicable). For example, in Jones, the
Sixth Circuit determined that a website had not materially contributed to defamatory
content that it hosted. Jones, 755 F.3d at 416. This was so even though the website
operator had authored his own comments underneath the alleged defamatory material. Id.
24
USCA4 Appeal: 21-1678       Doc: 88         Filed: 11/03/2022      Pg: 25 of 28
In drawing this conclusion, the court noted that “[t]o be sure, [the operator] was an
information content provider as to his comment . . . [b]ut [Plaintiff] did not allege that [the
operator’s] comments were defamatory.” Id. In other words, the § 230(c)(1)’s third
requirement did not turn on whether the defendant materially contributed to some part of
the total information disseminated—i.e., the entire post—but on whether the defendant
materially contributed to the defamatory aspect of the information. Id.; see La Liberte v.
Reid, 

, 89 (2d Cir. 2020) (applying liability when defendant was responsible
for the content’s defamatory portion). Our approach is the same. See Nemet, 

255–60 (discussing twenty allegedly defamatory posts in separate groups based on the
defendant’s involvement with the posts before concluding that the plaintiff failed to show
that defendant “was responsible for the creation or development of the allegedly
defamatory content at issue”).
Plaintiffs have alleged enough facts to show that Public Data’s own actions
contributed in a material way to what made the content at issue in Counts Two and Four
inaccurate and thus improper. Plaintiff McBride claims that the report Public Data sent to
his potential employer was inaccurate because it omitted or summarized information in a
way that made it misleading.       And, from Plaintiffs’ allegations, it is plausible that
McBride’s report was misleading based on Public Data’s own actions.
As a general matter, Plaintiffs claim that Public Data handles criminal matters by
“strip[ping] out or suppress[ing] all identifying information relating to the charges . . .
[including] dispositions” and that it then “replace[s] this information with [its] own
internally created summaries of the charges, bereft of any detail.” J.A. 30. As to McBride’s
25
USCA4 Appeal: 21-1678       Doc: 88          Filed: 11/03/2022      Pg: 26 of 28
report specifically, Plaintiffs allege that the report “suggest[ed] that Plaintiff McBride had
been convicted of each of the offenses listed,” but that “the report was inaccurate and
incomplete as it failed to indicate that several of the offenses listed had been nolle prossed.”
J.A. 37–38. These allegations, and all reasonable inferences, sufficiently allege that the
inaccuracies in McBride’s report resulted from Public Data’s stripping out the nolle
prosequi disposition for McBride’s charges and adding in its own misleading summaries.
Thus, on Plaintiffs’ allegations, Public Data’s summaries and omissions materially
contribute to the report’s impropriety. They are not merely an exercise of traditional
editorial functions. When Zeran proclaimed that § 230(c)(1) barred claims based on a
defendant’s exercise of traditional editorial functions, it also provided a suggestive list
including “deciding whether to publish, withdraw, postpone or alter content.” Zeran, 

. Of course, in a sense, omitting the criminal charge dispositions is just
“altering” their content, as is creating new charge summaries. Yet, Zeran’s list of protected
functions must be read in its context, and that context cabins that list to merely “editorial”
functions. It cannot be stretched to include actions that go beyond formatting or procedural
alterations and change the substance of the content altered. 25 An interactive service
25
An extreme example helps illustrate this point. Take a writer of a ransom note
who cuts letters out of a magazine to list his demands. That writer might be said to be
“altering” content. Yet, the note’s writer is hardly acting as an “editor” of the magazine.
Instead, he has substantively changed the magazine’s content and transformed it from
benign information about sports or entertainment into threatening information about bags
of cash and ultimatums.
26
USCA4 Appeal: 21-1678       Doc: 88          Filed: 11/03/2022      Pg: 27 of 28
provider becomes an information content provider whenever their actions cross the line
into substantively altering the content at issue in ways that make it unlawful. 26
Applying these principles to Counts Two and Four, Public Data—according to
Plaintiffs’ allegations—has materially contributed to what makes the content at issue
unlawful. The content relevant to Counts Two and Four is only unlawful because it is
inaccurate. But, as alleged, the content provided to Public Data about McBride was not
inaccurate. Instead, through Public Data’s actions, the records were changed so as to
introduce the inaccuracies. Public Data thus made substantive changes to the records’
content that materially contributed to the records’ unlawfulness. That makes Public Data
an information content provider, under the allegations, for the information relevant to
Counts Two and Four, meaning that it is not entitled to § 230(c)(1) protection for those
claims.
*              *              *
26
Drawing this line here is reinforced by another contextual reading of Zeran’s list
of traditional editorial functions. After listing some traditional editorial functions for which
liability is barred, Zeran then said that § 230(c)(1) prevents suits that “cast [the defendant]
in the same position as the party who originally posted the offensive messages.” Id. at 333.
Zeran saw § 230(c)(1) as vicarious liability protection that could not be used as a shield
when the offensiveness of the message comes from the defendant themselves rather than a
third party. See id.; see also Nemet, 

 (“Congress thus established a general
rule that providers of interactive computer services are liable . . . for speech that is properly
attributable to them”); cf. La Liberte, 966 F.3d at 89 (holding that there is no § 230
immunity for a defendant who posted a third-party’s photo, but who supplied her own
defamatory commentary to it). So we may not read the traditional editorial functions listed
in Zeran so broadly as to include a defendant’s substantive alterations that introduced the
inaccuracy or falsity at issue in the claim.
27
USCA4 Appeal: 21-1678      Doc: 88          Filed: 11/03/2022     Pg: 28 of 28
Section 230(c)(1) provides protection to interactive computer services. Zeran, 

. But it does not insulate a company from liability for all conduct that happens
to be transmitted through the internet. Instead, protection under § 230(c)(1) extends only
to bar certain claims, in specific circumstances, against particular types of parties. Here,
the district court erred by finding that § 230(c)(1) barred all counts asserted against Public
Data. To the contrary, on the facts as alleged, it does not apply to any of them. Counts
One and Three are not barred because they do not seek to hold Public Data liable as a
publisher under the provision. Counts Two and Four are not barred because Public Data
is itself an information content provider for the information relevant to those counts.
REVERSED AND REMANDED
28