Will an Obscure Internet Law Screw Up Your Credit Score?
Section 230 of the Communications Decency Act has created the dumpster fire of today's internet. Regulators Lina Khan and Rohit Chopra are fighting to stop it from applying to finance.
Welcome to BIG, a newsletter on the politics of monopoly power. If you’d like to sign up to receive issues over email, you can do so here.
Since 1997, The Source for Public Data, L.P, a firm that sells dossiers on individuals, has been compiling background information from public records, such as criminal files, and selling it, often to employers who are getting background information on potential hires. As one might expect, there are frequently errors in such data, like applying the wrong name to a record, which causes serious problems for individuals who cannot get jobs because they are wrongly understood to have engaged in criminal activity.
Naturally, people have been litigating against Public Data for years, asking the firm to correct inaccurate information. Regulators have also been investigating Public Data as well, because what it is doing fits under a well-understood problem: consumer and credit reporting. A credit report is a basic mechanism that sets the terms by which people in modern America can get credit, insurance, and sometimes employment. Traditionally, selling dossiers for use by employers or credit decisions fits under a law called the Fair Credit Reporting Act, which was passed in 1970 because, well, people were having trouble with inaccurate information in their credit reports, and couldn’t get jobs because of it.
Since Public Data is engaging in what has been understood to be a well-regulated activity, you would think that it would come under a regulatory purview. But the firm has refused to obey the Fair Credit Reporting Act. We are not a consumer reporting agency, they said, we are a website that is merely facilitating speech by selling data. Much like Facebook isn’t liable for what its users say because law called Section 230 of the Communications Decency Act shields the firm from liability for third party speech, Public Data isn’t responsible for the accuracy of information it procures from third parties. And surprisingly a judge recently agreed with them. Now, Public Data isn’t that important a firm, but the case is widely watched, because if the loophole a judge punched through the law stands, then a lot of financial rules are going to be tossed out the window.
The Fair Credit Reporting Act has a fascinating history. Even though FCRA was passed in 1970, it is in many ways the first Big Data law, passed at the dawn of the computer age to help build a national credit market. Visa, then called BankAmericard, built the first real-time commercial data network in 1973. It also has New Deal roots, going through the Banking Committee back when it was run by the populist New Dealer Wright Patman of Texas, through the subcommittee of the only female member of the panel, Leonor Sullivan.
The context here is actually similar to what we’re dealing with today. In the mid-1960s, the government was experimenting with databases to track information on every citizen, which terrified the American public. This law, among others, was meant to short-circuit such all-encompassing surveillance. Richard Nixon in signing FCRA, noted that one reason for the law was to assuage the fear there might be “a nationwide data bank covering every citizen.” The goal of the law was threefold. First, legislators sought to stop the local unfair snitch culture of credit reporting. Second, they wanted to foster a national market for credit to support the then-new innovation of the credit card. And third, they aimed to protect the right to privacy by giving people some due process over how private firms used their personal information.
Prior to credit scores, local merchants would use private detective-style ‘business intelligence’ firms to ascertain credit and employment backgrounds, often hiring detectives to find out your reputation. The Congressional record is full of these kinds of complaints. A woman might not be able to insure jewelry because her nosy neighbor saw her with too many men, or a guy might never be able to get a job because someone once told a credit reporting agency that he drinks a lot. Yet, it was critical to have credit information of some sort, so that lending and insuring could happen. The FCRA was the result, and helped create standards for clear structured data that could exclude overt discrimination and hearsay.
To strike this balancing act, the FCRA gives consumers certain rights over their credit files. Consumer credit reporting agencies are only allowed to sell reports for certain purposes, like for loan applications or insurance, and must get permission to sell them to employers. Consumers have the right to see their files or to dispute inaccurate information, and credit or consumer reporting agencies must tell consumers if a report was used to deny them a job, a loan, or insurance. There’s more - the law has a long history - but the FCRA is the backbone of modern consumer financial protection. Last year, the Federal Trade Commission and the Consumer Financial Protection Bureau, both of whom enforce the law, received over 300,000 complaints about credit or consumer reporting.
Enter Public Data.
For years, consumers have been asking Public Data to correct inaccurate information, using their right to dispute under FCRA, as well as complaining to regulators about the firm. But Public Data, which puts forward the spirit of the American Revolution as justification for selling consumer dossiers to employers, will not comply. Instead, the firm claims it is not a credit reporting agency, but an ‘interactive computer service’, like Facebook or Craigslist. The government records it compiles, it claims, are those of a third party speaker, so it is immune from any liability as a consumer reporting bureau. It is using a law, Section 230 of the Communications Decency Act, passed in 1996, to make that case.
Section 230 has been in the news a lot because of disputes over big tech, most recently due to the “Facebook whistleblower” who called for reforms to the law. Section 230 is a sort of public utility rule, essentially saying that operator of websites and apps that help people talk to each other, ‘interactive computer services,’ aren’t responsible for what people use them for. It’s kind of like saying that AT&T isn’t liable for the conversations its users have over the phone network.
That kind of law intuitively makes sense. The goal was to make it so that AOL wasn’t liable for the speech of its users when they were in an AOL chatroom. But this law has been stretched to cover everything from Amazon refusing to take liability for faulty products sold through its warehouses to stalking and illegal gun sales through platforms, all of which the platforms say is mere ‘speech’ and thus not their problem (with courts gradually figuring out some limitations). Now it’s being stretched to gut the FCRA.
This isn’t the first time that Section 230 has entered the financial world, but what is surprising is that in a district court, such an outlandish claim was successful. District Court Judge Henry Hudson, An old George W. Bush appointee, dismissed the complaint against Public Data, on the grounds that Section 230 does preclude it from being liable as a consumer or credit reporting bureau. It is not a consumer reporting bureau, the judge claimed, it is a tech platform that happens to sell consumer dossiers.
It’s a surprising decision, and opens the door for Section 230 to overturn all sorts of possible rules and regulations. After all, what isn’t a website these days, and thus who couldn’t lay claim to immunity from public rules or liability under Section 230 using creative legal theories?
As one might expect, the plaintiffs have asked the Fourth Circuit Court of Appeals to overturn the case. And they are backed by regulators. FTC Chair Lina Khan, CFPB Director Rohit Chopra, and North Carolina Attorney General Josh Stein have jointly filed an amicus brief against Public Data. Their argument is that credit reporting isn’t a question of speech, it’s a question of regulating the process by which credit reporting happens. It’s not illegal to have inaccurate information in credit files, but it is illegal to not have a process to dispute these files. Since FCRA regulates market behavior and not speech, Section 230 does not apply. That’s their legal argument, at any rate.
While the actual firm involved isn’t very important, these kinds of cases are widely watched, because they set the rules by which market participants operate. If Public Data escapes liability under Section 230, we can expect a lot more financial firms to test the boundaries of financial regulation.
For years, this kind of legal shapeshifting would go unnoticed, or even nodded at benevolently by regulators in the name of disruption. But we have a new generation in power. Khan and Chopra have made it clear that they are going to push back. “As tech companies expand into a range of markets,” they argued in a joint statement, “they will need to follow the same laws that apply to other market participants.” They cannot abuse a legal shield to “gain an undue competitive advantage over law-abiding businesses.”
Law is made at the boundaries. As the inflection point of digitization hits every part of our economy, these kinds of battles will determine the shape of society. Will we have any rights at all over the private firms who track us and determine whether we can get credit or employment? Congress passed a law ensuring we would. Now it’s up to our regulators to make sure that this promise stays aloft in the internet age.
"And they are backed by regulators. FTC Chair Lina Khan, CFPB Director Rohit Chopra, and North Carolina Attorney General Josh Stein have jointly filed an amicus brief against Public Data. Their argument is that credit reporting isn’t a question of speech, it’s a question of regulating the process by which credit reporting happens. It’s not illegal to have inaccurate information in credit files, but it is illegal to not have a process to dispute these files. Since FCRA regulates market behavior and not speech, Section 230 does not apply."
It would be awesome if this view is upheld on appeal, and Facebook/Google et al. are held to the same standard with respect to any libel that others publish on their platforms. I do see a carve out though, in that Facebook/Google/etcetera aren't selling what others publish, whereas Public Data is. So the question is: is there any way for a corporation like Public Data to pivot to a FB/Google model in which the data, or access to the data, is not being sold?
Slightly off topic: The issue of credit reporting agencies offering to improve the credit scores of people if those people send them self-selected valuable data. Then turning around and selling batches of data to companies, some of which is 'corrected' with additional data, others of which isn't, yet giving scores to this data that states creditworthiness equivalency between the people the data represents.
That's super helpful background. But thank goodness for disruptive technology. FICO will fall and we won't have to wait for regulators to catch up because Upstart has started to tear down this insufferable cartel (disclosure: long $UPST (+183% p.a. but thinking about adding more)