In the past few months, there have been a number of notable decisions affirming broad immunity under the Communications Decency Act (CDA), 47 U.S.C. §230(c), for online providers that host third party content. The beat goes on, as in late May, a Utah district court ruled that the Tor Browser, which allows for anonymous communications and transactions on the internet, was protected by CDA Section 230 for a website’s sale of illegal substances to a minor on the dark web via the Tor Browser.

More recently, the D.C. Circuit affirmed the dismissal of claims brought by multiple locksmith companies (the “plaintiffs”) against the operators of the major search engines (the “defendants” or “providers”) for allegedly publishing the content of fraudulent locksmiths’ websites and translating street-address and area-code information on those websites into map pinpoints that were displayed in response to user search requests. (Marshall’s Locksmith Service v. Google LLC, No. 18-7018 (D.C. Cir. June 7, 2019)). According to the plaintiffs, by burying legitimate locksmiths listings (with actual, local physical locations) beneath so-called “scam” listings from locksmith call centers that act as lead generators for subcontractors, who may or may not be fully trained, plaintiffs’ legitimate businesses suffered market harm and were forced to pay for additional advertising. (Beyond this case, the issue of false local business listings appearing in Google Maps remains an ongoing concern, according to a report from the Wall Street Journal yesterday).

The plaintiffs asserted various claims, including antitrust violations, false advertising and a number of state law claims, including unfair competition and tortious interference. The defendants moved to dismiss on several grounds, including that they were immune from suit under CDA Section 230. The lower court dismissed the complaint as barred by the CDA (except the breach of contract claim, which it dismissed on the merits), ruling that the claims were all contingent on the defendants’ actions in republishing third party information in search results.  That court reasoned that “it is the scam locksmiths who provide the original location claim, and the [providers] have created a website that simply re-publishes that information along with associated mapping information.” The D.C. Circuit affirmed the dismissal.

The plaintiffs’ two principal contentions to bypass CDA immunity were that: (1) the defendants published content from third-party websites created by fraudulent locksmiths that defendants knew did not exist at the physical addresses listed; and (2) defendants “enhanced” the listings by creating mapping information based on the locksmith’s false location listings, including publishing fictitious addresses, photos, map locations, and map pinpoints for them. The plaintiffs also noted that if the alleged sham locksmiths listed a location in a city, but no precise address, the search engines would automatically create a map pinpoint somewhere in the listed city.

The court first rejected the plaintiff’s argument that the defendants should be held liable for publishing the content of scam locksmith websites because they were “on actual notice” that this content was fraudulent, concluding that liability for such posting of third-party content is “plainly” barred by the CDA: (“[I]t is “well established that notice of the unlawful nature of the information provided is not enough to make it the service provider’s own speech”).

The court also rejected the plaintiff’s second argument that creating mapping pinpoints and similar “enhanced” content that displays sham locksmith locations falls outside the CDA.  The court held that data collected from a third party and “re-presented in a different format” is protected by the CDA and that “the decision to present this third-party data in a particular format — a map — does not constitute the “creation” or “development” of information for purposes of [the CDA].”

“The underlying information is entirely provided by the third party, and the choice of presentation does not itself convert the search engine into an information content provider. Indeed, were the display of this kind of information not immunized, nothing would be: every representation by a search engine of another party’s information requires the translation of a digital transmission into textual or pictorial form.”

The court characterized the defendants’ automated search results as merely a “consequence of a website design” that depicts search results pictorially, with the maximum precision possible from third-party content of varying precision. The holding is reminiscent of prior rulings where courts have held that translating or condensing third-party information into something pictorial or analytical (e.g., star ratings, automated keyword search tools) does not convert the publisher into the developer of such content. See e.g., Kimzey v. Yelp!, Inc., 836 F.3d 1263, 1270 (9th Cir. 2016) (Yelp’s star rating system, which is based on receiving customer service ratings from third parties and “reduc[ing] this information into a single, aggregate metric” of one to five stars could not be “anything other than user-generated data”). Thus, because the defendants employed a “neutral means” and an “automated editorial act” that do not distinguish between legitimate and fraudulent locksmiths to convert third-party location data into map pinpoints, the court found that such map pinpoints fell within the protection of § 230.

The Marshall’s Locksmith decision is an important, circuit-level decision affirming robust CDA immunity for online providers. In particular, it reaffirms protection for online providers’ use of neutral tools that translate or portray third-party content pictorially or reduce such content as an aggregate metric – put simply, the court stated that such reduction of data does not change the origin of the data and that it does not make the provider into a content developer.

However, the D.C. Circuit cautioned in the closing paragraph of its opinion, “§ 230 immunity is not limitless.”  If a website operator “is responsible, in whole or in part, for the creation or development of information” on its website, then it is an “information content provider.” 47 U.S.C. §§ 230(c)(1) & (f)(3). Indeed, the court rejected the defendants’ “remarkable suggestion at oral argument that they would enjoy immunity even if they did in fact entirely fabricate locksmith addresses,” stating that if that were the case, such data would not be “information provided by another information content provider,” 47 U.S.C. § 230(c)(1), and fall outside of the reach of CDA immunity.