Section 230 of the Communications Decency Act turns 30 this year. It’s become clear over the past several years that a lot of people do not like this law. Critics blame the statute for content moderation decisions they disagree with, for the spread of harmful material online, and for the market power of dominant platforms. Some of these people want to repeal it outright.
I am not one of those people. Section 230 is a good law that enables free expression online by allowing platforms to host user speech without facing liability for every post. It permits a diversity of content moderation approaches, and it protects small operators who could not survive even meritless lawsuits. The statute has problems, and Congress could improve it, but wholesale repeal would cause more harm than good.
One problem with Section 230 is that people think it is broader than it actually is, or that it means something other than what it says. I have written before about how Section 230 does not protect tech companies’ specific business models or guarantee them a right to monetize user data or conduct financial transactions, and about how Section 230 does not cover outputs from generative AI. Another recurring issue arises when people take facts or data they have found elsewhere and incorporate them into their own expression, most notably in the context of “data brokers.” Data brokers are companies that collect personal information from public records, commercial sources, and other databases, compile it, and sell access to anyone willing to pay: employers running background checks, landlords screening tenants, debt collectors, bail bondsmen, private investigators, even law enforcement agencies looking to get information on someone without needing a judicial warrant.
Some data brokers have invoked Section 230 to try to defeat lawsuits over inaccurate or harmful reports. As discussed below, courts have rejected these claims, and rightly so.
This matters because data brokers cause real harm. Inaccurate reports lead to denied employment, rejected rental applications, and wrongful arrests. People discover that data brokers have linked them to criminal records belonging to someone else with a similar name, or that outdated information about expunged charges or satisfied judgments remains in broker databases, or that intimate details about their lives are available for purchase by anyone with a credit card.
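The mislinked-record harm usually starts as a mundane data-matching problem: a name gets treated as a unique identifier when it is not. Here is a minimal sketch of that failure mode in Python (the records and both matching helpers are invented for illustration; no actual broker’s code is implied):

```python
# Hypothetical illustration: joining records on name alone mislinks
# two different people who happen to share a common name.

court_records = [
    {"name": "James Smith", "dob": "1970-03-14", "charge": "Felony theft"},
]

subject = {"name": "James Smith", "dob": "1988-11-02"}  # a different James Smith

def naive_match(person, records):
    """Join on name only, ignoring date of birth and other identifiers."""
    return [r for r in records if r["name"] == person["name"]]

def stricter_match(person, records):
    """Require the date of birth to agree as well."""
    return [r for r in records
            if r["name"] == person["name"] and r["dob"] == person["dob"]]

print(naive_match(subject, court_records))    # wrongly attaches the 1970 felony
print(stricter_match(subject, court_records)) # [] -- no true match exists
```

The choice of join key is the broker’s, not the courthouse’s, which is part of why the resulting report is fairly treated as the broker’s own content.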
If data brokers could invoke Section 230 to defeat claims based on these harms, the Fair Credit Reporting Act would be gutted. Congress passed the FCRA to require accuracy in consumer reports, and if every consumer reporting function migrated to online “interactive computer services” that disclaimed responsibility for third-party data, the statute’s protections would vanish. Thankfully, that is not the case.
The Difference Between Hosting and Creating Speech
One question is what it means for information to be “provided by another information content provider,” in the statute’s words. A social media platform hosts user speech: the user writes a post, uploads it, and the platform makes that post available. The user is the “information content provider,” and the platform is shielded from liability for the user’s words. (I am compelled to note here that Section 230 does not say that the platform is somehow not the “publisher” of user-submitted content. Of course it is! Section 230 doesn’t change that. It is merely a shield against legal claims. That is all the statute’s language – “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider” – means.)
Data brokers work differently. For example, Thomson Reuters, through its CLEAR platform, compiles what it has called “cradle-to-grave dossiers” on millions of people, containing names, photographs, addresses, criminal history, employment information, financial data, and more. It assembles these profiles from government records, commercial sources, and other data vendors, then sells access to the profiles to law enforcement, employers, and corporate customers.
Thomson Reuters tried to claim Section 230 protection when the company was sued for violating California privacy law. In Brooks v. Thomson Reuters, a federal district court rejected the argument, finding that Thomson Reuters “generates all the dossiers with Plaintiffs’ personal information that is posted on the CLEAR platform.” These are not user posts that Thomson Reuters merely hosts. The court noted that plaintiffs were “not seeking to hold Thomson Reuters liable ‘as the publisher or speaker’ because they are not asking it to monitor third-party content; they are asking it to moderate its own content.”
“In Whole or in Part”
The statute defines “information content provider” as “any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.” The phrase “in whole or in part” is doing a lot of work. You do not need to be the sole author of content to fall outside Section 230’s protection. If you are responsible even “in part” for creating or developing the information at issue, you are an information content provider, and Section 230 does not shield you from liability for that information.
The Ninth Circuit addressed this in Fair Housing Council v. Roommates.com, holding that when a website requires users to answer questions and then publishes the resulting information in a format that facilitates discrimination, the website has contributed to the creation of that content. It becomes a co-author of sorts, losing Section 230 protection for the resulting discriminatory content.
Even more straightforwardly than Roommates.com, when a data broker assembles a dossier linking a person’s name to their photograph, address, criminal record, employment history, and financial information, it is not republishing someone else’s speech but creating, or at a minimum co-authoring, a new information product. The fact that the underlying data originated elsewhere does not change this.
The Fourth Circuit reached this conclusion in Henderson v. Source for Public Data. Public Data aggregates government records and sells background check reports. The plaintiffs alleged the company’s reports were inaccurate and violated the Fair Credit Reporting Act. Public Data argued it merely republished third-party records and thus qualified for Section 230 immunity. The court rejected this defense. It found Public Data was itself the “information content provider” because it “create[d] summaries” and its “own actions contributed in a material way to what made the content at issue … inaccurate.” By stripping context from court records, omitting dispositions, and generating misleading summaries, Public Data was creating new content for which it was responsible.
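To make the Henderson reasoning concrete: a report that copies a charge but drops its disposition conveys something the underlying record never said. A minimal sketch under invented facts (the record, field names, and both summary functions are hypothetical, not drawn from the case):

```python
# Hypothetical illustration: a summary that strips the disposition turns
# a dismissed charge into what reads like an unresolved accusation.

record = {
    "name": "Jane Doe",
    "charge": "Possession of a controlled substance",
    "disposition": "Dismissed",  # the charge never became a conviction
}

def stripped_summary(rec):
    """Omits the disposition, leaving only the bare accusation."""
    return f"{rec['name']}: {rec['charge']}"

def faithful_summary(rec):
    """Keeps the disposition that gives the charge its meaning."""
    return f"{rec['name']}: {rec['charge']} ({rec['disposition']})"

print(stripped_summary(record))  # Jane Doe: Possession of a controlled substance
print(faithful_summary(record))  # Jane Doe: Possession of a controlled substance (Dismissed)
```

The misleading implication originates in the summarizer, which is exactly why the Fourth Circuit treated Public Data as responsible “in part” for the content.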
Section 230 Protects Users Too—But Not for Their Own Speech
One often-overlooked feature of Section 230 is that it protects “provider[s] or user[s]” of interactive computer services. The statute shields not just platforms like YouTube and X but also the people who use those platforms. This matters for understanding where the line falls and sheds light on why data brokers are not covered.
Consider the facts of Banaian v. Bascom, decided by the New Hampshire Supreme Court in 2022. A high school student hacked a middle school teacher’s webpage and replaced it with sexually explicit content suggesting the teacher sought “sexual liaisons with Merrimack Valley students and their parents.” Another student screenshotted the hacked page and tweeted it. The defendants in the case did nothing more than retweet that screenshot. The teacher sued them for defamation, arguing Section 230 was meant to protect internet service providers, not individual users who spread defamatory content. The court disagreed, holding that Section 230’s plain text protects “users” of interactive computer services, and that the retweeting students qualified. The teacher could still sue the hacker and the original tweeter, but not those who merely hit the retweet button.
The California Supreme Court applied the same principle in Barrett v. Rosenthal, decided in 2006. A publicist named Tim Bolen had sent an email attacking two doctors who ran websites critical of alternative medicine. Among other things, the email accused one doctor of stalking a Canadian radio host. Ilena Rosenthal came across Bolen’s email and reposted it to two Usenet newsgroups. The doctors contacted her, warned her the email was defamatory, and threatened to sue. She did not remove it, and they sued her for defamation. The court held that Rosenthal was a “user” of an interactive computer service and was protected by Section 230, even though she actively chose to republish the email after being told it was defamatory.
But this protection has limits. Courts have held that while Section 230 protects users who retweet, it does not protect them for their additional commentary. In US Dominion v. Byrne, a court held that Section 230 did not protect a defendant who retweeted an article and added that he “vouch[ed] for” its contents. The retweet alone would have been protected; the endorsement was the defendant’s own speech. If a user retweets a defamatory statement and adds “This is true and I can confirm it,” the user is liable for those additional words. The retweet is republication of third-party content; the added commentary is the user’s own speech, for which there is no immunity.
For example, think of a hypothetical YouTuber who watches another YouTuber’s video containing defamatory statements, then appears on camera and repeats those statements in her own words. Is she protected by Section 230 because she “heard it from someone else” on the platform? Of course not. She is not republishing third-party content; she is speaking for herself. The fact that she learned the defamatory claim from another source does not transform her into a user merely republishing “information provided by another.” She has adopted the statements as her own, just like the Twitter user who vouches for a retweet. Section 230 is not an “I read it on the internet so don’t blame me” statute. The same reasoning applies to data brokers.
Thirty Years On(Line)
As Section 230 enters its fourth decade, the debates over its scope will continue. Critics from the left often want platforms held accountable for hosting harmful content, while critics from the right often want platforms punished for removing content the critics prefer. Both sides sometimes propose reforms that would damage free expression online.
But many reform proposals could benefit from a better understanding of what Section 230 actually protects: publishers of third-party content, not every business that touches data or operates online. For example, Section 230 does not apply to the outputs of generative AI, despite the fact that AI models are trained on massive sets of data sourced from the internet.
The Ninth Circuit made this clear in HomeAway v. City of Santa Monica (2019), where Airbnb and HomeAway argued that local rental regulations were preempted by Section 230. The court rejected this, holding that “the Platforms face no liability for the content of the bookings; rather, any liability arises only from unlicensed bookings.” The regulation targeted transactions, not speech. The same principle applies to online marketplaces. If a marketplace is legally a “seller” of a product under state law, holding it liable as a seller (e.g. for selling dangerous or defective products) does not conflict with Section 230. The platform is being held liable for the act of selling, not for the words in a marketplace listing. As I have written elsewhere, a marketplace is either a seller or not, and if it is a seller, traditional product liability rules can apply regardless of Section 230.
Section 230 is a good law that promotes speech, enables new services, and protects small operators from ruinous litigation. But defending Section 230 does not require accepting every expansive interpretation that defendants advance. The data broker industry has operated for too long in the shadows, claiming that liability rules designed for different problems somehow immunize its conduct. Courts and regulators should reject these claims, and fortunately they have been doing so. Section 230 was enacted to let platforms host user speech, not to create a surveillance industry free from accountability.