Facebook, it seems, has developed a system of rating users trustworthiness. It's not clear if this is just a system for internal use or if users' trustworthiness scores are for sale to third parties, but if the latter, then would sure seem that Facebook is a Consumer Reporting Agency and subject to CRA provisions of the Fair Credit Reporting Act (FCRA).
FCRA defines a CRA as
any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.
A consumer report is, in turn, defined as:
any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for [credit, insurance, employment or government license].
Thus, if Facebook is selling information about a consumer's general reputation—trustworthiness—to third parties that might reasonably be expected to use it for credit, insurance, or employment, it's a CRA, and that means it's subject to a host of regulatory requirements as well as civil liability, including statutory damages for willful noncompliance.
Facebook is hardly the only tech company that might be a CRA--I've written about this in regard to Google previously. While Facebook has a bunch of money transmitter licenses and knows it is in the consumer finance space on payments, I suspect it hasn't thought about this from the data perspective. Indeed, I don't think tech companies think about the possibility that they might be CRAs because we think of CRAs as being firms like Equifax that specialize in being CRAs, but FCRA's definition is broader. If I collect data on you that I sell to third parties for employment or insurance or credit purposes, I'm a CRA. Once one plays in consumer data, it's pretty easy to fall into the world of consumer finance regulation. Welcome to a very different Social Network, Mr. Zuckerberg.
Update: Having just read Alan White's post about Thomson Reuters selling data to ICE, it makes me wonder more generally about the applicability of the FCRA to any firm that sells browsing history to parties that use it for credit, insurance, or employment. I suspect that's a more aggressive of a reading of FCRA than a court would accept, but the statutory language is pretty broad, and perhaps it gets a party to discovery.