In the current Congressional session (2023-2024), we have seen many bills introduced that relate to the online sexual exploitation and abuse of children (OSEAC) or to child safety more broadly. One of these important pieces of legislation, the Revising Existing Procedures On Reporting via Technology Act (or the REPORT Act), recently passed out of the House of Representatives and was subsequently signed into law by President Biden on May 7, 2024.

The REPORT Act, which was initially introduced last year in the Senate by Sen. Marsha Blackburn (R-TN) and Sen. Jon Ossoff (D-GA), makes statutory changes related to the reporting of crimes involving the online sexual exploitation of children, increases penalties for non-compliant providers, and limits liability for vendors and for self-reporting. In the REPORT Act, “providers” is a catch-all term that refers to electronic communication service providers and remote computing service providers.

At Thorn, we recognize just how impactful the REPORT Act can be for survivors, as well as for all stakeholders in the child safety ecosystem – including content-hosting platforms. Since the REPORT Act is now federal law, we will break down its components and explain how it will impact online platforms.

Components of The REPORT Act

1. Increased Data Retention Requirements: The REPORT Act will extend the legal requirements for providers to retain data from CyberTipline reports from 90 days to one year, as well as allow providers to voluntarily retain data beyond that one-year mark for the purposes of combating OSEAC.
2. Extended Legal Liability & Cybersecurity Requirements for Vendors: The REPORT Act will extend NCMEC’s limited liability to the vendors NCMEC contracts to support its duties, subject to carve-outs for misconduct. NCMEC vendors must also meet minimum cybersecurity requirements.
3. Extended Legal Liability for Self-Reporting CSAM: The REPORT Act will immunize children depicted in CSAM, or their representatives (such as a parent or guardian), from liability if they report the imagery to the CyberTipline, subject to carve-outs for misconduct.
4. Increased Statutory Penalties for Providers: The REPORT Act will increase providers’ statutory penalties for knowing and willful failure to report online sexual exploitation of children, as required by law.
5. Expanded Reporting Requirements for Providers: The REPORT Act will expand providers’ legal reporting requirements to cover (1) apparent violations of child sex trafficking and (2) coercion and enticement of minors.

Impact for Online Platforms

There are three components of the bill that are particularly relevant for online platforms.

The data retention provision will be very impactful for law enforcement who are at the front lines of child sexual abuse and exploitation investigations. Ninety days is an extremely short amount of time for a CyberTipline report to make it from a company, through NCMEC processing, and then to law enforcement for action. With platforms now being required to retain relevant data for at least one year now, law enforcement will have more time to work on cases and access necessary data, and, ultimately, help more victims. For platforms, this means existing data retention mechanisms will need to be adjusted according to this new timeframe. Notably, platforms are able to retain CyberTipline data for more than one year, to combat OSEAC.

The expanded CyberTipline reporting requirements will make it so providers must legally report detected incidents of child sex trafficking and online enticement to NCMEC’s CyberTipline. This may require platforms to tweak internal reporting mechanisms or processes to ensure that these two new types of content are being reported. While the REPORT Act does not mandate detection for these types of content, companies seeking to proactively protect their users and potentially prevent abuse from occurring on their platforms can adopt solutions like Safer’s text classifier.

The increased penalties for providers mean that online platforms could face fines of up to one million dollars for failing to comply with legal reporting requirements to NCMEC's CyberTipline. This increase in fines should be flagged internally, and it is in the best interest of the platforms to ensure that they comply with CyberTipline requirements at all times.

Next Steps for Platforms

Online platforms can benefit from starting internal planning and identifying adjustments needed to meet the requirements of this legislation. While platforms may have to implement some changes, we are confident that the mandate of this legislation will lead to increased child safety online and, importantly, ensure that more victims of child sexual exploitation and abuse receive the help that they deserve.