The REPORT Act Explained
In the current Congressional session (2023-2024), we have seen many bills introduced that relate to the online sexual exploitation and abuse of children (OSEAC) or to child safety more broadly. One of these important pieces of legislation, the Revising Existing Procedures On Reporting via Technology Act (or the REPORT Act), recently passed out of the House of Representatives and was subsequently signed into law by President Biden on May 7, 2024.
The REPORT Act, which was initially introduced last year in the Senate by Sen. Marsha Blackburn (R-TN) and Sen. Jon Ossoff (D-GA), makes statutory changes related to the reporting of crimes involving the online sexual exploitation of children, increases penalties for non-compliant providers, and limits liability for vendors and for self-reporting.
At Thorn, we recognize just how impactful the REPORT Act can be for survivors, as well as for all stakeholders in the child safety ecosystem – including technology companies, law enforcement, and civil society organizations. Since the REPORT Act is now federal law, we will break down its components and explain how it could impact our mission to defend children from sexual abuse.
What are the Key Components of the REPORT Act?
Increased Data Retention Requirements
The REPORT Act will extend the legal requirements for electronic communication service providers and remote computing service providers (“providers”) to retain data from CyberTipline reports from 90 days to 1 year, as well as allow providers to voluntarily retain data beyond that 1 year mark for the purposes of combating OSEAC.
Child Safety Impact: The data retention provision will be very impactful for law enforcement who are at the front lines of child sexual abuse and exploitation investigations. Ninety days is an extremely short amount of time for a CyberTipline report to make it from a company, through NCMEC processing, and then to law enforcement for action. With providers now being required to retain relevant data for at least 1 year, law enforcement will have more time to work on cases and access necessary data, and, ultimately, help more victims.
Extended Limited Liability & New Cybersecurity Requirements for Vendors
The REPORT Act will extend NCMEC’s limited legal liability to the vendors NCMEC contracts to support its duties, subject to carve-outs for misconduct. NCMEC vendors must also meet minimum cybersecurity requirements.
Child Safety Impact: The limited legal liability and cybersecurity requirements for vendors is a much needed change to ensure that vendors of NCMEC can more efficiently store CSAM data and transfer that data to NCMEC. Notably, this provision modernizes the process by allowing vendors to use cloud storage for CSAM. This will have big impacts for NCMEC, law enforcement, and other vendors.
Extended Limited Liability for Self-Reporting CSAM
The REPORT Act will immunize children depicted in CSAM, or their representatives (such as a parent or guardian), from liability if they report the imagery directly to the CyberTipline, subject to carve-outs for misconduct.
Child Safety Impact: Currently, child victims and their parents/guardians can utilize TakeItDown to report their own abuse imagery that is online, but federal law is ambiguous concerning their liability for the illegal content. Clarifying that victims and their parents/guardians will not face legal liability for reporting their own abuse imagery is a trauma-informed step forward that will hopefully incentivize more reporting and subsequent removal of this content from the Internet.
Increased Statutory Penalties for Providers
The REPORT Act will increase providers’ statutory penalties for knowing and willful failure to report online sexual exploitation of children, as required by law.
Child Safety Impact: The penalties increased from $150k-$300k all the way up to $600k-$1M, dependent on provider size, which will hopefully encourage more diligent CyberTipline reporting from all providers. The increase in penalties could incentivize providers to put more resources into reporting to ensure compliance.
Expanded Reporting Requirements for Providers
The REPORT Act will expand providers’ legal reporting requirements to the CyberTipline to cover (1) apparent violations of child sex trafficking and (2) coercion and enticement of minors.
Child Safety Impact: The expanded CyberTipline reporting requirements could be a powerful tool in preventing abuse and aiding in victim identification. Research has shown that bad actors often groom potential victims for exploitation and abuse online before luring them to more private online settings, like encrypted messaging apps. In fact, according to Thorn’s report on online grooming in 2022, 2 in 3 kids reported an online-only contact asked them to move from a public chat into a private conversation on a different platform. With this knowledge in mind, we are hopeful that requirements for providers to report known coercion and enticement can help in preventing abuse.
What’s Next?
The REPORT Act’s passage into law is a significant milestone for the child safety ecosystem, and we extend gratitude to many of our partners, including the National Center for Missing and Exploited Children (NCMEC) and the End OSEAC Coalition (of which we are a member of), who worked tirelessly to inform and move this legislation over the past year.
We are grateful for all Members of Congress who engaged with and supported the REPORT Act as it progressed through the Senate and the House of Representatives. We encourage policymakers to not lose sight of other pressing issues that the REPORT Act does not address, such as the lack of transparency from online platforms on their child safety efforts and the need for significant safety by design efforts from online platforms, especially as AI-generated CSAM continues to rise in prevalence.
Click to expand
