REPORT Act


The Revising Existing Procedures On Reporting via Technology Act is a United States federal law enacted in 2024 which significantly expanded and clarified obligations on online service providers to report suspected online sexual exploitation of children. The law broadens the types of offenses that must be reported, extends data-retention requirements, and clarifies liability protections for companies, vendors, and victims. It amends existing provisions under 18 U.S.C. § 2258A and related statutes governing reports to the National Center for Missing and Exploited Children (NCMEC) CyberTipline.

Background

Concerns about the online sexual exploitation of minors, including child sexual abuse material (CSAM), online enticement, grooming, and child trafficking, have grown in the digital age. The CyberTipline, operated by NCMEC, serves as the central U.S. mechanism for receiving and processing reports of suspected child sexual exploitation. Under federal law, electronic communication service providers and remote computing service providers are required to report apparent instances of child sexual abuse material and related crimes to NCMEC, which then shares the information to appropriate law enforcement agencies.
In recent years, online exploitation reports have risen dramatically, reflecting both increased detection by platforms and the proliferation of encrypted, anonymous, and generative AI technologies. Policymakers and advocacy organizations like NCMEC and RAINN argued that the existing framework did not adequately cover grooming, enticement, or child-trafficking offenses while law enforcement organizations reported that short required data-retention periods hindered investigations due to the growing volume of reports.
A 2024 report by the Stanford Internet Observatory (SIO) found that while the CyberTipline remained “an enormously valuable public-private partnership,” its data-retention rules, system capacity, and provider-interface design had “not kept pace with the scale and complexity of modern online exploitation.”

Prior law

Before the enactment of the REPORT Act, federal reporting requirements for online providers were governed by 18 U.S.C. § 2258A, created through the PROTECT Our Children Act of 2008. Under this framework, providers had to submit reports to the CyberTipline, preserve related content and subscriber information for at least 90 days, and cooperate with law enforcement or face civil penalties for willful failure to report.
Critics said the standard of “actual knowledge” was too narrow, excluding behaviors such as grooming, enticement, and trafficking. The 90-day retention period was viewed as insufficient for lengthy investigations, and the statute did not clearly address liability for vendors that processed CSAM data or for victims who self-reported exploitative imagery. The Stanford Internet Observatory concluded that these limitations led to inconsistent reporting practices and placed strain on investigative capacity.

Legislation

The REPORT Act was introduced in the 118th Congress as S. 474, sponsored by Senator Jon Ossoff and co-sponsored by Senator Marsha Blackburn. Blackburn had been active in child-online-safety legislation since 2022, having co-sponsored the Kids Online Safety Act and held hearings on technology’s impact on minors.
While the full Senate passed S. 474 by unanimous consent on December 14, 2023, policy observers noted significant trade-offs were discussed during the legislative process. The bill passed the House of Representatives on April 29, 2024, and was signed into law on May 7, 2024. A Congressional Budget Office analysis estimated that implementation would have little net budgetary impact but would modestly increase federal oversight and guidance activity.

Provisions

The Act expands the list of offenses requiring reports to NCMEC to include child sex trafficking, coercion or enticement of a minor, and other online exploitation crimes. It replaces the “actual knowledge” requirement with an obligation to report when a provider becomes aware of an apparent violation, broadening when companies must notify authorities.
The minimum preservation period for information tied to a report increases from 90 days to one year, giving investigators more time to request and analyze evidence, though providers may voluntarily retain data longer for legitimate child safety purposes. The Act extended protections to companies that contract with NCMEC to process or store CSAM, provided they comply with statutory requirements and added protections for survivors when submitting their own imagery in good faith for removal or investigation. A further provision in the REPORT Act authorizes NCMEC to issue guidelines on how to recognize indicators of online enticement of children for sexual purposes and child sex trafficking. NCMEC released those guidelines in October 2024.
Under the prior version of 18 U.S.C. § 2258A, providers that knowingly and willfully failed to report could be fined up to $150,000 for the first offense and $300,000 for patterns of violation. The REPORT Act increased the fines substantially with maximum penalties of $600,000–850,000 for the first offense and $850,000–1,000,000 for patterns of violation.