REPORT Act 2024: Quadrupled CSAM Fines and Extended Data Retention
Signed into law May 2024, the REPORT Act quadruples fines for failing to report CSAM, extends data preservation to one year, and adds child sex trafficking to mandatory reporting categories.
What the REPORT Act Changed
The REPORT Act (Revising Existing Procedures On Reporting via Technology) was signed into law by President Biden on May 7, 2024. It amends 18 U.S.C. Section 2258A, which governs mandatory reporting of child sexual exploitation material to NCMEC's CyberTipline.
This was bipartisan legislation, sponsored by Senators Marsha Blackburn (R-TN) and Jon Ossoff (D-GA).
Before vs. After
| Provision | Before REPORT Act | After REPORT Act |
|---|---|---|
| Data preservation after report | 90 days | 1 year |
| Initial violation fine (<100M MAU) | $150,000 | $600,000 |
| Initial violation fine (>100M MAU) | $150,000 | $850,000 |
| Subsequent violation fine (<100M MAU) | $300,000 | $850,000 |
| Subsequent violation fine (>100M MAU) | $300,000 | $1,000,000 |
New Mandatory Reporting Categories
Previously, NCMEC CyberTipline reporting was required only for: sexual exploitation of children, child trafficking, CSAM, misleading domain names, and production of CSAM for importation.
The REPORT Act adds two categories:
- Child sex trafficking
- Enticement of a minor
Liability Protections
The Act also provides:
- Children depicted in CSAM (or their representatives) are immune from liability if they report the imagery to the CyberTipline
- Limited liability protections for providers who self-report
- Protections for vendors providing reporting tools
What Platforms Must Do
If your platform allows user-generated content, you are an Electronic Service Provider under federal law. Your obligations:
- Register with NCMEC as an ESP at esp.ncmec.org — this is free and straightforward
- Report CSAM to the CyberTipline when you become aware of it. "Apparent violations" (not just confirmed ones) trigger the reporting obligation.
- Preserve reported content for one year (up from 90 days). This includes associated metadata, user account information, and IP logs.
- Implement hash matching. PhotoDNA (provided by Microsoft) is the industry standard for detecting known CSAM. Application is free but approval takes weeks.
- Document everything. An immutable audit trail of what was detected, when it was reported, and how it was preserved is your best defense.
The fines are now large enough that a single violation can be existential for a smaller platform. Proactive detection and reporting infrastructure is no longer optional.