What changes did the REPORT Act of 2024 make to ESP mandatory reporting and CyberTipline data retention?

1. Expanded mandatory reporting: enticement and trafficking added to ESP duties

The Act amends 18 U.S.C. §2258A to require providers to report two new categories—online enticement and child sex trafficking—so that ESP submissions to the CyberTipline must now include those forms of online sexual exploitation alongside child sexual abuse material (CSAM), a change cited as a direct cause of increases in those report types in NCMEC’s 2024 data ^{[1] [3] [5] [6]}.

2. From 90 days to one year: the concrete change in data retention

Under the REPORT Act, a completed CyberTipline submission is treated as a request that the provider preserve the reported contents for one year after submission (up from the previous statutory 90-day preservation period), a statutory amendment memorialized in the bill text and explained in multiple legal analyses ^{[1] [7] [8]}.

3. Voluntary longer preservation and law‑enforcement rationale

The law explicitly permits providers to voluntarily preserve report contents beyond one year for the purpose of reducing proliferation of online child sexual exploitation or preventing such exploitation, a provision pitched by advocates and law enforcement as necessary because 90 days “was an extremely short amount of time” for cases to be processed through NCMEC and into investigative pipelines ^{[1] [4] [8] [2]}.

4. Security and procedure requirements tied to preservation

The statutory language requires preservation to be “consistent with the most recent version of the NIST Cybersecurity Framework,” creating an affirmative cybersecurity standard for how preserved CyberTipline materials must be stored and signaling compliance obligations beyond mere retention ^{[7] [9]}.

5. Liability, privacy and operational trade‑offs for ESPs

The REPORT Act also clarifies and modernizes liability: it creates protections for minors (or their representatives) who report imagery of themselves to the CyberTipline, insulating them from civil or criminal claims related to such self-reporting, while the law preserves carve‑outs for misconduct and includes other liability clarifications for companies and vendors—changes framed as balancing victim protection with operational reporting duties ^{[1] [2] [8]}.

6. What providers and defenders warn about in practice

Industry and defense observers warned that retention and expanded reporting will force operational changes—providers must update reporting workflows, preservation mechanisms and security controls—and that despite the statutory year‑long preservation, real‑world problems (deleted accounts, encryption, delays in law enforcement action and evidence handling) can still leave gaps between reporting and usable evidence ^{[10] [11] [12]}.

7. Early measurable effects and remaining uncertainties

Early reporting data is mixed: NCMEC and advocacy groups report increases in trafficking and enticement tips—attributable in part to the new mandates—while overall CyberTipline totals shifted year-to-year for reasons that include platform reporting behavior and technical limits such as end‑to‑end encryption; these trends highlight that legal change alters obligations but does not eliminate operational, technical or privacy trade‑offs ^{[6] [3] [5] [2]}.

Conclusion: a legal tightening with operational ripple effects

The REPORT Act made two clear statutory changes most relevant to ESPs—expanded mandatory categories to include online enticement and child sex trafficking, and a one‑year preservation rule (with voluntary extension and NIST-aligned security expectations)—while also recalibrating liability for victims and leaving practical implementation questions to providers, NCMEC, and law enforcement to resolve ^{[1] [7] [4] [2]}.