What does the REPORT Act require of platforms regarding CyberTipline retention and transfer timelines?

1. Retention minimum: from 90 days to one year — what platforms must do

Under the REPORT Act, a completed CyberTipline submission by a provider is treated as a request to preserve the contents provided in the report for one year after submission, replacing the earlier statutory baseline that required preservation for at least 90 days ^{[3] [2]}. Multiple explainers and stakeholder statements summarize this change: advocacy and industry guidance note that providers must adjust retention mechanisms so that materials identified in CyberTipline reports remain available for 12 months to support investigations ^{[1] [6] [7]}.

2. Voluntary retention beyond one year and its stated purpose

The law explicitly permits providers to voluntarily preserve CyberTipline report contents for longer than one year for the purpose of reducing proliferation of OSEAC or preventing online sexual exploitation of children, effectively making one year a floor rather than a cap ^{[3] [1]}. Industry advocates frame this as critical because multi‑jurisdictional investigations and NCMEC processing can exceed short statutory windows; the REPORT Act therefore leaves room for providers to keep data longer when operationally justified ^{[6] [7]}.

3. How preservation must be done: cybersecurity and standards

The statute does not merely set a time frame; it requires providers, within one year of enactment, to preserve materials in a manner consistent with the most recent Cybersecurity Framework from the National Institute of Standards and Technology (NIST) ^[3]. That mandate aims to ensure technical safeguards for stored CyberTipline materials and reflects the REPORT Act’s broader effort to modernize evidence handling and vendor responsibilities ^{[5] [3]}.

4. Transfer and disclosure: to whom and under what conditions

Providers that submit CyberTipline reports may disclose information, including visual depictions contained in the report, to law enforcement agencies, to NCMEC, or as necessary to respond to legal process, consistent with permitted disclosure rules; the statutory language therefore contemplates prompt transfers to investigative partners when required ^{[4] [3]}. The law treats a completed submission as triggering preservation obligations and explicitly preserves the existing ability to share report contents with law enforcement and NCMEC for investigative use ^{[3] [4]}.

5. Enforcement pressures, liability carve‑outs, and competing perspectives

The REPORT Act also increases potential penalties for providers that knowingly and willfully fail to report and extends limited liability protections to vendors that store or transfer CSAM for NCMEC provided they meet cybersecurity requirements, which collectively create incentives and constraints around how long and how securely platforms retain and transmit CyberTipline data ^{[1] [5] [8]}. Critics previously argued that the 90‑day rule was insufficient for complex investigations and that the “actual knowledge” standard was too narrow; the REPORT Act’s 1‑year preservation requirement responds directly to those concerns, though it also raises implementation burdens and privacy/compliance costs for providers ^{[2] [7]}.

6. Practical implication in plain terms

In short, platforms that submit CyberTipline reports must preserve the reported contents for at least one year, implement preservation consistent with NIST’s Cybersecurity Framework within a year of enactment, may voluntarily retain data longer to fight OSEAC, and may disclose preserved materials to NCMEC and law enforcement under existing disclosure authorities — all layered atop heightened penalties and clarified liability rules for vendors and reporters ^{[3] [1] [4]}.