What does the REPORT Act require platforms to preserve after a CyberTipline submission and for how long?

1. What exactly must platforms preserve: “contents provided in the report” and comingled materials

The statute treats a completed CyberTipline submission as a request to preserve "the contents provided in the report," a phrase courts and agencies interpret to encompass the actual files or messages identified in the report as well as comingled content referenced in the statute — meaning related communications, metadata, and subscriber or account information that can be crucial to investigations ^{[1] [2]}. The REPORT Act’s text and legislative summaries explicitly include such comingled content in the preservation mandate, and other explainer pieces repeat that platforms must preserve not just an alert but the underlying materials and associated identifiers that would help law enforcement trace origin, recipients, and timeline ^{[3] [6]}.

2. How long must preserved materials be kept: extension to one year plus voluntary retention

Under the amended language providers are required to preserve those materials for one year after the CyberTipline submission — an extension from the pre‑REPORT Act baseline of 90 days — and the law expressly allows providers to voluntarily retain content for longer than one year if they choose to further prevent or reduce online child sexual exploitation ^{[2] [4] [7]}. Multiple legislative and legal-text sources reconfirm that the one‑year term is the new statutory minimum and that voluntary longer retention is permitted and even encouraged for public‑safety reasons ^{[3] [8]}.

3. How the materials must be stored: NIST-aligned cybersecurity requirements

The REPORT Act goes beyond a bare retention clock by requiring, within one year of enactment, that providers preserve CyberTipline materials "in a manner that is consistent with the most recent version of the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST)," signaling congressional intent to bind preservation practices to recognized security controls rather than ad hoc storage ^{[3] [9]}. Industry and civil‑society explainers note this aims to reduce risks from long‑term storage of sensitive images and metadata, although implementation detail and compliance costs are left to providers ^{[3] [8]}.

4. Why Congress changed the rule: investigative delay versus operational burden

Sponsors justified the move by pointing to investigative timelines — NCMEC processing and law‑enforcement follow‑up often outlasted the 90‑day window, so a one‑year preservation period was framed as necessary to hold predators accountable and to bridge operational delays between private reporting and public investigations ^{[5] [4]}. Opposing or cautionary views, reflected in policy analyses and regulatory-cost discussions, flag that longer retention increases industry costs, data‑security responsibilities, and potential privacy surface area, making storage and compliance a nontrivial burden for providers ^{[10] [6]}.

5. Practical contours and legal protections: voluntary retention, immunity, and limits

Beyond preservation length and storage standards, the REPORT Act clarifies related liability and reporting obligations: it provides certain immunities for minors or their representatives who report CSAM to the CyberTipline and modernizes reporting duties to include additional offenses, while not preventing providers from keeping data longer to aid prevention ^{[2] [7] [6]}. Reporting and preservation under the statute is thus both a legal duty and a conduit for law enforcement, but the statute leaves open operational questions — such as how providers should segregate preserved material, notify users, or coordinate with NCMEC — that are to be resolved in practice by firms and regulators ^{[3] [8]}.