The PROTECT Our Children Act, introduced by Sen. Biden (D-DE), was signed into law by the President on October 13, 2008. The Act modifies the federal criminal code to extend new reporting requirements to providers of “electronic communication services” or “remote computing services” (“Providers”) with “actual knowledge” of incidents involving child pornography.1 Providers would be required to report such incidents to the National Center for Missing and Exploited Children (“NCMEC”) and CyberTipline. By amending the criminal code, the Act subjects Providers to the types of reporting and data retention obligations imposed on Internet service providers. While the Act requires a Provider to make a report when it obtains “actual knowledge,” the Act expressly indicates that it would not require Providers to monitor their users, subscribers, or customers; monitor the content of any communication of any person; or affirmatively seek facts or circumstances related to a reportable incident. 2

Below is a summary of the Act’s reporting and retention requirements and the enforcement and limited liability provisions.

I. Reporting Requirements – Sec. 2258A(b)(1-5)

The Act requires Providers to report to NCMEC certain information related to apparent child pornography, the individual involved, and the circumstances surrounding the images. Set forth below is the specific information that is required to be included in a report to NCMEC:

  • Information about the Involved Individual—identity of any individual who appears to have violated the law (i.e. email address, IP address, URL, or any other identifying information, including self-reported identifying information).
  • Historical Reference—information related to when and how the individual uploaded, transmitted, or received the material or how the provider obtained “actual knowledge” of the apparent child pornography (i.e. reported to, or discovered by the provider). Information should include a date and time stamp and time zone.
  • Geographic Location Information—information relating to the geographic location of the involved individual or website (e.g. IP address, verified billing address, or at least one form of geographic identifying information, including area code or zip code, and any self-reported geographic identifying information).
  • Images of Apparent Child Pornography—any image of the apparent child pornography that is the subject of the report.
  • Complete Communication for the Image—the image should be accompanied by any data or information regarding the transmission of the communication and any images, data, or other digital files in, or attached to, the communication.

II. Retention Requirements – Sec. 2258A(h)(1-5)

A Provider is required to preserve the contents of the report for 90 days from the date it receives notification by the CyberTipline of receipt of the report. The Act requires Providers to preserve any images, data, or other digital files commingled or dispersed among the images of apparent child pornography within a particular communication or user-created folder or directory. The Act also requires Providers to preserve material in a secure location and to limit access to the material.

III. Enforcement & Limited Liability – Sec. 2258A(e) and Sec. 2258B

Any Provider that knowingly and willfully fails to make a report to NCMEC could be fined up to $150,000. For any subsequent failure to report, the Provider could be fined up to $300,000.

The Act specifically exempts electronic communications service providers, remote computer service providers, and domain name registrars from civil claims or criminal charges arising from the performance of the reporting requirements under the Act, provided such entities do not engage in intentional misconduct or reckless behavior. The Act also requires such entities to minimize the number of employees having access to any image depicting child pornography and to permanently destroy such images upon notification from law enforcement.