The Cooper Davis and Devin Norring Act adds a new Section 521 to the Controlled Substances Act that requires electronic communication service providers and remote computing services to submit reports to the Attorney General when they obtain actual knowledge — or, optionally, a reasonable belief — that activity on their service involves fentanyl, methamphetamine, counterfeit substances (including counterfeit prescription drugs), or unauthorized sale of prescription pain or stimulant medication. Reports must be made no later than 60 days after discovery and must include provider contact information and identifiable account or transmission data; providers may optionally include content and complete communications.
The bill layers operational and legal requirements onto online providers: a 60‑day reporting deadline, a 90‑day preservation treatment for reported materials with limits on extensions, criminal and civil penalties for knowing noncompliance or falsification, express privacy carve-outs (it does not require blanket monitoring or decrypting), and an annual public report by the Attorney General detailing volume and outcomes of reports. Broadband and text‑messaging providers acting in those specific capacities are exempt; law enforcement officers are barred from submitting or instigating reports through providers.
At a Glance
What It Does
It creates a statutory duty for electronic communication service and remote computing providers to notify the Attorney General within 60 days after gaining actual knowledge (or voluntarily on reasonable belief) of conduct involving fentanyl, methamphetamine, counterfeit drugs, or illegal prescription sales; reports must include provider contact details and account identifiers and may include content at the provider’s discretion.
Who It Affects
Large and small providers that operate electronic mail, hosted accounts, message platforms, or cloud services (as defined under 18 U.S.C. §§2510, 2711), excluding providers acting only as broadband internet access or text messaging carriers. Compliance, legal, safety, and trust & safety teams will be the primary organizational owners of the obligations.
Why It Matters
The bill forces a formal bridge between platform signals and federal drug enforcement, creating predictable reporting mechanics, explicit preservation rules, and enforceable penalties. That changes how platforms balance content moderation, data retention, and cooperation with investigators.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill inserts a new Section 521 into the Controlled Substances Act and defines the class of covered entities using existing statutory terms for electronic communication services and remote computing services. It targets three kinds of illicit activity on covered services: trafficking or manufacture of fentanyl and methamphetamine, distribution or manufacture of counterfeit substances (including pills purporting to be prescription drugs), and unauthorized sales of prescription pain medications or stimulants (including impersonation of medical practitioners).
When a provider obtains actual knowledge of such activity — or, voluntarily, has a reasonable belief — the provider must file a report with the Attorney General no later than 60 days after discovery.
Each report must include provider contact information and, to the extent reasonably available, account and transmission identifiers (names, usernames, IP addresses, URLs, and similar metadata). Providers may, at their discretion, attach historical metadata, location indicators, and even the substantive content, including complete communications and attachments.
Reports must also indicate whether the facts were uncovered by human moderation or by automated means; that distinction feeds into the Attorney General’s annual public report.On receipt, the Attorney General will preliminarily review reports and either open further investigation (and share with other agencies if warranted) or close the matter. The Attorney General must adopt data-minimization practices: retain report contents only as long as necessary for investigations and delete material once it lacks evidentiary value.
Submission of a report is treated as a request to preserve relevant content for 90 days; the bill limits extensions under the Stored Communications Act unless the Attorney General has an active or pending investigation. Providers may not notify users of a preservation request until at least 45 business days pass after the provider notifies the Attorney General of its intent to notify.Failure to comply carries enforceable consequences.
The bill makes knowing failure to submit a required report a criminal offense with fines up to $190,000 for a first violation and $380,000 for subsequent violations; knowingly submitting materially false reports or omitting reasonably available identifying information exposes a provider to civil penalties between $50,000 and $100,000. The bill also prohibits law enforcement officers from directly submitting reports or arranging third parties to do so, and it bars admission of evidence derived from reports that result from prohibited law-enforcement submissions.
Finally, it exempts providers of broadband internet access service and text-messaging service acting solely in those roles and amends the Stored Communications Act to allow disclosure to the Attorney General in connection with these reports. The Attorney General must publish an annual report disaggregating report volume, investigation outcomes, and method of discovery (human vs. automated).
The Five Things You Need to Know
A provider must submit a report to the Attorney General no later than 60 days after obtaining actual knowledge of covered drug activity; the provider may also report on a reasonable belief basis.
Submission of a report triggers a 90‑day preservation treatment for the reported contents and reasonably accessible contextual data; the Attorney General cannot extend preservation under the SCA beyond that period unless there is an active or pending investigation.
Reports must identify accounts and transmission metadata (names, emails, IP addresses, URLs, screen names) and may — at the provider’s sole discretion — include complete communications, attachments, photos, or video.
Criminal fines apply for knowingly failing to report (up to $190,000 for a first violation and $380,000 for subsequent violations), and civil penalties from $50,000 to $100,000 apply for knowingly false or materially incomplete reports.
Federal, state, local, or tribal law‑enforcement officers are expressly barred from submitting reports or arranging others to submit reports, and evidence derived from prohibited submissions is inadmissible.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions and scope of covered providers
This subsection imports statutory definitions for electronic communication service and remote computing service from Title 18 and the CAN‑SPAM and Internet Tax Freedom Act for related terms. It also defines ‘provider’ and ‘website’ for the new duty. The practical effect is to tie coverage to well‑established statutory categories (mail, hosted accounts, cloud computation), not to ad hoc platform descriptions, which matters for interpreting which corporate units or services must comply.
Duty to report covered controlled‑substance activity
Providers must report when they obtain actual knowledge of crimes involving fentanyl, methamphetamine, counterfeit substances, or unauthorized prescription sales; they may also report on a reasonable belief. The bill sets a substantive and temporal threshold: file as soon as reasonably possible and in any event within 60 days. This creates a predictable reporting window but leaves the discovery threshold (actual knowledge vs. reasonable belief) operative — both an obligation and an optional safe channel for earlier reporting.
Required and optional contents of a report
Reports must include provider contact details and, to the extent available, account and transmission identifiers (name, email, user ID, IP address, URL, screen names). Providers may optionally include timestamps, geographic indicators (including whether a VPN was used), any data (symbols, photos, video), and even the complete communication and attachments. The bill therefore authorizes sharing of extensive metadata and, if the provider chooses, potentially highly sensitive content — but the choice to include content remains with the provider.
Attorney General review, investigations, and data‑minimization duties
The Attorney General must conduct a preliminary review and then either pursue further investigation (including sharing with other federal, state, or local agencies) or close the report. The AG is required to take reasonable measures to limit storage of reports to what is necessary for investigation and to delete materials when no longer needed unless they have future evidentiary value. The AG may also designate other federal agencies to process reports, creating an administrative workflow that platforms will need to understand.
Penalties, privacy protections, and explicit non‑monitoring limits
The bill criminalizes knowing failure to submit required reports and sets tiered fines; it also creates civil liability for knowingly false reports or omission of reasonably available identifying information. At the same time, the statute expressly says it does not require providers to monitor communications, to break encryption, or to affirmatively scan — and it disallows proving actual knowledge solely because a provider declined to investigate further unless it deliberately blinded itself.
Preservation rules, notice limits, and annual reporting
A submitted report functions as a 90‑day preservation request for the reported contents and reasonably accessible contextual data; the Attorney General may only seek SCA extensions beyond that 90 days if it has an active or pending investigation. Providers may not notify affected users about preservation requests unless they informed the AG of their intent to notify and 45 business days have elapsed. The AG must publish an annual report with disaggregated counts of reports, outcomes (convictions), number lacking actionable information, the discovery method (human or automated), and preservation‑extension requests.
Prohibition on law‑enforcement submissions, exemptions, and conforming SCA changes
The bill bars federal, state, tribal, and local officers from submitting reports directly or via intermediaries; evidence derived from such prohibited submissions is inadmissible. It exempts providers of broadband internet access service and text messaging service when acting solely in those capacities. The bill also amends 18 U.S.C. §2702 to allow providers to disclose contents to the Attorney General in connection with these reports and adjusts a clause about inadvertently obtained communications.
This bill is one of many.
Codify tracks hundreds of bills on Criminal Justice across all five countries.
Explore Criminal Justice in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal drug‑enforcement agencies (DOJ, DEA, FBI): Receive standardized, centralized reporting streams and statutory access to account and contextual data, improving lead quality and potentially accelerating investigations.
- State and local law enforcement: Gain a clearer pathway to access provider information via the Attorney General’s review and interagency sharing, which can support prosecutions of local distributors or counterfeit‑drug rings.
- Public‑health and emergency‑response entities: Indirect benefit from faster disruption of fentanyl and meth distribution networks, potentially reducing overdoses tied to counterfeit pills.
- Pharmacies and regulated healthcare providers: Improved detection of fraudulent sales and impersonation schemes that target prescription drugs, helping protect supply chains and patient safety.
Who Bears the Cost
- Electronic communication and remote computing providers: Must build or expand workflows to detect reportable signals, assemble account metadata, manage a 60‑day reporting cadence, and handle preservation obligations — an operational and compliance cost.
- Smaller platforms and niche hosting providers: Face disproportionate administrative burden and financial risk from penalties if they lack dedicated compliance teams or automated reporting tooling.
- Attorney General’s office and designated federal agencies: Must process, triage, and store high volumes of incoming reports, enforce data‑minimization, and produce the statutory annual report — a resource and staffing burden.
- Users and privacy advocates: Risk increased data disclosures to law enforcement when providers choose to include content or full communications; metadata sharing could expose user connections and locations.
Key Issues
The Core Tension
The central dilemma is practical and normative: the government needs fast, accurate signals from platforms to disrupt deadly fentanyl and meth supply chains, but imposing enforceable reporting and preservation duties risks pushing providers toward broader data collection, longer retention, and more disclosures — precisely the harms the bill says it does not require. The statute tries to thread the needle by prohibiting mandated monitoring and limiting preservation windows, but implementation will force providers to choose between conservative over‑retention and the legal risk of under‑reporting.
The bill blends permissive choices (providers may include content; may report on reasonable belief) with hard obligations (60‑day deadline; criminal fines for knowing failures), creating implementation friction. Providers that want to avoid penalties may over‑report or preserve broad swaths of data to stay on the safe side, which would increase privacy and storage demands even though the statute expressly says it does not require monitoring.
That tension will drive conservative operational choices: more preservation and more handoffs to law enforcement, or increased investment in human review to reduce false positives.
Operationally, the preservation rules are awkwardly coupled to the Stored Communications Act: a report automatically triggers a 90‑day preservation expectation, but the Attorney General’s ability to extend preservation under section 2703(f) is limited unless an active or pending investigation exists. This reduces indefinite data retention risk but creates tight timelines for investigators to open and justify follow‑on actions.
The prohibition on direct law‑enforcement submissions closes one route for obtaining provider assistance but could be skirted if informal human reviewers or third parties relay information to providers; the statute’s remedy — excluding derived evidence — will create litigation fights over what constitutes an impermissible law‑enforcement‑instigated report.
Finally, the bill frames automated discovery (algorithms, machine learning) as an acceptable source but requires reports to identify whether content was discovered by human moderators or non‑human methods; that creates a new compliance taxonomy platforms must capture. At scale, distinguishing discovery modality and controlling downstream evidentiary chain will be nontrivial and costly, and the line between permissible volunteer reporting and constitutionally problematic compelled surveillance will invite legal challenges.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.