This bill adds a new section to the Controlled Substances Act that compels certain online service providers to notify the Attorney General when they obtain actual knowledge or reasonably believe that activity on their services involves unlawful manufacture, distribution, or dispensing of some controlled substances. The provision creates an incoming pipeline of account identifiers, metadata, and — at providers’ discretion — content to assist federal investigation.
The measure bundles procedural rules for the Department of Justice (preliminary review, referrals, data-minimization duties), a 90-day automatic preservation mechanism, criminal and civil penalties for knowing failures or false reports, and a carve-out for providers acting solely as broadband internet or text-message carriers. For compliance officers and platform safety teams, the bill imposes new operational, legal, and privacy trade-offs around detection, retention, and disclosure of user data.
At a Glance
What It Does
The bill requires specified electronic-communication and remote-computing providers to submit reports to the Attorney General when they learn of facts suggesting certain controlled-substance crimes. It directs the Attorney General to review, investigate, or close reports and to publish an annual summary of reports and outcomes.
Who It Affects
The obligation targets entities defined as electronic communication service providers or remote computing services under Title 18 — essentially online services that host or transmit user communications or store user content — while excluding providers when functioning solely as broadband internet access or text messaging carriers. DOJ and federal, state, and local law enforcement are recipients and processors of the reports.
Why It Matters
The bill creates a formalized, statutory channel for digital evidence to flow from private platforms to federal prosecutors, changing incentives for moderation and data handling. It also imposes retention and disclosure responsibilities that intersect with existing privacy law and the Stored Communications Act.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill adds Section 521 to the Controlled Substances Act and defines its scope by importing familiar terms from Title 18 and other statutes (electronic communication service, remote computing service, email address, Internet). It targets provider-observed or provider-reasonably-believed activity involving fentanyl, methamphetamine, counterfeit substances (including counterfeit prescriptions), and unauthorized sale or distribution of actual or purported prescription pain or stimulant medication.
When a provider obtains actual knowledge — or, optionally, has a reasonable belief — that such activity is occurring, the provider must submit a report to the Attorney General "as soon as reasonably possible" and no later than 60 days after obtaining that knowledge. The required report must include provider contact details and, to the extent within the provider’s custody or control, account identifiers and other metadata (names, emails, IPs, URLs, screen names).
At the provider’s discretion the report may include fuller materials: timestamps and upload/transmission history, geographic information (IP or user‑provided ZIP/area code and VPN indication), data items such as photos or messages, and even the complete communication or attached digital files.Receipt of a report triggers a DOJ preliminary review. If DOJ judges the report contains sufficient information, it may investigate further and share it with other federal, state, or local agencies; otherwise, DOJ may close the matter.
The Attorney General must take reasonable measures to limit storage of report contents to what is necessary for the investigation and delete material once it is no longer needed, except where there is future evidentiary value. The bill also directs DOJ to publish an annual public report counting submissions, their sources by provider, conviction outcomes, non‑actionable reports, how reports were discovered (human moderation vs non‑human methods), and preservation‑extension requests made under the Stored Communications Act.On preservation, the bill treats a provider’s completed submission as a request to preserve the reported contents and reasonably related data for 90 days.
The Attorney General cannot use 2703(f) of Title 18 to extend that preservation period unless there is an active or pending investigation of the account at issue; other agencies may still make extension requests. Providers may not notify users of the preservation request unless they notify DOJ of their intent to do so and then wait 45 business days.
The statute clarifies providers are not required to monitor or affirmatively scan content, are not required to decrypt end‑to‑end encrypted communications, and cannot be deemed to have actual knowledge solely because they declined further verification — provided they are not deliberately blind.Sanctions are twofold: a criminal prohibition that makes a knowing failure to submit a required report unlawful (with graduated fines set in the text), and a civil penalty for knowingly false or materially incomplete reports. The bill also amends the Stored Communications Act to permit providers to disclose to the Attorney General information in connection with these reports, and it bars federal, tribal, state, or local officers from submitting or arranging user‑style reports to providers (evidence derived from such prohibited submissions would be excluded).
The Five Things You Need to Know
The bill requires providers to file a report to the Attorney General no later than 60 days after they obtain actual knowledge of covered criminal activity; providers may also report on a reasonable‑belief standard at their discretion.
Reports must include provider contact information and, to the extent available, account identifiers and metadata; providers may also include full communications, timestamps, geolocation indicators, and media files at their discretion.
A completed report functions as a preservation request: providers must preserve the reported contents and reasonably related accessible data for 90 days, and DOJ may not extend preservation under 18 U.S.C. 2703(f) beyond that period unless there is an active or pending investigation of the account.
The bill creates monetary penalties: criminal fines for knowing failures to report (statutory amounts set in the text) and civil penalties of $50,000–$100,000 for knowingly false or materially incomplete reports.
Broadband internet access providers and text messaging service providers are expressly exempt from the bill’s reporting, preservation, and disclosure duties when acting only in those capacities.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions that import existing statutory terms
The bill pulls definitions from Title 18 (electronic communication service, remote computing service), the CAN‑SPAM Act, and the Internet Tax Freedom Act, and adds a working definition of "website." By leaning on existing statutory language, the provision both narrows and clarifies which entities fall within scope — a key compliance point for counsel deciding whether a platform is an "electronic communication service" or only a carrier. The definition choices also determine what account and message data a provider might reasonably control.
Reporting trigger, timing, and required content
Subsection (b) creates the reporting duty when a provider obtains "actual knowledge" of enumerated crimes and permits reporting on a reasonable‑belief basis. The deadline is "as soon as reasonably possible" but with a hard 60‑day maximum. Subsection (c) specifies contents: required provider contact details and, to the extent within custody or control, account identifiers and other metadata; it also permits providers to include more intrusive materials — including complete communications and media — at their sole discretion. Practically, this forces providers to map what data they actually control and build a workflow to assemble and transmit reports within the statutory window.
DOJ processing, referrals, and data‑minimization duty
These provisions obligate the Attorney General to perform a preliminary review of each report and then either investigate and share it with other agencies or close it. The Attorney General may designate other federal agencies to receive reports. Critically, the statute sets out express data‑minimization duties: DOJ must limit storage of report contents to what is necessary for the investigation and delete materials when no longer needed unless they retain evidentiary value. That creates a legal expectation of active records management inside DOJ rather than indefinite retention of platform data handed to the government.
Penalties and limits on compelled monitoring or decryption
The bill establishes a criminal offense for knowingly failing to submit a required report and sets tiered fines for initial and subsequent violations; it separately authorizes civil penalties for knowingly false or materially incomplete reports. At the same time, subsection (g) protects providers from being read as requiring affirmative monitoring, scanning, or decryption; it also forbids proving "actual knowledge" solely from a provider's refusal to investigate, so long as the provider hasn't deliberately blinded itself. Practically, this is a balance: the statute compels reporting when a provider knows, but it resists converting the statute into a general surveillance or decryption mandate.
Preservation mechanics and user notification limits
A completed submission counts as a preservation request for 90 days for reasonably accessible data and related files. The Attorney General cannot extend that preservation via 2703(f) unless there's an active or pending investigation of the specific account; other agencies retain the ability to make their own 2703(f) requests. Providers may not notify users of the preservation request unless they inform DOJ of the intent to notify and then wait 45 business days. These mechanics create operational procedures for secure short‑term hold and a strict gate on early user notice.
Transparency reporting and prohibition on law‑enforcement masquerade
The Attorney General must publish an annual report that enumerates total reports, provider‑level counts, conviction outcomes, non‑actionable reports, whether reports were found via human moderation or automated methods, and preservation‑extension requests. Separately, the bill prohibits public‑safety officers from submitting or arranging user‑style reports to evade the statute; evidence derived from such prohibited submissions is excluded from government proceedings. Together these rules aim to provide accountability for the new pipeline while blocking an obvious circumvention.
SCA amendments to permit provider disclosures to DOJ
The bill amends 18 U.S.C. 2702 to add the Attorney General as an authorized recipient of contents disclosed by providers in connection with these reports. That change removes a statutory barrier that might otherwise have prevented providers from voluntarily including certain stored content in the report packet, and it aligns the SCA with the new reporting channel while preserving other SCA protections elsewhere in the code.
This bill is one of many.
Codify tracks hundreds of bills on Justice across all five countries.
Explore Justice in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal law enforcement (DOJ and designated agencies) — Gains a consistent, statutory intake stream of platform‑sourced account identifiers, metadata, and optional content tied to suspected fentanyl, meth, counterfeit, and illicit prescription activity, which can shorten investigative lead times and improve evidence collection.
- State and local prosecutors and police — Receives referrals and report materials from DOJ that can help identify cross‑jurisdictional trafficking and build cases that previously required time‑consuming legal process to obtain.
- Families and communities affected by opioid and meth markets — Potentially benefit from faster disruption of online networks that supply illicit drugs, as the pipeline is expressly aimed at reducing proliferation of dangerous substances.
- Platform compliance and trust & safety teams — Gains a statutory framework and a point of contact at DOJ for escalations, which can standardize interactions and expectations around data preservation and referral handling.
Who Bears the Cost
- Electronic communication and remote‑computing service providers (platforms) — Must build or adapt detection, legal, and operational workflows to identify reportable activity, assemble potentially large evidence packages, trigger 90‑day preservation holds, and respond to civil/criminal risk for noncompliance or false reporting.
- Small and mid‑sized platforms that qualify as covered providers — Face disproportionate burdens because the bill’s definitions can sweep up non‑consumer‑facing hosts and niche services with limited compliance resources and technical capacity to gather forensic metadata and securely preserve materials.
- Privacy and security teams — Must reconcile the bill’s preservation and optional content‑sharing mechanics with user privacy, encryption practices, and retention minimization obligations; secure handling and limited retention add ongoing operational expense.
- Department of Justice and designated federal agencies — Must absorb increased intake, perform preliminary reviews, manage preservation requests, and produce the mandated annual transparency report, adding investigative and records‑management workload.
Key Issues
The Core Tension
The central dilemma is speed versus restraint: the bill seeks rapid, standardized access to provider data to disrupt lethal drug flows, but that same access risks incentivizing bulk preservation and broad sharing of private communications, creating operational burdens for providers and privacy and constitutional concerns that are not fully resolved by the statute’s limited safeguards.
The bill creates several real implementation stress points. First, the statutory triggers ("actual knowledge" and an opt‑in "reasonable belief" route) are familiar but legally ambiguous; platforms and courts will likely litigate what constitutes sufficient knowledge and when a platform’s internal signals cross the line from suspicion to an obligation to report.
That ambiguity drives two opposing incentives: over‑reporting (to avoid criminal or civil exposure) and under‑reporting (to avoid operational cost or user backlash). Either outcome undermines the bill’s goals — floods DOJ with low‑value reports or leaves dangerous activity undetected.
Second, the preservation and optional content provisions create a tension between rapid law‑enforcement access and privacy/de minimis retention. Treating a provider submission as a 90‑day preservation request is operationally straightforward but risks accumulating large volumes of intimate user data on short holds; the rule that DOJ must delete when no longer necessary places the burden on the government to maintain secure, auditable deletion practices.
The bill’s carveouts (no forced monitoring or decryption, broadband/text messaging exemptions) mitigate some privacy risk, but providers may change product behavior — for example, by limiting or modifying user‑facing services to reduce the probability of reportable discoveries.
Finally, the statute interacts awkwardly with existing law. Amending the Stored Communications Act to permit disclosure to the Attorney General helps providers comply, but it also raises Fourth Amendment and SCA boundary questions about compelled preservation, prosecution use, and cross‑border data.
The prohibition on law‑enforcement‑posed user reports is necessary but may be imperfect in practice; agencies could pursue alternative routes (subpoenas, covert reporting through third parties) that sidestep the bar, shifting burdens back onto providers and courts. Collectively, these tensions mean effective implementation will require detailed DOJ guidance, technical standards for report format and transfer, and likely litigation over definitional edges.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.