The Cooper Davis and Devin Norring Act mandates that electronic communication and remote computing service providers report actual or reasonable knowledge of illegal activity involving fentanyl, methamphetamine, or counterfeit prescription drugs to the Attorney General, with penalties for non-compliance.
Roger Marshall
Senator
KS
The Cooper Davis and Devin Norring Act mandates that electronic communication and remote computing service providers must report confirmed or reasonably suspected illegal activity involving fentanyl, methamphetamine, or counterfeit prescription drugs to the Attorney General. Providers must submit identifying account information, though they are not required to actively monitor content or break encryption. The law establishes penalties for non-compliance and requires the Attorney General to issue an annual public report on the enforcement of these provisions.
New Act Forces Social Media, Email Providers to Report Fentanyl, Meth Activity Within 60 Days
The Cooper Davis and Devin Norring Act creates a mandatory new reporting system that pulls online service providers—like social media platforms, email services, and cloud storage companies—directly into the fight against illegal drug trafficking. Essentially, if these companies gain “actual knowledge” that someone is using their service to create, sell, distribute, or possess fentanyl, methamphetamine, or counterfeit prescription drugs, they must report it to the Attorney General (AG) within 60 days.
This isn't about asking nicely; it's about compliance. The bill defines "actual knowledge" as the trigger, but providers also have the option to report based on a "reasonable belief." If they knowingly fail to report, they face fines up to $190,000 for a first offense, escalating to $380,000 for repeat offenses. This puts tech companies in a tough spot: they must now dedicate resources to determining when they have crossed the threshold of 'actual knowledge' concerning illegal drug activity, or risk massive penalties.
Who’s Watching the Chat? (And What They Must Share)
When a provider submits a report, the bill requires them to hand over identifying information about the user account involved. Think names, email addresses, account IDs, and IP addresses. This is the crucial part for users: while the law explicitly doesn't require providers to turn over the actual content of private messages (like the text of an email or DM), the mandatory sharing of your identifying data removes a significant layer of anonymity the minute your account is flagged.
It’s a fine line the bill walks. On one hand, it tries to protect privacy by stating providers aren't required to actively monitor users, scan content, or break end-to-end encryption. On the other hand, the moment a provider confirms illegal drug activity is happening—perhaps via a user report or automated detection—they are legally compelled to drop your identifying data into the AG's lap. For the average person, this means if you use a non-exempt service, any online activity related to these specific drugs could lead to your personal information being shared with federal law enforcement without a warrant.
The Compliance Catch-22 for Tech
This legislation exempts basic broadband internet access and standard text messaging services, but it hits remote computing services and electronic communication providers squarely. For these companies, the new rules create a significant compliance headache. They must establish internal systems to track and report this specific illegal activity and ensure they aren't accidentally or intentionally submitting false reports, which carries its own civil penalty of up to $100,000.
Because the trigger is “actual knowledge,” companies may feel pressure to err on the side of caution and over-report based on less-than-certain evidence to avoid the huge fines. This could lead to more user data being handed over to the government based on internal corporate judgment rather than a judicial warrant. The law does include a check: law enforcement officers are banned from soliciting a report from a provider, and evidence gathered from an improperly solicited report cannot be used in court. However, the initial transfer of identifying data is mandatory once the provider determines the threshold has been met.
Transparency and Data Shelf Life
To keep things transparent, the AG must publish an annual report detailing how many of these reports were received, how the information was discovered (human review vs. algorithm), and how many reports actually led to convictions. This is a solid check that will allow the public to gauge the system's effectiveness and whether it’s being overused.
Furthermore, the bill addresses data retention. When a report is submitted, the provider must preserve the data for 90 days. The AG can only extend this preservation period if there is an active, ongoing investigation. This provision is designed to ensure that data related to closed cases doesn't just sit around in government databases indefinitely, which is a necessary protection when dealing with mandatory data sharing.