opinion

Business Models Can Trigger Regulatory Compliance

Adult website operators are typically familiar with the obligations imposed by Title 18 U.S.C. § 2257 (Section 2257) which mandates the compilation and maintenance of certain records relating to the production of sexually explicit content.

Less well known, but equally if not more important, are the reporting obligations imposed on certain website operators under 18 U.S.C. § 2258A. This federal statute requires “electronic communication service providers” such as hosts, forums, dating sites, tube sites, and advertising networks, to report any apparent violations of child exploitation laws, to the CyberTipline — https://www.missingkids.org/cybertipline — operated by the National Center for Missing and Exploited Children (NCMEC).

Affected website operators are encouraged to educate themselves regarding the details of these requirements to avoid inadvertent violations and to foster a cooperative relationship with agencies investigating instances of child exploitation.

The following is a summary of those reporting obligations.

What Violations Must Be Reported?

Qualifying service providers must report “apparent” violations of federal laws relating to child exploitation or child pornography. No specific definition of what constitutes an apparent violation is included in the statute. However, as discussed below, there are benefits to erring on the side of submitting a report in questionable cases.

When Must the Report Be Made?

The report to the CyberTipline must be made as soon as reasonably possible after the website operator obtains actual knowledge of any facts or circumstances that a violation of the relevant laws has occurred in connection with the operation of the site or online service. While no specific time frame is included in the law, the statute contemplates prompt reporting of suspected violations.

What Must the Report Contain?

There are two types of reports that can be submitted: a public report, or a secure, private report by a registered service provider. The registration process requires that certain information about the service provider be voluntarily submitted. The secure report permits uploading of images, and provides a receipt confirming the submission. Service providers are encouraged by NCMEC to register and submit secure reports by submitting an email to its coordinator at espteam@ncmec.org.

The report must include certain categories of information:

  • Identifying information about the individual responsible for posting or transmitting the images, such as IP address, or email address (including any self-reported information submitted by the user).
  • Historical information about when and how the user posted the illegal content.
  • A description of how the violation was discovered by, or reported to, the service provider.
  • Geographic location information relating to the responsible user such as billing address, IP address or ZIP Code.
  • The suspected images themselves. Note, all “associated images” must be preserved by the service provider as well.
  • The complete communication relating to the suspected images, including any data, digital file or other information relating to the transmission of information.

What Other Obligations Apply?

In addition to reporting suspected violations, the service provider must preserve the NCMEC report for a period of 90 days, plus an additional 90 days if requested by NCMEC. The full contents of the NCMEC report must be preserved, along with any other images that are “comingled” or “interspersed” with the suspected images. Read broadly, this could include all images that appear on a given web page, or which are uploaded by a particular user into the user’s folder or directory. The website operator must also take steps to keep the preserved material in a secure location, and limit access to the material by its agents or employees. Finally, operators must permanently destroy any reported images upon the request of law enforcement.

Importantly, the statute does not impose an obligation to monitor any user or the content of any user. Moreover, there is no obligation to affirmatively seek out potential violations of the applicable laws. In other words, service providers are not required to become child exploitation investigators.

Why Should the Report Be Filed?

Affected website operators might ask themselves why they should get involved in submitting reports to law enforcement, relating to their users’ activities. The most obvious answer is because the law requires such involvement. Failure to report suspected violations is a criminal offense which can result in the imposition of substantial fines. Moreover, federal law provides a form of immunity from civil or criminal prosecution for the service provider, in connection with the submission of any reports to the CyberTipline. See, 18 U.S.C. §2258B(a). However, this legal protection can be lost if the service provider engages in any intentional misconduct, or if it acts (or fails to act) with actual malice, or reckless disregard for injury to others. §2258B(b).

Conclusion

Certain popular online business models trigger compliance obligations with a wide variety of federal statutes and regulations. Among them are the statutes imposing reporting obligations to the CyberTipline. Affected website operators are encouraged to educate themselves regarding the details of these requirements to avoid inadvertent violations and to foster a cooperative relationship with agencies investigating instances of child exploitation.

Lawrence G. Walters, Esq., heads up Walters Law Group and has represented website operators for over 25 years. Nothing contained in the foregoing article is intended as legal advice. Please consult individual legal counsel with any questions or concerns.

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
opinion

The Need for Minimal Friction in Age Verification Technology

In the adult sector, robust age assurance, comprised of age verification and age estimation methods, is critical to ensuring legal compliance with ever-evolving regulations, safeguarding minors from inappropriate content and protecting the privacy of adults wishing to view adult content.

Gavin Worrall ·
Show More