Cooper Davis and Devin Norring Act
The Cooper Davis and Devin Norring Act would amend the Controlled Substances Act to require electronic communication service providers (like email, messaging, and other online platforms) and remote computing services (such as cloud hosting) to report certain drug-related crimes to the Attorney General. When they obtain knowledge of activities involving fentanyl, methamphetamine, counterfeit drugs, or unauthorized or misrepresented prescription medications, these providers must report within 60 days, sharing identifying details about the account and the crime, and noting whether the information was found via human review or automated tools. The bill adds data-minimization and privacy protections, limits how disclosed information can be used, imposes penalties for noncompliance or false reporting, and requires annual AG reporting on these reports and investigations. It also creates a mechanism to preserve relevant data for a limited period and explicitly prohibits law enforcement from submitting reports on behalf of officers. Certain broadband and text-messaging providers are exempt, and the bill amends related stored-communications laws to facilitate these reports. In short, the bill creates a new, mandatory reporting channel from online service providers to the federal government for specific controlled-substance violations, with guardrails around privacy, data handling, and enforcement, and with regular public reporting on the program’s activity.
Key Points
- 1Mandatory reporting by providers: Electronic communication service providers and remote computing services must report certain drug-crime facts to the Attorney General within 60 days of knowledge, including provider contact details and whether discovery was human or automated.
- 2Scope of reportable crimes: Crimes involving fentanyl or methamphetamine; counterfeit substances (including fake prescription drugs); and unauthorized or misrepresented prescription pain medications or stimulants by unapproved individuals or entities.
- 3Content and data in reports: Reports may include account info (name, address, email, IP, etc.) and, at the provider’s discretion, other details such as time stamps, geographic info, data about the content or activity, and the complete communications or attached files.
- 4Handling and follow-up: The Attorney General conducts a preliminary review and may forward the report to other agencies or close it if no further action is warranted.
- 5Privacy protections and encryption: The bill limits monitoring obligations, does not require decryption of encrypted communications, and requires data minimization and secure handling of preserved materials.
- 6Penalties for noncompliance: Criminal penalties for knowingly failing to report (up to $190,000 for a first violation; up to $380,000 for subsequent violations) and civil penalties for knowingly submitting false or incomplete reports ($50,000 to $100,000).
- 7Annual reporting: The Attorney General must publish annual data on the number and type of reports, dispositions, actionability, discovery methods (human vs. automated), and interagency sharing.
- 8Prohibition on law enforcement reporting: Federal, tribal, state, or local law enforcement officers cannot submit reports on behalf of themselves or others through providers; contents obtained through prohibited submissions cannot be used in court.
- 9Exemptions and amendments: Broadband internet access service providers and text messaging service providers are exempt from these reporting requirements. The bill also adds Sec. 521 to the CSA and makes conforming amendments to the Stored Communications Act (18 U.S.C. 2702).