The Digital Harm Project

Reference

Laws & policy tracker

The current state of the law on CSAM, online child exploitation, and intimate-image abuse — with the one distinction most coverage gets wrong made explicit: which of these are enacted law and which are merely proposed bills.

United States — enacted law

These are in force now. The most common public confusion in this area is treating proposed bills (below) as if they were law — these are the ones that actually are.

  • In force · US federal

    18 U.S.C. § 2258A — ESP reporting duty

    Long-standing law

    Requires US electronic service providers that obtain actual knowledge of apparent CSAM to report it to NCMEC's CyberTipline. Failure-to-report penalties can reach $1M for larger providers. The backbone of US platform obligations.

    Primary source ↗
  • Enacted · US federal

    REPORT Act

    Signed May 7, 2024

    Expands mandatory reporting to cover child sex trafficking and online enticement (not just CSAM), lengthens how long providers must preserve evidence, and raises failure-to-report penalties. Part of why 2024's enticement report numbers rose.

    Primary source ↗
  • Enacted · US federal

    TAKE IT DOWN Act

    Signed May 19, 2025; platform compliance deadline ~May 2026

    Criminalizes publishing non-consensual intimate images — including AI deepfakes — and requires covered platforms to remove a reported image within 48 hours of a valid request, enforced by the FTC. The first federal removal right of its kind. (Distinct from NCMEC's separate 'Take It Down' hashing tool.)

    Primary source ↗
  • In force · US federal

    18 U.S.C. § 2255 — 'Masha's Law' (civil remedy)

    Amended by the AVAA, 2018

    Lets CSAM survivors sue for civil damages with a statutory minimum of $150,000 per defendant. Paired with Paroline v. United States (2014) on restitution and the DOJ Child Pornography Victims Reserve (~$35,000 one-time defined monetary assistance). See the takedown guide for how to pursue these.

    Primary source ↗

United States — proposed (NOT law)

These are bills that have been introduced and debated but have not been enacted. They are frequently cited as if they were already law — they are not.

  • Proposed — not law · US federal

    EARN IT Act

    Introduced across multiple Congresses; never enacted

    Would narrow Section 230 immunity in relation to CSAM and create a national commission on best practices. Controversial for its potential effect on end-to-end encryption. Despite years of coverage, it has never become law.

    Primary source ↗

International

The other major regimes a global platform must track. Statuses differ sharply — some fully in force, some still in negotiation.

  • In force · European Union

    EU Digital Services Act (DSA)

    Fully applicable since Feb 17, 2024

    Horizontal platform-governance regime: notice-and-action on illegal content (including CSAM), risk assessments and audits for very large platforms, transparency duties. Penalties up to 6% of global annual turnover.

    Primary source ↗
  • Proposed — not law · European Union

    EU CSA Regulation ('Chat Control')

    In trilogue negotiation; not final

    Would create CSAM detection/removal obligations and, in contested drafts, detection orders that critics argue amount to client-side scanning of private messages — the core of the encryption debate. Not yet law; the scope keeps changing.

    Primary source ↗
  • Phasing in · United Kingdom

    UK Online Safety Act 2023

    Enacted 2023; Ofcom duties phasing in, child-safety duties live from Jul 2025

    Duties of care for user-to-user and search services, with strong child-protection requirements, age assurance, and codes of practice enforced by Ofcom. Penalties up to 10% of global turnover or £18M, with senior-manager liability.

    Primary source ↗
  • Phasing in · Australia

    Australia Online Safety Act + under-16 social-media rule

    OSA in force; under-16 restriction enforcement from Dec 10, 2025

    Empowers the eSafety Commissioner with removal powers and mandatory industry codes/standards; civil penalties; plus the world-first restriction on under-16 social-media accounts. Penalties up to AUD 49.5M.

    Primary source ↗

This is a plain-language summary for orientation, not legal advice; follow the primary-source link for the authoritative text, and consult counsel for your situation. Compliance teams and platforms: see For Compliance Teams and For Tech CEOs for the operational detail. Related: CSAM by the numbers.

Last reviewed May 2026. Statutes change; verify status against the primary source before relying on it.