Sponsors (9)
The bill strengthens law enforcement's ability to store, secure, and retain child sexual abuse evidence through vetted U.S.-based vendors and oversight, but it does so by granting broad vendor liability protections, imposing domestic-storage and retention costs, and increasing federal visibility—trading greater investigative capacity and data security for higher costs and reduced legal remedies and privacy concerns.
Law-enforcement agencies will have clearer legal authority to use vetted vendors to store and analyze child sexual abuse material, improving investigative capacity and ability to pursue perpetrators.
Law-enforcement and state/local governments will retain evidence and keep it under U.S. legal control because vendors must store material in the U.S. and meet mandated retention periods, preserving material for prosecution and appeals.
Law-enforcement, state, and local agencies will benefit from stronger data security because approved vendors must follow NIST cybersecurity standards and undergo annual audits, reducing the risk of breaches of sensitive evidence.
Victims and third parties will have reduced ability to obtain remedies because vendors are broadly shielded from civil and criminal liability for routine performance and accountability may be harder to enforce.
Taxpayers and state/local governments may face higher costs and less vendor choice because the requirement that storage and analytics remain in the U.S. can raise prices and limit competition.
Privacy advocates and the public will face increased federal visibility into which vendors and contracts handle sensitive material because of the DOJ notification requirement, raising civil‑liberties concerns.
Based on analysis of 2 sections of legislative text.
Introduced October 21, 2025 by Marsha Blackburn · Last progress October 21, 2025
Creates a federal "approved vendor" pathway that lets U.S.-based cloud storage and analytics providers store and process child sexual abuse material (CSAM) on behalf of U.S. law enforcement or prosecutors with limited civil and criminal liability, provided they follow strict cybersecurity, evidence-retention, and notification rules. Approved vendors must meet defined technical safeguards (including encryption and independent audits), keep data and analysis inside the United States, and notify the Department of Justice (or state attorney general for state/local contracts) about qualifying contracts and certain contract failures. The measure limits vendor liability for actions taken while performing contract duties for law enforcement, but preserves accountability for intentional, reckless, negligent, or non-law-enforcement-related misconduct. It also requires law enforcement/prosecutors using such cloud storage to retain evidence according to federal FBI CJIS policy or, if none, for at least applicable statute-of-limitations/sentence durations.