Listen to this post

This summer, a proposed amendment to the Controlled Substances Act known as the Cooper Davis Act (the “act”) is making its way through congressional approvals and causing growing dissension between and among parents, consumer safety advocates, and anti-drug coalitions on one hand, and the DEA, privacy experts, and constitutional scholars on the other.

As currently written, the act will require certain social media, email and other electronic platforms and remote computing companies (the “services providers”) to report suspected violations of the Controlled Substances Act to the United States attorney general.

The act is named for Cooper Davis, a Kansas teen who died after ingesting half of a counterfeit prescription pain pill that he had allegedly purchased through SnapChat. Subsequent testing revealed that the pill contained a lethal dose of fentanyl. The act, introduced with bipartisan support, proposes to bolster the federal government’s ability to detect and prosecute illegal internet drug trafficking by holding social media, email and other internet companies accountable for the activity conducted on their platforms.

The act’s main function is to impose a reporting obligation on the electronic service providers with respect to activity occurring on their platforms, if and to the extent they have knowledge of the activity. The act applies to any service that provides users with the ability to send or receive wire or electronic communications, and/or computer storage or processing services (18 USC § 2258E). These definitions seem to sweep every internet-based company into the act’s purview. However, the impact of the act hinges not on who the act captures, but rather, what duty these companies have and how this duty will be exercised.

The act, as proposed, targets “the unlawful sale or distribution of fentanyl, methamphetamine, or the unlawful sale, distribution, or manufacture of a counterfeit controlled substance” by imposing reporting requirements on service providers.  A service provider must report unlawful sales when: (1) it obtains actual knowledge of any facts or circumstances of an unlawful sale as defined above; or (2) if a user of the service provider alleges an unlawful sale and the service provider, upon review, has reasonable belief the alleged facts or circumstances that constitute an unlawful sale exist. A service provider also may report unlawful circumstances: (1) after obtaining actual knowledge of any facts or circumstances that indicate that an unlawful activity may be imminent; or (2) if the service provider reasonably believes that any facts or circumstances of unlawful activity exist.

A service provider’s actual knowledge of the unlawful activities allows (and in some situations requires) the service provider to report information about the individual using the internet platform for unlawful purposes, including the individual’s geographic location, information relating to how and when the unlawful activity was discovered by the service provider, data relating to the violation, and the complete communication containing the intent to commit a violation of the act. There are penalties for a service provider’s failure to report: if a service provider that knowingly and willfully fails to make a report required, it will be fined no more than $190,000in the case of an initial knowing and willful failure to make a report, and no more than $380,000in the case of any second or subsequent knowing and willful failure to make a report.

In this way, the act captures the companies and conduct necessary to provide greater protection to consumers, including minors like Cooper Davis. However, by creating the duty to report, the act requires service providers to serve as a surveillance agent for the U.S. Department of Justice. Without further clarification or rulemaking, service providers will be left to determine, on their own and without a consistent industry standard, what constitutes actual knowledge of unlawful activity, and in what instance (if ever) knowledge will be imputed to a service provider based on evidence contained on their platform. The structure of the act was heavily debated in the Full Committee Executive Business Meeting that took place on July 13, 2023, and for good reason. At its worst, the act was described as “deputizing” tech companies to serve as law enforcement, without warrants or other procedures in place to protect citizens or prevent unnecessary disclosure of a user’s private information. Alternatively, consumer safety advocates may argue that the act does not go far enough, and is unnecessarily favorable to service providers at almost every turn. For example, the trigger for a mandatory report is actual knowledge on the part of the service provider, not strict liability or the mere occurrence of unlawful activity on the platform.

Further, the monetary amount of any penalty for failing to report is minimal compared to the earnings reported by many of the tech industry giants who fall within the definition of a Service provider.

From a compliance perspective, companies that fall within the definition of electronic communication service providers and remote computing services should be aware that the Cooper Davis Act could become law and impose additional reporting requirements. Practically, however, companies maintain substantial autonomy in crafting the policies to both identify and provide adequate reports of unlawful activity under the act. Like other amendments to the Controlled Substances Act, the language as written is unpredictable, and enforcement action is often the most practical way to discern the contours of the amendment. So, the impact of the act, and how companies can prepare for it, remains to be understood. The act’s good intentions but unsteady enforcement mechanisms are reminiscent of the Ryan Haight Act, another act promulgated to keep teens safe from controlled substances on the internet. The Ryan Haight Act also remains to be applied in a predictable manner following the COVID-19 public health emergency.

The act is a significant step toward protecting the public from controlled substance distribution via the internet. However, much is left to be worked out regarding the means, scope, and constitutionality of law enforcement’s surveillance of online activity in our increasingly digital world.