CIPA Requirements (FAQs)

There are several basic requirements in the legislation. In brief they are:

  1. A school or public library must have filtering on all computers with Internet access. The filters must protect against access to certain visual depictions described below (CIPA requirement).

  2. A school or public library must have an Internet safety policy and hold a public meeting to review the policy. The policy must incorporate the criteria described below (NCIPA requirement).

Technology Protection Measure (Filtering)

Q: Which has to be filtered?

A: The law states that a "technology protection measure" (i.e., filter) must be on any computer with Internet access. The filter must protect against access to visual depictions that are:

  1. Obscene: This is defined in a reference to section 1460 of title 18, U.S. Code.

  2. Child pornography: This is defined in a reference to section 2256 of title 18, U.S. Code.

  3. Harmful to minors: This is defined in CIPA and means any picture, image, graphic image file, or other visual depiction that, with respect to minors:

    1. taken as a whole, appeals to a prurient interest in nudity, sex, or excretion;

    2. depicts, describes, or represents, in a patently offensive way, an actual or simulated sexual act or sexual contact, actual or simulated normal or perverted sexual acts, or a lewd exhibition of the genitals; and

    3. taken as a whole, lacks serious literary, artistic, political, or scientific value.

Note: CIPA defines a minor as any person less than 17 years of age.

In its rules, the FCC declined to elaborate on the outlawed visual depictions beyond what is already stated in the law. The law also does not require the filtering of text. Filtering of any other content is a local decision. Most commercial filtering programs have a variety of categories by which they can filter, including Web content related to games, gambling, drug use, etc.

Q: What computers and software have to be subject to the filter

A: The law states that all computer workstations with Internet access must have some type of blocking or filtering technology. This includes student, staff, administrative, and patron workstations accessed by minors or adults. The FCC has stated that even for computers located in administrative areas not accessible to the public or students, the law still requires the use of filters. A provision allows the filter to be disabled under certain circumstances for adults as described in the next question.

The law does not specify any particular software (client) programs, such as Web browser, email, or chat software which must come under the scrutiny of the technology protection measure. The following is a comment on this issue based on correspondence with attorneys at the FCC.

FCC position: The question has been asked whether there is a need under CIPA to filter images other than those viewed through a Web browser (e.g., images attached to emails). The FCC has not taken a position on this issue. Thus, statements from any filtering vendor saying that CIPA requirements are not limited to Web browsing represent the vendor's interpretation of the law. It is not an interpretation the FCC has made. CIPA gives schools and libraries wide latitude to make local interpretations of much of the language in the act. Neither the statute nor the FCC's order addresses the specific question of email filtering nor filtering of any other end-user programs.

Q: Does the filter have to be active at all times for everyone?

A: No. The law permits any authorized staff to disable the filter to allow adults Internet access for any lawful purpose. (Even without CIPA, there is no constitutional protection to view obscene images, and child pornography, regardless of its medium, is clearly illegal.) The disabling provision applies only to adults. There is no provision that allows unfiltered access by minors for any purpose at any time. The FCC has stated that the method or procedures used to disable the filter for adults is a matter of local policy.

Note: The June 23 Supreme Court decision appears to make it easier for an adult user to request that filtering be turned off. FCC and IMLS will need to establish interpret rules around disabling filtering since the Supreme Court majority did not speak with one voice on this matter (see Court decision above.)

In the Loudoun County, Virginia, court case (Mainstream Loudoun et al. vs. Board of Trustees of the Loudoun County Library), public library filtering of all workstations at all times was found to be unconstitutional on first amendment grounds.

Q: How effective do the filters have to be? Is there any type of effectiveness certification for the filter?

A: It is important to note that the law states that filters must protect against visual depictions outlawed by the legislation. The filter does not have to prevent access to all such depictions. (No filter is 100% effective in preventing all such access.) In developing the CIPA regulations, the FCC declined to further define the filter requirements or to adopt any type of definition or certification on how effective a filter must be, beyond the very general "protect" language of the law. Thus, there is no such thing as an FCC certified "CIPA compliant filter." And, considering the broad interpretation of the word "protect," any statements by vendors that their filtering software will help schools and libraries be CIPA compliant is of little value. Furthermore, the FCC will not mandate that schools or libraries track the number of attempts made to access prohibited visual depictions or the number of times the filter succeeds or fails. It also will not require schools or libraries to collect any complaints filed by staff, students, or the public on what was or was not blocked. The Internet policy may indicate that it will track and collect such statistics, but there is no mandate to do this in the law or regulations. (Some organizations did request the FCC to mandate in its CIPA regulations such tracking and compiling of complaints.)

To help determine how effective filters are, the law required that by June 2002 the National Telecommunications and Information Administration (NTIA) initiate a process to evaluate Internet blocking and filtering programs. The report can be found at:

Q: What are the legal implications if the filter occasionally allows banned visuals to appear on the screen?

A: The FCC presumes that Congress did not intend to penalize schools or libraries that act in good faith and in a reasonable manner to implement filters. The FCC also notes that failure to comply with the law's requirements "could also engender concern among library patrons and parents of students at the school. We believe that schools and libraries will act appropriately in order to avoid such outcomes" [FCC regulations, par. 47]. In other words, the FCC will rely, in part, on community "concern" to serve as one mechanism to enforce compliance. In instances where an individual or group believes the school or library is in violation of CIPA (e.g., too many banned images get through the filter), the individual or group has no grounds under the law to initiate any legal action directly against the school or library. In such instances, any complaints would be made to the FCC, and the FCC would then decide whether to take action, such as withdrawing the applicant's discounts.

Q: Can filtering be done centrally by an Internet Service Provider (ISP) or at the school or library server level (LAN or WAN), or does the filter have to be individually installed on each workstation?

A: It makes no difference where the filtering is done --whether at the ISP, at the LAN or WAN, or on the individual workstation. The option to install filtering software on each individual PC works best with a very limited number of PCs. The option to filter at some point higher in the network is more efficient when filtering a large numbers of workstations, but you may then have a limited ability to customize settings for each workstation.

Internet Safety Policy

Note: Assuming 2002 or 2003 is not your first E-rate year in reference to CIPA/NCIPA (see Undertaking actions paragraph above) your school or library must already have an Internet Safety Policy that meets the requirements of the law and must have already held a public meeting on the policy.

Q: Can we use our current Acceptable Use Policy/Internet safety policy as the CIPA/NCIPA Internet safety policy?

A: You can use your current Internet policy if it meets all the requirements stated in the legislation. If, after reviewing your policy, you determine that it does not meet the law's requirements, then you will have to initiate a process to revise it so that it is in compliance.

Q: What must be included in our policy to be in compliance with the law?

A: The CIPA section of the law says that a school or public library must have an Internet safety policy and that this policy must include the use of filters to protect against access to the visual depictions outlawed in the act. A school's Internet policy must also indicate how it plans to monitor the Internet activities of minors.
Note: Neither the law nor the FCC rules require the actual online tracking of Internet use by minors or adults.

The NCIPA section of the law is much more specific in its safety policy requirements. NCIPA requires that schools and libraries participating in the E-Rate program adopt and implement an Internet safety policy that addresses:

  1. Access by minors to inappropriate matter on the Internet and the Web;
  2. The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications;
  3. Unauthorized access, including so-called "hacking," and other unlawful activities by minors online;
  4. Unauthorized disclosure, use, and dissemination of personal identification information regarding minors; and
  5. Measures designed to restrict minors' access to materials harmful to minors.

The Internet Safety Policy must be adopted after holding at least one public hearing or meeting.

Note: NCIPA only applies to E-Rate, not to libraries receiving LSTA grants.

Q: One of the requirements refers to access by minors to "inappropriate matter" and another refers to access to "materials harmful" to minors. What's the difference?

A: The term "harmful to minors" is defined in CIPA and referenced previously in this FAQ. The definition of "inappropriate for minors" is to be made locally by the library's board or administration. The law states specifically that the federal government is not to make any determination on what is, or is not, "inappropriate for minors."

Q: Who is considered a minor?

A: Again, CIPA defines a minor as any person less than 17 years of age.

Q: Does the Internet Safety Policy have to be adopted by the library board or can it be done as an administrative procedure?

A: The law says the "school or library" shall adopt and implement a policy that meets the requirements of the law. Though the law does not state specifically that the board must pass the policy, it is prudent to have your board take such action.

Public meeting on the Internet Safety Policy

Q: Can a regular meeting of the school or library board be used as the required public meeting?

A: The law and the regulations give schools and libraries considerable flexibility in meeting the public hearing mandate. The law says simply that schools or libraries must "provide reasonable public notice and hold at least one public hearing or meeting to address the proposed Internet safety policy." Considering this general language, the hearing can be part of a regular board meeting, assuming such a meeting allows for public comments. Notices of such a meeting must comport with any local or state open meeting laws. Be certain to document fully the public meeting by keeping a copy of the notice, noting any actions taken, etc.

Eacn member of an automated network for whom Internet or internal connection discounts are being requested must be in compliance with CIPA's requirements. This means that each member must hold a public hearing. One hearing held by the consortium will not serve to cover all the members of the consortium. Also, the hearing is to address the library's Internet Safety Policy. Considering local variations in policies, it is difficult to envision a single library system Internet policy that is the same for all member libraries of the consortium.

Page last updated on 06/11/2015