A Federal Law, A One-Year Clock, and a First Conviction Already on the Books
The TAKE IT DOWN Act — Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks — is the United States’ first federal statute criminalizing the nonconsensual publication of intimate images, including AI-generated deepfakes. President Biden’s successor signed it on May 19, 2025, closing a regulatory gap that had existed since generative AI made photorealistic intimate deepfakes trivially accessible to anyone with a laptop and a diffusion model.
The law is structured in two distinct parts. The criminal prohibition — making it a federal crime to knowingly publish NCII — took effect immediately upon signing. The platform compliance requirement — mandating that covered platforms build takedown systems — took effect one year after enactment, creating a May 19, 2026 deadline that is now days away.
Before that deadline, in April 2026, the Department of Justice announced the first conviction under the Act: an Ohio man who used AI to generate NCII of neighbors, including minors, and distributed the material on an abuse-related website. The case is significant not only as a legal precedent but as a signal about the DOJ’s enforcement posture: federal prosecutors did not wait for the platform compliance deadline to pass before pursuing criminal cases under the new framework.
For platform operators, legal teams, and product leaders, the approaching May 2026 deadline is the operational priority. This article explains exactly what the law requires, who it covers, and what a compliant platform architecture looks like.
What the Law Actually Requires
Who Qualifies as a “Covered Platform”
The TAKE IT DOWN Act defines covered platforms as public websites, online services, and applications — including mobile applications — that either primarily host user-generated content or specifically feature content that depicts NCII. Email services, broadband internet providers, and platforms that curate rather than host content are explicitly excluded.
In practice, this covers social media platforms, video-sharing services, image hosting platforms, adult content sites, messaging apps with public or semi-public features, and general-purpose content platforms that permit user uploads. The definition is broad enough that platforms whose primary purpose is not adult content but that allow user image uploads — forums, community platforms, creative tools with sharing features — should assume they are covered absent a specific legal opinion confirming exclusion.
The 48-Hour Removal Clock
Once a covered platform receives a takedown request from the person depicted in the intimate image — supported by an electronic signature and a good-faith statement that the image is NCII — the platform has 48 hours to investigate the request and remove the material. The law additionally requires platforms to make “reasonable efforts” to eliminate duplicates and reposts of flagged content — not just the originally reported instance.
The 48-hour window is substantially tighter than the DMCA’s “expeditious” removal standard, which in practice has allowed platforms weeks or months to act. For large platforms handling millions of uploads daily, 48-hour compliance requires automated detection pipelines, not purely manual review queues.
The FTC Enforcement Mechanism
Failure to comply with takedown obligations constitutes a violation of the Federal Trade Commission Act. This allows the FTC to pursue civil fines, injunctive relief, and consumer redress against non-compliant platforms. The FTC’s enforcement toolkit under FTCA Section 5 — “unfair or deceptive acts or practices” — gives it broad authority to define what adequate takedown infrastructure looks like, meaning that platforms that receive takedown requests and fail to act within 48 hours are exposed to regulatory action independent of any specific criminal prosecution.
Criminal Penalties — Two Tiers by Victim Age
For NCII involving non-consenting adults: up to 2 years imprisonment for knowingly publishing intimate images or deepfakes; up to 18 months for threatening deepfakes (sending intimate content as a threat without publishing). For NCII involving minors: up to 3 years imprisonment for intimate images or deepfakes; up to 30 months for threatening deepfakes. These are federal criminal penalties, meaning they run separately from any applicable state-level NCII laws, of which more than 40 US states had enacted their own by the time the federal law passed.
Advertisement
What This Means for Platform Operators and Content Leaders
1. Build the Takedown Pipeline Before May 19, 2026 — Not After
The compliance deadline is fixed. Platforms that do not have a functional notice-and-removal process in place by May 19, 2026 are exposed to FTC enforcement from day one of non-compliance. The system must include: a publicly accessible, clear reporting mechanism; an intake process that accepts electronic signatures; a triage workflow that reaches removal within 48 hours of a valid request; and a duplicate-detection step that surfaces reposts and variants of flagged content. Platforms that have invested in CSAM detection infrastructure — hashing-based image matching, perceptual hash databases — have the closest analogous capability and should assess how quickly it can be adapted for NCII.
2. Implement Perceptual Hashing for Duplicate Detection
The “reasonable efforts” standard for eliminating duplicates requires more than removing the specific reported URL. An image that has been shared 200 times across a platform cannot be taken down in 48 hours through manual URL-by-URL review. Perceptual hashing — technologies like PhotoDNA, PDQ (Meta’s open-source hashing tool), or similar — allow platforms to generate a hash of the reported image and scan for perceptual matches across their content corpus automatically. For AI-generated deepfakes, which may exist as multiple slightly-variant outputs of the same generation prompt, near-duplicate detection (fuzzy matching) provides more comprehensive coverage than exact-hash matching.
3. Assess Whether Your Appeal-Based Moderation Model Survives a 48-Hour Deadline
Many platforms’ content moderation models involve a staged process: report received → initial assessment → counter-notice period → final removal decision. This model was designed for copyright disputes where good-faith counter-claims are common. Under the TAKE IT DOWN Act, the 48-hour window begins at receipt of the victim’s request — there is no explicit provision for a counter-notice pause that extends the removal deadline. Platforms should assess whether their existing appeals infrastructure creates a 48-hour compliance gap and adjust the sequencing accordingly: remove within 48 hours, allow counter-appeal after removal if applicable.
4. Train Trust & Safety Teams on the Good-Faith Statement Standard
The law requires a “good-faith statement” from the depicted individual along with an electronic signature. Trust & Safety teams need clarity on what constitutes a sufficient good-faith statement, how to handle requests where identity cannot be immediately verified, and how to document the intake process to demonstrate compliance in the event of an FTC inquiry. The law includes a safe harbor for good-faith removal efforts, meaning platforms that build a clear, documented process and act on it within 48 hours have substantial protection against liability for removing content that later turns out not to be NCII.
5. Prepare for State-Federal Overlap — 40+ State Laws Also Apply
The TAKE IT DOWN Act is a federal floor, not a ceiling. More than 40 US states have enacted their own NCII statutes with varying definitions, timeframes, and liability rules. A platform that meets federal compliance standards may still face state-level claims in California, New York, Texas, or any other state with more stringent requirements. Legal teams should map the platform’s exposure across the states where it has significant user bases and build compliance to the most stringent applicable standard, not just the federal baseline.
The Global Regulatory Ripple: Where This Law Fits
The TAKE IT DOWN Act is part of a rapidly expanding global regulatory response to AI-generated harmful content. The UK’s Online Safety Act 2023 established a “legal but harmful” content framework with mandatory duties on platforms, including requirements to protect users from NCII. Australia’s Online Safety Act and its eSafety Commissioner’s enforcement powers provide another model. The EU’s Digital Services Act imposes risk assessment and mitigation obligations on Very Large Online Platforms (VLOPs) that would encompass NCII as a category of illegal content.
The common architecture emerging from these frameworks — notice-and-takedown within tight timeframes, platform accountability, criminal penalties for individual publishers — suggests that any platform operating globally should build its takedown infrastructure to satisfy the most demanding applicable standard. Singapore’s Media Development Authority has similarly strengthened its online content framework to address deepfake intimate imagery, framing its approach as protecting digital trust in addition to individual victims.
For compliance teams, the lesson from the April 2026 Ohio conviction is that law enforcement at the federal level is not waiting for the platform compliance deadline before pursuing cases. The criminal side of the TAKE IT DOWN Act was active from May 19, 2025. Platforms that host NCII and delay building their removal infrastructure are not just operationally non-compliant — they may be contributing to a pattern of harm that prosecutors are already treating as a priority.
Frequently Asked Questions
What exactly is a Nonconsensual Intimate Image (NCII) and does the law cover AI-generated deepfakes?
NCII under the TAKE IT DOWN Act includes any visual depiction of an identifiable person’s intimate parts that was shared without consent — whether the image was originally real, digitally altered, or entirely AI-generated. Yes, the law explicitly covers AI-generated deepfakes: a photorealistic AI-generated image depicting someone in an intimate context without their consent qualifies as NCII under the Act.
How does the 48-hour removal clock work in practice for a platform?
The 48-hour clock starts when a platform receives a verified removal request meeting the Act’s criteria. Platforms must establish a clear intake mechanism (a dedicated web form or email) to receive these requests. The verification requirement means platforms need a process to confirm the requester’s identity and relationship to the depicted person — this cannot be manual review of every submission at scale, which is why automation and dedicated Trust & Safety capacity are necessary.
What happens to platforms that fail to comply with the TAKE IT DOWN Act?
The FTC enforces the Act under its Section 5 authority. Violations are treated as unfair or deceptive practices. Fines scale with the size of the violation and the platform’s ability to pay — for major platforms, these can reach tens of millions of dollars per violation cluster. The Act also creates a private right of action for victims in some circumstances, enabling civil lawsuits against non-compliant platforms. The first criminal conviction in April 2026 set the precedent for active prosecution.
Sources & Further Reading
- TAKE IT DOWN Act — Congress.gov Text
- The TAKE IT DOWN Act: Targets AI-Generated and Authentic NCII — Nelson Mullins
- TAKE IT DOWN Act Signed Into Law — National Association of Counties
- The TAKE IT DOWN Act — Skadden Analysis
- First Person Convicted Under Federal Deepfake Intimate Image Law — NBC News
- TAKE IT DOWN Act — RAINN
- —
🔗 Related Intelligence
Platform Liability 2026: Section 230, the DSA, and the Global Battle Over Internet Rules
The DEFIANCE Act: America’s Federal Civil Remedy for Deepfake Victims
The US National AI Policy Framework: How Federal Preemption Will Reshape State AI Laws
Big Tech on Trial: The Global Antitrust Wave Reshaping the Tech Industry in 2025-2026
