TL;DR: The FTC began enforcing the Take It Down Act on May 19, 2026, exactly one year after President Trump signed it into law. Covered platforms must remove non-consensual intimate imagery, including AI-generated deepfakes, within 48 hours of a valid request or face civil penalties of $53,088 per violation per day.
The Take It Down Act (formally, the Tools to Address Known Exploitation by Immobilising Technological Deepfakes on Websites and Networks Act) passed both chambers of Congress with overwhelming bipartisan support and was signed by President Trump on May 19, 2025. The law gave platforms one year to get compliant. That year ended on May 19, 2026.
The FTC did not wait quietly. In the weeks before the enforcement date, FTC Chairman Andrew Ferguson sent warning letters to 15 major platform operators: Alphabet, Amazon, Apple, Automattic, Bumble, Discord, Match Group, Meta, Microsoft, Pinterest, Reddit, SmugMug, Snapchat, TikTok, and X. The letters reminded each operator of its legal obligations and signalled that the agency was watching. Enforcement is now live.
What the Take It Down Act requires
The Act targets "non-consensual intimate visual depictions" (NCII), a category that covers both authentic images and AI-generated deepfakes. Publishing, hosting, or distributing NCII without consent is a federal crime under Section 2. That criminal provision took effect immediately on signing.
Section 3 is the part that drives platform obligations. It requires covered platforms to:
- Provide a mechanism through which any person can submit a removal request for NCII featuring themselves.
- Remove the content, plus all known identical copies, within 48 hours of receiving a valid request.
- Take reasonable steps to prevent the re-upload of removed content.
The FTC enforces Section 3 only. The agency cannot prosecute individual publishers under Section 2; that falls to the Department of Justice.
Which platforms are covered
The Act's definition of a "covered platform" is deliberately broad. It applies to any website, online service, online application, or mobile application that serves the public and primarily provides a forum for user-generated content, including messages, videos, images, games, and audio files.
Unlike many US state privacy laws, there is no minimum user threshold. A platform with 50,000 users is as covered as one with 500 million.
Platforms that received the FTC's May 2026 warning letters include Meta (Facebook and Instagram), Alphabet (Google, YouTube, and Google Photos), X, TikTok, Snapchat, Reddit, and Discord. But those names represent a floor, not a ceiling.
The Act excludes broadband internet service providers and email providers whose primary function is transmitting, not hosting, content. A standard business email service is not a covered platform. A community forum or image-hosting service is.
If your platform hosts user-generated images, videos, or messages and is accessible to the general public, you should assume you are covered and build accordingly.
The 48-hour removal clock
The clock starts the moment a platform receives a valid removal request. "Valid" means the request contains enough information for the platform to identify and locate the content. That typically means at least one of:
- A direct URL to the content
- A description sufficient to locate it (username, post date, file name)
- A hash value matching the content
The Act does not require the requester to provide government-issued identification, but platforms may ask for verification sufficient to confirm the request is from the depicted person or their authorised representative. Platforms that impose excessive identity verification requirements as a condition of processing a request risk being found to have created a barrier that effectively defeats the removal obligation.
Once a valid request lands in the intake queue, the 48-hour window is open. It does not pause while staff review the request or while automated systems scan for duplicates. Platforms that route NCII requests through a general content moderation queue with a three-to-five-day SLA are already out of compliance.
After removal, the platform must also remove all known identical copies hosted on its services. The same video uploaded to ten different accounts must all come down, not just the instance cited in the request. Platforms are also expected to take "reasonable steps" to prevent re-upload, which in practice means hash-matching the removed content against future uploads.
Penalties
The civil penalty amount for FTC enforcement in 2026 is $53,088 per violation per day. Each piece of content that remains up past the 48-hour deadline, and each separate request that goes unanswered, can count as a separate violation.
There is no private right of action under the federal Act. Individuals cannot sue platforms directly under the Take It Down Act in federal court. The FTC holds the enforcement monopoly at the federal level. This means a victim whose content remains up past 48 hours cannot file a private lawsuit under TIDA; they must report to the FTC and wait for the agency to act.
However, several states have enacted parallel NCII laws that do include private rights of action. California, Texas, New York, and others allow victims to sue directly for damages. A platform that is out of compliance with the Take It Down Act may simultaneously be exposed to state-level litigation.
FTC enforcement typically follows a pattern of warning letters followed by formal action for non-responsive platforms. The agency's May 2026 letters to 15 platforms established that it has already identified which operators are most likely to be targets of removal requests and is monitoring their compliance processes. Smaller platforms that did not receive a letter should not treat the omission as a signal that they are outside the Act's scope. The letters were targeted at the highest-traffic services, not intended as an exhaustive list of covered entities.
6-step platform compliance checklist
This checklist is aimed at platform operators who need to verify or build their Section 3 compliance before an enforcement investigation begins.
Step 1: Designate a NCII removal contact point. Assign a named individual or team as the responsible owner for NCII removal requests. This person needs operational authority to escalate content for removal without waiting for a general moderation queue. Document the designation in writing.
Step 2: Build a valid-request intake form. Create a dedicated submission form that collects: the requester's name and contact information, a declaration that the imagery depicts them without consent, the URL or other identifier for the content, and consent to use the submitted information to process the request. The form should be findable from your platform's main help centre in no more than two clicks.
Step 3: Set a 48-hour SLA in your content moderation queue. NCII requests must be tagged and routed separately from general abuse reports. Configure your ticketing system to escalate any NCII ticket that has been open for 36 hours so that removal happens with a buffer before the legal deadline.
Step 4: Implement hash-matching for known NCII. Use PhotoDNA, the NCMEC hash database, or an equivalent perceptual-hash system to scan incoming uploads against a database of known NCII. This both reduces the volume of re-upload incidents and supports your "reasonable steps" defence if a re-upload slips through.
Step 5: Document each removal request and the action taken. Maintain a log of every NCII removal request with: the timestamp of receipt, the content identified, the timestamp of removal, and any reason for delay if the 48-hour window was at risk of being missed. Retain records for a minimum of two years. This documentation is your primary evidence if the FTC investigates.
Step 6: Train content moderation staff on NCII identification. Staff reviewing flagged content need to understand the legal definition of NCII, how AI-generated deepfakes present differently from authentic imagery, and the 48-hour obligation. Training records should be kept alongside the removal logs. Annual refresher training is a reasonable minimum; quarterly is better if your platform hosts significant amounts of user-generated visual content.
Platforms that complete all six steps are in a strong position relative to Section 3. The checklist does not address Section 2 criminal liability for publishers, which is a separate matter for legal counsel.
Related Reading
For a deeper look at what the Act requires across both Section 2 and Section 3, see the Take It Down Act full compliance guide.
Platforms serving EU users also need to consider watermarking and disclosure requirements under EU AI Act Article 50, which covers AI-generated synthetic media more broadly.
If you are reviewing your internal AI use policies as part of a wider compliance exercise, the AI acceptable use policy template provides a starting point for small teams.
For broader FTC AI enforcement context, see FTC AI enforcement actions: April 2026.
