The TAKE IT DOWN Act took effect immediately when President Trump signed it on May 19, 2025. FTC enforcement formally began May 19, 2026, one year after enactment. Covered platforms must remove non-consensual intimate imagery (NCII), including AI-generated deepfakes, within 48 hours of a verified takedown request. Platforms that do not have a compliant intake and removal process in place as of May 2026 are currently subject to FTC action.
Published May 14, 2026. Updated May 29, 2026: FTC formally confirmed enforcement began May 19, 2026. The TAKE IT DOWN Act was signed by President Trump on May 19, 2025. One year in, many platforms still lack a process that meets the 48-hour requirement. This article covers what compliance actually looks like.
The TAKE IT DOWN Act became federal law May 19, 2025, the first US federal law to directly address AI-generated non-consensual intimate imagery. Twelve months later, the most common failure mode is not malice. It is platforms that intended to build a takedown process and have not finished it. The 48-hour requirement is operationally harder than it looks: intake, identity verification, content location, removal, confirmation, re-upload prevention, all inside two days, including weekends.
TL;DR: The TAKE IT DOWN Act (Tools to Address Known Exploitation) was signed by President Trump on May 19, 2025. One year later, many platforms still do not have a compliant NCII takedown process. The law requires covered platforms to remove non-consensual intimate imagery (NCII), including AI-generated deepfakes, within 48 hours of a verified request. It also makes publishing AI-generated CSAM a federal crime. FTC enforces. This article covers what 'compliant' looks like after one year of the law being in effect.
When does enforcement begin?
The TAKE IT DOWN Act was signed May 19, 2025 and took effect immediately. The law gave covered platforms one year to implement compliant notice-and-removal procedures. That grace period expired May 19, 2026.
Platforms that have not built a compliant process as of May 19, 2026 are exposed to immediate FTC enforcement. There is no additional runway. The FTC enforces under Section 5 authority with civil penalties up to $53,088 per violation per day.
On May 19, 2026, the FTC issued a formal enforcement announcement confirming that covered platforms are now subject to active oversight. The agency stated it would prioritize platforms with public-facing user-generated content and no documented NCII takedown process. The FTC's announcement did not name specific targets, but platforms that received prior FTC guidance in 2025 and have not implemented compliant processes face the highest early enforcement risk.
What the Law Does
The TAKE IT DOWN Act has two distinct parts:
| Part | What it covers | Who it applies to |
|---|---|---|
| Platform takedown obligation | Platforms must remove NCII (including AI deepfakes) within 48 hours of verified request | Covered online platforms with US users |
| Publication prohibition | Publishing, distributing, or transmitting NCII or AI-generated CSAM is a federal crime | Individuals and entities; no platform threshold |
The 48-Hour Removal Requirement
This is the core operational challenge for covered platforms.
What triggers the clock: A verified takedown request from the person depicted (or their legal representative) identifying non-consensual intimate imagery depicting them.
What must happen in 48 hours:
- Receive and verify the request
- Locate the reported content
- Remove it from the platform
- Prevent re-upload (reasonable steps)
- Confirm removal to the requester
What "verified" means in practice: The law does not specify an exact verification standard. Platforms need a process that confirms the requester is the person depicted or authorized to act for them. This does not require government ID, but a process that accepts anonymous requests without any verification would likely not satisfy the statute.
Who Is a Covered Platform
| Platform type | Coverage |
|---|---|
| Social media platforms | Yes |
| Video hosting platforms | Yes |
| Image hosting and sharing services | Yes |
| AI content generation platforms | Yes, if users can share generated content |
| Adult content platforms | Yes |
| Messaging apps with public content features | Yes |
| Small single-operator websites | Lower risk, consult counsel |
| Private messaging (no public content) | Not covered for takedown obligation |
AI-Specific Obligations
The law explicitly covers AI-generated NCII. Platforms that offer or enable AI content generation have additional exposure:
| Scenario | Obligation |
|---|---|
| Platform allows users to generate AI images/video | Must process takedown requests for AI-generated NCII |
| Platform uses AI to generate content of real people | Publication prohibition applies to the platform as publisher |
| Platform hosts user-uploaded AI-generated content | Must remove on verified request within 48 hours |
| Platform provides AI tools that can produce NCII | Proactive moderation expected (FTC has broad Section 5 authority) |
7-Point Compliance Checklist
- 1. Determine coverage, assess whether your platform hosts user-generated content accessible to US users; consult counsel if coverage is unclear
- 2. Build a takedown request intake process, a dedicated form, email address, or in-app mechanism for NCII takedown requests; document the identity verification steps
- 3. Establish 48-hour SLA with monitoring, map the end-to-end process (intake → verification → content location → removal → confirmation) and measure current latency; the 48-hour window is hard
- 4. Implement re-upload prevention, use perceptual hashing or similar tooling to detect re-uploads of removed NCII; document the technical approach
- 5. Designate a responsible contact, identify the person or team accountable for NCII takedown compliance; this should be reachable within the 48-hour window, including weekends
- 6. Update your content policies, explicitly prohibit NCII and AI-generated NCII in your Terms of Service; add to your prohibited content list
- 7. Brief legal and trust-and-safety teams, the Act's requirements and the FTC enforcement risk should be communicated to anyone who handles content policy or content moderation
What a Compliant Takedown Process Looks Like in Practice
After one year of the law being in effect, a pattern has emerged for what a defensible compliance posture looks like. Platforms that are most at risk are those that built a reactive process, a generic "contact us" form that routes to a general support queue, rather than a purpose-built NCII intake workflow. FTC enforcement under Section 5 does not require a formal rulemaking to act on a platform that clearly lacks a compliant process.
A compliant process has five traceable steps:
Step 1, Intake. A dedicated, clearly labeled form or contact mechanism for NCII takedown requests. The form must exist, be publicly findable (linked from Terms of Service and ideally from a help center page), and be operational at all times including weekends. A generic "report content" button that routes to a general moderation queue is not sufficient, the law requires a process specifically for NCII.
Step 2, Identity verification. The law requires requests to be "verified" before triggering the 48-hour removal clock. The verification standard is not defined with technical precision, but the intent is clear: the requester must be the person depicted or their authorized legal representative. In practice, most compliant platforms request a government-issued ID or a signed declaration under penalty of perjury. Platforms using third-party identity verification services (Persona, Veriff, or similar) should document that the verification process was applied to NCII requests specifically.
Step 3, Content location. After the request is verified, the platform must locate the reported content within the 48-hour window. For platforms with user-generated content at scale, this requires the intake form to capture a direct URL or content ID, not just a description. A request that cannot be traced to specific content within the deadline creates compliance exposure even if the platform acted in good faith.
Step 4, Removal and confirmation. The content must be removed and the requester notified of removal, within 48 hours of the verified request. The notification requirement is often overlooked: the law's removal standard implies a feedback loop, and FTC guidance has emphasized that the process must be complete, not just initiated, within 48 hours.
Step 5, Re-upload prevention. The law requires "reasonable steps" to prevent re-upload of removed NCII. The most defensible technical approach is perceptual hashing, generating a hash of the removed content and scanning new uploads against it. PhotoDNA (Microsoft) and CSAM Hash Sharing (NCMEC) tools support this for image content. For video, platforms should evaluate available tools and document whatever approach they implement. "Reasonable steps" will be interpreted in light of the platform's scale and technical capabilities, a small platform cannot be expected to implement the same infrastructure as a major social network, but it must implement something.
Building the 48-Hour SLA: Operational Realities
The 48-hour window is the hardest operational requirement in the law. Several factors make it harder than it looks on paper:
Weekend and holiday coverage. The 48-hour clock does not stop on weekends. A request submitted at 11 PM Friday must be resolved by 11 PM Sunday. Platforms that staff content moderation only during business hours will fail this requirement on a regular basis. At minimum, one person must have the ability to action a verified NCII takedown request at any hour of the week.
International time zones. For platforms with global user bases, the requester and the content may be in different jurisdictions. The 48-hour window runs from verified request receipt regardless of where the content is hosted or where the requester is located.
Verification latency. If identity verification takes 24 hours (e.g., manual review of an ID document), only 24 hours remain for content location, removal, and confirmation. Platforms should automate as much of the verification step as possible to preserve time for content action.
AI-generated content detection. The TAKE IT DOWN Act explicitly covers AI-generated NCII. Platforms may receive requests for content they do not immediately recognize as AI-generated. The removal obligation applies regardless of how the content was created, a platform cannot deny a takedown request on the grounds that the content might be AI-generated and therefore not "real" imagery.
How This Interacts with State Laws
The TAKE IT DOWN Act is a federal floor, not a ceiling. Several state laws provide parallel or stronger protections:
| Law | What it adds beyond TAKE IT DOWN Act |
|---|---|
| Washington AI likeness law (effective June 10, 2026) | Private right of action, victims can sue creators and distributors directly |
| California NCII law | Existing state law; private right of action |
| Texas deepfake law | Covers electoral deepfakes; criminal penalties |
| New York deepfake law | Covers sexual and electoral deepfakes |
The TAKE IT DOWN Act does not preempt state laws. Platforms need to comply with the federal Act AND applicable state laws.
FTC Enforcement
The FTC enforces the TAKE IT DOWN Act under its Section 5 authority. Platforms that:
- Fail to establish a takedown process
- Fail to remove content within 48 hours after a verified request
- Allow re-uploads of reported content without reasonable prevention
...are exposed to FTC enforcement and civil penalties up to $53,088 per violation per day. The Act does not grant state attorneys general a parallel civil enforcement right under the federal statute (though state NCII laws may provide separate state AG authority).
The law gave covered platforms one year to implement compliant notice-and-removal procedures, a deadline that expired on May 19, 2026. Platforms that have not yet built a compliant process are now exposed to immediate FTC enforcement. The FTC has been actively expanding AI enforcement (Operation AI Comply), and TAKE IT DOWN Act enforcement is expected to be a priority given the law's bipartisan support and high political visibility.
FTC complaint portal: The FTC launched TakeItDown.ftc.gov at the start of enforcement. Victims and survivors can submit complaints against platforms that have failed to establish a compliant takedown process or failed to act on a valid request. The portal is also where the FTC receives intelligence for targeting early enforcement actions.
EU Parallel: Article 50 and the CSAM/Nudification Ban
US and EU law are converging on AI-generated intimate imagery. The EU Digital Omnibus (May 7, 2026) adds an explicit ban on AI systems that generate non-consensual intimate imagery (NCII) and child sexual abuse material (CSAM), including AI "nudifiers." These bans take effect December 2, 2026 under EU AI Act Article 5 amendments.
For platforms operating in both the US and EU, this creates a two-track compliance obligation:
- US TAKE IT DOWN Act: Platform-facing obligation (removal within 48 hours)
- EU AI Act + Omnibus: Provider-facing obligation (do not build or deploy NCII-generation tools)
If your platform allows any AI-generated content creation, verify that your AI content policies prohibit generation of NCII and CSAM, not just hosting of it. This is the position both the FTC (enforcement of TAKE IT DOWN Act) and EU regulators (Article 5 prohibition) will take. For the EU watermarking and deepfake disclosure obligations that apply separately, see the EU AI Act Article 50 compliance checklist.
Sources: TAKE IT DOWN Act (signed May 19, 2025), FTC press releases, Congressional record. EU Digital Omnibus (May 7, 2026). This article reflects the laws as signed; FTC and EU implementation guidance may add requirements.
