Skip to content
Americans for Propriety
Menu

Brief · tech and data rights

The TAKE IT DOWN Act, now that platforms must comply

A federal law against non-consensual intimate imagery, including AI deepfakes, took its second and larger step on May 19, 2026, when the platform takedown mandate went live. What the law does, how the 48-hour removal process works, and the over-removal concerns critics have raised.

May 21, 2026 · 6 min read · AfP Research

A law in two stages

The TAKE IT DOWN Act — formally, the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act — was signed into law on May 19, 2025. It is the first federal statute squarely aimed at non-consensual intimate imagery, the category often called “revenge porn,” and it explicitly reaches AI-generated deepfakes as well as authentic images.

The law took effect in two stages. Its criminal prohibitions applied immediately on signing. Its second and more contested half — the obligation on online platforms to build a notice-and-removal system — was given a one-year runway. That runway closed on May 19, 2026. As of this week, covered platforms are legally required to take down flagged material on a fixed timetable, and the Federal Trade Commission has begun enforcing that requirement.

This brief explains what the law does, how the takedown mechanism works, and why the same provision that protects victims has drawn sustained free-expression objections.

What the law criminalizes

The act makes it a federal crime to knowingly publish intimate visual depictions of an identifiable person without consent. Two features of the criminal section are worth noting:

  • It covers synthetic images. “Digital forgeries” — images altered or generated by AI to appear authentic — are treated alongside real photographs. This closes a gap that many older state revenge-porn statutes left open.
  • Penalties scale with the victim. Distributing non-consensual intimate imagery of an adult carries up to two years in prison; imagery of a minor, up to three. Threats to distribute such material are also criminalized, with somewhat lower maximum terms.

The criminal provisions passed with near-unanimous support: the Senate approved the bill in February 2025, and the House followed 409–2 in April 2025.

How the platform takedown mechanism works

The second section of the law — the part that went live on May 19, 2026 — places obligations on “covered platforms,” a broad category that includes social media, messaging, image- and video-sharing, and gaming services that host user-generated content.

A covered platform must:

  • Provide a clear, accessible reporting process. Victims, or their authorized representatives, must be able to notify the platform of non-consensual intimate imagery and request removal, and the platform must conspicuously explain how.
  • Remove flagged content within 48 hours of a valid request.
  • Make a reasonable effort to remove identical copies of the same material.

Enforcement runs through the FTC. A platform that fails to reasonably comply is treated as having committed an unfair or deceptive act or practice under the FTC Act — the agency’s standard enforcement hook — exposing it to civil penalties (currently set at $53,088 per violation). The FTC has signaled it intends to use that authority: on May 20, 2026, one day after the mandate took effect, it sent warning letters to roughly a dozen major technology companies, telling them to come into compliance immediately and pointing them toward hash-matching tools and existing victim-support databases (The Record).

The free-expression and over-removal concerns

The protective purpose of the takedown mandate is not seriously disputed. The implementation design is. Civil-liberties groups — most prominently the Electronic Frontier Foundation — supported the goal but opposed the bill, and the objections center on a structural mismatch in the takedown section.

The core concern is breadth without a verification step. The 48-hour clock leaves a platform little time to confirm that flagged content is in fact non-consensual intimate imagery rather than lawful speech. The rational response to a tight deadline and per-violation penalties is to remove first and ask questions later. Critics argue the takedown provision’s triggering language is broader than the narrower definitions used in the criminal section, which widens the range of content a request could sweep in (EFF).

Three specific worries follow from that design:

  • No penalty for bad-faith requests. The statute does not build in a clear deterrent against frivolous or abusive takedown notices, and offers no counter-notice or restoration process comparable to the one in copyright’s DMCA. A request can therefore remove lawful content with little friction.
  • Potential for misuse against critics. Because anyone can file a request and platforms face pressure to comply fast, well-resourced actors could use the system to suppress unflattering but lawful images. President Trump publicly mused that he would invoke the law for himself, which sharpened these concerns (EFF).
  • Encrypted services. Many covered messaging apps use end-to-end encryption. Critics argue a removal mandate either cannot be meaningfully enforced there or creates pressure to weaken encryption.

Defenders respond that victims of non-consensual intimate imagery have had no fast, reliable removal route at all, that the harm is acute and time-sensitive, and that the FTC’s enforcement discretion can be calibrated as a body of practice develops. Both points can be true at once: a real protective gap is being closed, and the mechanism chosen to close it carries a genuine over-removal risk. How the FTC interprets “reasonably comply” — and whether it treats good-faith handling of contested requests as compliant — will determine which tendency dominates.

Where enforcement stands

On the criminal side, the law has already produced a result. In April 2026, a Columbus, Ohio man, James Strahler II, pleaded guilty to charges including publication of digital forgeries — the first conviction under the TAKE IT DOWN Act — in a case involving AI-generated imagery of both adult and minor victims (NBC News). That case combined the new offense with existing cyberstalking and child-exploitation charges, which is likely to be a common pattern: the act will often be one count among several rather than a standalone prosecution.

On the platform side, enforcement is only days old. The compliance mandate took effect May 19, 2026; the FTC’s warning letters went out May 20. The next year of FTC practice — which requests it treats as valid, how it weighs platforms’ handling of disputed notices, whether it brings a penalty action — will show whether the takedown system protects victims efficiently or becomes a tool for removing lawful speech.

What to ask your representatives

  • Should the takedown provision include a counter-notice or restoration process, and a penalty for knowingly false requests, to deter bad-faith removals?
  • Does the FTC have the staffing and the interpretive guidance to enforce the platform mandate consistently — and to distinguish good-faith compliance from over-removal?
  • How should the law’s removal obligations apply to end-to-end encrypted services without creating pressure to weaken encryption?
  • Will they support oversight of the law’s first year of platform enforcement, so that over-removal patterns, if they emerge, are documented rather than assumed away?

← All briefs