TAKE IT DOWN Act: Platform Compliance Guide (FTC Enforcement Begins May 19, 2026)

By AI Laws by State Research Team · Updated 2026-05-17 · More guides

On May 19, 2025, President Trump signed S.146, the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes On Websites and Networks Act, into law. The criminal provisions (Section 2) took effect on enactment. The platform notice-and-takedown obligation (Section 3) included a 1-year on-ramp and becomes enforceable May 19, 2026 — this Tuesday. This is the first federal statute targeting AI-generated intimate deepfakes and nonconsensual intimate imagery (NCII) with a removal mandate.

1. What the Act Does (in 90 Seconds)

The Act has two operative pieces:

• Section 2 — Federal criminal prohibition on knowingly publishing nonconsensual intimate visual depictions of an identifiable adult or minor, including AI-generated “digital forgeries” (deepfakes). Penalties up to 3 years (depictions of minors) or 2 years (adults) federal prison, plus fines and restitution. This took effect on enactment in May 2025.
• Section 3 — Platform notice-and-takedown duty requiring covered online services to maintain a process for victims (or authorized representatives) to request removal and to act within 48 hours. This is the Tuesday May 19, 2026 deadline. The FTC enforces; violations are treated as violations of an FTC rule defining unfair or deceptive acts or practices.

2. Who Is a “Covered Platform”?

The Act defines a covered platform broadly. You are in scope if your service is a website, application, online service, or mobile app that — in the regular course of trade or business — either:

• Primarily provides a forum for user-generated content (messages, photos, videos, games, real-time communications), or
• Publishes, curates, hosts, or makes available content of nonconsensual intimate visual depictions in the regular course of business.

That sweeps in social media, image-and-video sharing services, messaging apps, real-time communication platforms, gaming services with user-uploaded content, and many AI-image generation and storage services. Excluded: broadband internet access service (ISPs), email providers, and services for which user-generated content is not a primary function (e.g., online banking, payments, healthcare records, scheduling, B2B SaaS). Nonprofits are covered.

3. What Content Is Covered?

Two categories trigger the takedown duty:

1. Authentic intimate visual depictions — real photos or videos showing an identifiable individual’s nudity or sexually explicit conduct, published without that person’s consent.
2. Digital forgeries — AI-generated, deepfake, or otherwise altered visual depictions that are indistinguishable from an authentic intimate visual depiction of an identifiable individual. The Act’s digital-forgery definition explicitly anticipates generative-AI outputs.

The Act covers depictions of both adults and minors. Depictions of minors invoke heightened criminal penalties under Section 2.

4. The 48-Hour Removal Duty in Detail

Once a platform receives a valid removal request from an identifiable victim (or person authorized to act on their behalf), it must, within 48 hours:

• Remove the depicted content; and
• Make a reasonable effort to identify and remove any known identical copies of the depicted content on the platform.

A valid request must include: (1) a physical or electronic signature, (2) sufficient information to identify the depiction and locate it on the platform, (3) a brief statement that the requester believes in good faith the depiction is nonconsensual, and (4) contact information. The Act permits platforms to require additional reasonable verification but warns that the verification process cannot itself be used to delay or deny otherwise valid requests.

5. Required Notice and Process Disclosures

Section 3 requires covered platforms to provide a plain-language notice of the notice-and-takedown process. The notice must be:

• Clear and conspicuous;
• Easy to read and understand;
• Accessible to individuals with disabilities; and
• Available in the languages in which the platform offers its services.

Platforms must also provide each requester with an identifying number, code, or URL sufficient to allow the requester to track the status of the request.

6. Penalties & Enforcement

The FTC has signaled it will treat the 48-hour clock as strict. FTC Chairman Andrew Ferguson has indicated that platforms should use hashing technology and coordinate with NCMEC’s CyberTipline and StopNCII.org to identify known copies and meet the duty.

7. Compliance Checklist (By Tuesday May 19, 2026)

1. Determine if you are a covered platform. Most services with user-generated photos, video, or messaging are in scope. If unclear, treat as covered.
2. Build a dedicated notice-and-takedown intake. Web form + email + (for higher-risk platforms) in-product report flow. Capture the four required elements.
3. Issue tracking numbers automatically. Every valid request must get a unique identifier and a status check.
4. Define the 48-hour clock. SLAs, on-call rotation, escalation path. Start the clock at intake, not at engineering triage.
5. Stand up duplicate-detection. Use PhotoDNA, NCMEC hashing, or commercial CSAM/NCII fingerprinting to find known identical copies and remove them within the same 48-hour window.
6. Coordinate with NCMEC and StopNCII.org on hash-sharing for minor and adult NCII respectively.
7. Publish the plain-language notice. Help center + ToS link + in-product reporting menu. Translate into every language your service is offered in.
8. Train your moderation and legal teams. Two failure modes draw FTC attention: missing the 48-hour window, and over-removing legitimate content. Build a written abuse-of-process appeal path.
9. Document everything. Retain receipt timestamps, removal timestamps, hash-match logs, and appeal outcomes. The FTC’s first wave of investigations will turn on documentation gaps.
10. Map the state-law overlay. Most states have NCII statutes that run alongside the federal Act. See the Deepfake Penalty Tracker for the 50-state map.

8. How TAKE IT DOWN Interacts with State Laws

The Act does not preempt state NCII or deepfake statutes — it creates a federal floor that runs concurrently. Roughly 49 states plus DC have an NCII or deepfake statute on the books; many have civil and criminal causes of action that go further than the federal Act (e.g., longer statutes of limitation, statutory damages, attorney’s fees). See our Deepfake Laws by State (2026) guide and the Deepfake Penalty Tracker for the full state map.

9. Common Compliance Mistakes to Avoid

• Treating it like DMCA. The TAKE IT DOWN Act is faster (48 hours vs. DMCA’s “expeditious”), narrower (NCII + AI deepfakes only), and stricter on duplicates (you must look for them).
• Burying the request form. A buried abuse form is not “clear and conspicuous.” The FTC has signaled it will publicly compare platform intake flows.
• Refusing requests for procedural reasons. The Act permits verification but penalizes verification used to delay or deny otherwise valid requests.
• Ignoring foreign-language notice. If you offer service in Spanish, the notice must be in Spanish too. This is one of the most common gaps in pre-existing trust-and-safety stacks.
• Forgetting nonprofits. A 501(c)(3) running a community forum is still covered.

10. What to Watch (Post-May 19)

The FTC has discretion to issue interpretive guidance and to bring its first cases. Watch for: (a) an FTC compliance guide expansion or workshop in late 2026; (b) state AG coordination — expect state AGs to file parallel UDAP claims for the same conduct; (c) emerging case law on what counts as “identical copies” for fingerprinted-but-modified imagery. The DOJ is separately enforcing Section 2 criminal cases. Subscribe below for daily updates — we monitor and brief every FTC enforcement action under the Act.

11. Related Tools & Guides

• Deepfake Penalty Tracker — state-by-state criminal & civil penalties
• Deepfake Laws by State (2026)
• AI Disclosure & Transparency Tracker
• Federal AI Preemption: DOJ Task Force vs. State AI Laws
• AI Law Penalties by State