A year ago, Congress put online platforms on the clock. On May 19, 2025, President Trump signed the Take It Down Act into law, creating a new federal framework aimed at stopping the online spread of nonconsensual intimate imagery, such as real images, AI-generated “deepfakes,” and other harmful content circulated across websites, social-media platforms, messaging tools, and even video games. The act does two things: It creates criminal liability for knowingly publishing certain nonconsensual intimate imagery (NCII for short), and it requires covered online platforms to maintain a notice-and-removal process for takedown requests. The criminal provisions took effect immediately, and the platform obligations, enforced by the Federal Trade Commission, came with a one-year runway.
That runway has now ended. On May 19, 2026, the notice-and-removal requirements took effect, and the FTC announced it had begun enforcement. The agency immediately sent warning letters to several unnamed platforms for possible violations — consistent with Chairman Andrew Ferguson’s earlier calls for major platforms, including Amazon, Alphabet, Meta, TikTok, and X, to establish the required systems and procedures and his warning that the FTC would “vigorously enforce” the act.
This post explains who is covered, what the act requires, how the FTC may enforce it, and what practical risks platforms should address now. Given the FTC’s prompt enforcement of this law, companies should pay close attention to who and what the act covers, how certain terms are defined, and what the FTC is focused on from an enforcement perspective.
The Take It Down Act: A Brief Overview
The Take It Down Act covers (1) any person who knowingly publishes or threatens to publish certain kinds of NCII using an interactive computer service, and (2) “covered platforms” (a defined term that is explained in more detail below).
Individuals: Criminal Liability for Publication of NCII
For authentic “intimate visual depictions” of identifiable adults, the government must prove that (i) the defendant knowingly published the depiction, (ii) the defendant knew, or under the circumstances should have known, that the identifiable individual being depicted had a reasonable expectation of privacy, (iii) what was depicted was not a matter of public concern, (iv) what was depicted was not voluntarily exposed by the identifiable individual in either a public or commercial setting, and (v) the defendant’s publication caused or was intended to cause harm, including psychological, financial, or reputational harm.
Although these elements are nuanced and merit close analysis, it is important to note that the law does not prohibit the publication of every image a person would rather keep private. For example, an “intimate visual depiction” is defined by refence to certain types of nudity or sexual content, under which an ordinary swimsuit photo would likely not qualify. Other elements narrow the offense further. For example, the prohibited content cannot be something the depicted person had at some point voluntarily displayed in public. A key point for companies is that the question of whether content crosses the line may be something that is highly fact-specific or legally uncertain.
For “digital forgeries” (e.g., AI-generated images), the requirements are almost identical. Digital forgeries are defined as (i) “any intimate visual depiction of an identifiable individual created” using “computer-generated or technological means” (including AI) (ii) that are “indistinguishable from an authentic visual depiction” to a reasonable viewer. For digital forgeries, instead of a reasonable expectation of privacy, the government must prove that the forgery was published without the consent of the individual being depicted.
Minors get special protection. For depictions of minors, authentic or forged, the government need only prove (i) knowing publication and (ii) the intent to (a) abuse, humiliate, harass, or degrade or (b) arouse or gratify someone’s sexual desire.
The act also prohibits making threats to engage in any of the above-described conduct for the purpose of intimidation, coercion, extortion, or to create mental distress.
And anyone who violates any of these prohibitions may be punished, fined, imprisoned, or subjected to forfeiture or restitution.
“Covered Platforms”: Notice and Removal Obligations
Who is covered? The second part of the act applies to “covered platforms.” As defined, these are online services, applications, websites and mobile applications that (a) “serve[] the public” and (b) either (i) “primarily provide[] a forum for use-generated content” or (ii) in the regular course of business “publish, curate, host, or make available content of nonconsensual intimate visual depictions.”
The act contains a notable carveout, however, that excludes certain services, applications, or websites even if they have chat, comment, or interactive functionality. For it to apply, (a) the functionality must be “incidental to, directly related to, or dependent on” providing non-user-generated, preselected content and (b) the relevant service, application, or website must “consist[] primarily” of that kind of content. The carveout does not apply, however, to platforms that “publish, curate, host, or make available” NCII content “in the regular course of” their business.
In short, the act is largely aimed at social-media platforms and other kinds of apps and websites or services with similar functionalities, like image and video sharing. But who specifically is covered may turn on challenging questions, like which features are “incidental” or what the “primary” type of content on an app is. Therefore, any company that provides a service, application or website to the general public that can be used to send or receive content should carefully assess whether they are covered by the act.
What must “covered platforms” do? Covered platforms must have a notice-and-removal process that (a) allows individuals (or someone acting on their behalf) to notify platforms that they are hosting NCII and (b) allows them to request that it be removed. Platforms must provide users with clear-and-conspicuous notice of this functionality in easy-to-read, plain language. And once a valid removal request is received, platforms must remove the content within 48 hours and make reasonable efforts to identify and remove known identical copies.
The act requires that requests to take down NCII include (i) a physical or electronic signature, (ii) sufficient information to locate the NCII, (iii) a brief statement of the requester’s good-faith belief that the depiction was not consensual, and (iv) the requester’s contact information.
The act gives platforms a safe harbor that precludes them from liability for removing material in good faith and based on facts or circumstances from which it seems apparent that the content was NCII. This safe harbor applies even if it is later determined that the reported material that was taken down was not NCII and was published legally.
What is the enforcement regime? The act empowers the FTC to enforce the notice-and-removal regime (including against nonprofits that would otherwise exceed its jurisdiction). A violation of the act’s notice-and-removal requirements is considered an unfair or deceptive act or practice that also violates Section 5 of the FTC Act. As a result, the FTC may impose civil penalties in addition to seeking equitable relief, such as restitution, disgorgement, injunctions, bans, and the imposition of mandatory remediation and compliance programs.
Anticipated Challenges and Potential Risks
Critics of the act have raised significant First Amendment concerns. The 48-hour takedown deadline is short, and the act incentivizes platforms to remove content. Platforms face liability if they fail to take down unlawful material fast enough, while they also are granted a safe harbor that may protect them from liability if they remove lawful content. In the eyes of critics, the incentive is to over remove content, potentially sweeping in lawful and protected speech, such as satire, art, journalism, and political commentary.
There are also questions about scope and definitional ambiguity in the act. Services that primarily host original content but have comment, chat, or messaging features, services that aggregate or curate user content without hosting it, and emerging generative-AI tools that produce (rather than merely host) imagery all must consider potential risk under the act.
Open Questions for Businesses with Limited Social Features
All websites and apps that let users communicate must ask themselves (or their counsel) whether they are covered by the act. The above-mentioned questions about the act’s scope have real-world implications that extend beyond companies that identify as legacy social-media platforms. For example, businesses of all kinds frequently incorporate “social-media-lite” features into their products and services — for example, letting users share comments, videos, or photos. Consider a fitness app that hosts an online forum for members to share workout photos. Or a supplement brand that lets customers post before-and-after shots. In either situation, if it’s possible for a user to upload a nude photo of someone without their consent, there may be a real question of whether the company must implement a notice-and-removal system.
Until the act starts to be interpreted and applied, many of these legal questions will remain open — like how to determine what a website’s “primary” kind of content is, especially when apps and websites host all sorts of content, some user-generated and some intermixed with material created or selected by the companies themselves. Likewise, which features in an integrated product are considered “incidental”? Answers to these and similar questions will start to be clarified by the FTC and by courts, but the process will take time.
For now, uncertainty creates risk. Companies operating on the internet or in the app store cannot assume that they fall outside of the act, as an incorrect assumption means exposure to enforcement and the specter of large civil penalties. Instead, a prudent approach is for companies to carefully analyze their business, including by (1) thoughtfully identifying each and every product and feature that might let users share visual content, (2) assessing whether businesses qualify as “covered platforms” under the sometimes complex provisions of the act, and (3) if the answer is unclear, considering whether to adopt notice-and-removal processes to mitigate risk. Companies should consult counsel rather than assume the act is irrelevant to them.
Moreover, the act does not exist in a vacuum. It sits alongside, and in some places overlaps with, an existing patchwork of state NCII laws, Section 230 of the Communications Act of 1934, the Digital Millennium Copyright Act, and private civil remedies that could exist, including under 15 U.S.C. § 6851. In particular, companies that may have grown comfortable relying on the protections of Section 230 may nevertheless risk liability under the Take It Down Act due to hosting user content.
Key Takeaways
For platforms that host or enable user-generated content, the first question is coverage. Companies should assess each product or service — not just the overall business — to determine whether it qualifies as a “covered platform.”
If the act applies (or might apply), the next question is operational readiness. Platforms need a clear, easy-to-find, plain-language process that allows individuals — or someone acting for them — to report NCII and request removal. They also need internal workflows capable of meeting the 48-hour deadline, including after hours and on weekends, as well as procedures for identifying and removing known identical copies. Even if platforms already operate mature trust-and-safety programs, they will need to revisit whether their existing processes satisfy the act.
Finally, documentation matters. The act’s safe harbor may protect good-faith removals, but platforms should be able to show what they received, what they did, when they did it, and why. Strong records of requests, decisions, timing, and rationale will be critical if months or years later the FTC or a federal judge asks how a platform handled a takedown request.









