Overview
The Federal Trade Commission (FTC) has outlined its enforcement approach for the Take It Down Act, a federal law targeting non-consensual intimate imagery (NCII) including AI-generated deepfakes. The commission plans to use civil penalty authority, targeted investigations, and inter-agency coordination to hold platforms accountable for failures to remove reported content.
What the Take It Down Act Requires
Signed into law in 2025, the Take It Down Act compels online platforms to remove reported non-consensual intimate imagery — including both real and AI-generated synthetic content — within 48 hours of a verified complaint. Failure to comply exposes platforms to significant civil penalties enforced by the FTC.
Key provisions:
- 48-hour removal window from the time a verified complaint is received
- Covers AI-generated deepfakes as well as real imagery
- Applies to social media, messaging platforms, and content-sharing sites
- Requires platforms to maintain clear and accessible reporting mechanisms
FTC's Enforcement Plan
The FTC indicated it will pursue enforcement through several channels:
- Civil fines — Platforms that fail to comply face penalties for each violation, with fines potentially stacking per piece of unremediated content
- Targeted investigations — The agency will open investigations based on consumer complaints and referrals from victim advocacy organizations
- Pattern-of-practice cases — Platforms with systemic failures to remove NCII will face broader enforcement actions beyond single-incident penalties
- Coordination with DOJ — Criminal referrals are possible for the most egregious cases
Expert Concerns
While privacy advocates broadly welcome the law, several experts raised concerns about the FTC's capacity to meaningfully enforce it at scale:
- Resource constraints — The commission's enforcement division is already stretched across competition, privacy, and consumer protection mandates
- Prioritization questions — Critics ask whether NCII complaints will receive the same urgency as major data privacy violations
- Platform compliance variance — Large platforms with established trust and safety teams may comply readily, while smaller operators may lag without dedicated oversight pressure
- Detection challenges — AI-generated deepfakes continue to improve in quality, making accurate detection and attribution increasingly difficult
Implications for the Cybersecurity Community
The Take It Down Act intersects with cybersecurity in several ways. NCII and deepfake campaigns are increasingly weaponized in:
- Corporate extortion — Executives and employees targeted with synthetic imagery to coerce sensitive disclosures
- Social engineering — Deepfake audio and video used in phishing and vishing attacks
- Credential theft — Synthetic identity material used to bypass identity verification systems
Security teams should familiarize themselves with the Act's requirements, as organizations operating any form of user-content platform may fall within its scope.
What's Next
The FTC is expected to publish formal enforcement guidance and rulemaking around platform compliance requirements in the coming months. Victim advocacy groups, platform legal teams, and digital rights organizations are all closely watching how the commission translates the law's text into operational practice.