For tech and social media companies that may qualify as covered platforms, the federal TAKE IT DOWN Act is no longer a future compliance issue but an immediate enforcement risk. The Department of Justice (DOJ) recently announced the first conviction and another new criminal case under the law, which aims to combat the spread of nonconsensual intimate imagery online, including AI-generated and digitally altered content. In conjunction with the Department of Homeland Security, the DOJ also recently secured a federal warrant to seize two domains that were being used to publish digitally forged nonconsensual intimate images and videos in violation of the law. Simultaneously, the Federal Trade Commission (FTC) announced its enforcement of the law, which involves oversight of platforms, broadly defined to include social media companies, message forums, video gaming sites and other sites hosting or sharing user-generated content. The recent activity by these agencies reflects the government’s first steps to enforce the new law through both criminal prosecution and regulatory oversight and serves as a warning shot that covered platforms’ compliance obligations no longer are theoretical but rather will be subject to active scrutiny and enforcement risk.

Background

In May 2025, President Donald Trump signed the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act, or the TAKE IT DOWN Act (TIDA or the Act), following its passage in Congress with broad bipartisan support. The Act’s stated purpose is to prevent the online sharing and publication of nonconsensual intimate imagery (NCII), a goal that the law aims to accomplish in two ways: (1) by criminalizing the sharing of NCII, and (2) by requiring covered platforms to establish reporting processes and to remove instances of NCII within 48 hours of receiving a valid report.

Crucially, the Act’s prohibition on the sharing of NCII extends not only to real photos and videos but also to “digital forgeries”—images “created through the use of software, machine learning, artificial intelligence, or any other computer-generated or technological means.”

1. Targeting Individual Violators

TIDA makes it unlawful to knowingly publish or threaten to publish intimate visual depictions¹ or digital forgeries of another individual without consent. The Act provides tiered criminal penalties, including fines and/or imprisonment, with heightened penalties in cases that involve minors.

1. Imposing New Obligations on Covered Platforms

In addition to imposing criminal penalties on individual violators, the Act subjects “covered platforms” to notice-and-removal obligations. A “covered platform” is defined as “a website, online service, online application, or mobile application” that (1) “serves the public” and (2) either (a) “primarily provides a forum for user-generated content, including messages, videos, images, games, and audio files,” or (b) in the regular course of business “publish[es], curate[s], host[s], or make[s] available content of nonconsensual intimate visual depictions.”

The Act requires that covered platforms establish a reporting process through which individuals (or an authorized person acting on their behalf) can report and request the removal of nonconsensual intimate visual depictions of themselves posted on the platform. A covered platform must also provide a “clear and conspicuous notice” of the process it has established, which must include information regarding the platform’s removal responsibilities under TIDA and a description of how individuals can submit requests for removal.

In addition to the reporting and notice provisions, covered platforms must affirmatively remove instances of NCII within 48 hours of receiving a valid removal request.² Platforms must also “make reasonable efforts” to find and remove identical copies of imagery that has been reported and removed. The Act includes a safe harbor provision that shields platforms from liability if they, in good faith, remove material that reasonably appears to depict nonconsensual intimate content even if that content is later determined to be lawful.

The TIDA deadline for complying with these provisions was May 19, 2026. Covered platforms’ violations of TIDA will be treated as a violation of an FTC rule and may result in civil penalties of $53,088 per violation.

Recent FTC Activity

In the lead-up to the Act’s May 19, 2026 deadline, FTC Chairman Andrew Ferguson sent letters to more than a dozen technology companies to remind them of TIDA’s requirements. The advice in the chairman’s letters is echoed in this May 2026 guidance from the FTC. The guidance makes clear that TIDA applies broadly to companies that host or facilitate user-generated content and requires them to implement an accessible, plain-language notice-and-removal process for both real and AI-generated NCII. And that the FTC will be monitoring to make sure that covered platforms act quickly to remove reported NCII content and identical copies. Further, covered platforms must make it easy for users and nonusers alike to submit removal requests and should also maintain tools and tracking processes that help document compliance and prevent re-uploading.

As part of its oversight efforts, the FTC launched the website TakeItDown.ftc.gov. The site allows individuals to submit complaints about platforms that have failed either to act on valid requests for the removal of images or to establish a process for individuals to submit removal requests in the first place.

Practical Takeaways for Companies

The government’s recent TIDA activity in both the criminal and regulatory spheres sends an unmistakable message of heightened scrutiny of individuals involved with NCII and the covered platforms on which NCII is found. In particular, tech and social media companies that fall within the broad definition of covered platforms must ensure that they have implemented effective reporting and removal processes.

• Do not assume the Act applies only to traditional social media platforms. As noted, the definition of what qualifies as a “covered platform” under the Act is very broad, reaching almost any site that hosts user-generated content. Whether a particular company or service qualifies is likely to require a fact-specific analysis. A business need not look like a traditional social media company to face risk under the Act. If a company operates a public-facing website, application or online service that hosts or makes user-generated content available, it should carefully assess whether the Act’s obligations apply.

• Assume the FTC will expect a live, user-friendly takedown workflow now—not later. Companies that may qualify as covered platforms should confirm immediately that they have a clear, conspicuous and easy-to-use removal process that works across all relevant surfaces where user-generated content appears, including posts, messages, comments, uploads and other features through which intimate imagery could be shared. The process should be accessible not only to users of the service but also to individuals who do not have any relationship with the platform.

• Translate the statute into a usable, cross-functional internal decision framework. Companies should proactively review and understand TIDA’s definitions and prohibitions to be prepared to make quick, defensible decisions regarding whether reported content must be removed. Companies should align legal, trust-and-safety, product, engineering, privacy and customer support teams on ownership, escalation, tooling and response protocols before an urgent request arrives.

• Build for a 48-hour compliance clock, not an ordinary moderation queue. The Act requires covered platforms to evaluate valid requests, remove covered content and make reasonable efforts to identify and remove identical copies within 48 hours. For many companies, that means creating an escalation path that can operate continually, assigning clear internal ownership across safety, legal, privacy and customer support teams, and ensuring that outsourced moderation or vendor support can meet the same deadline.

• Treat duplicate detection as a core compliance capability. The Act requires reasonable efforts to identify and remove identical copies of reported imagery within the same 48-hour window. Companies should evaluate now whether they have practical tools, such as hashing, image matching or other detection methods, to identify reposts quickly across the relevant parts of the service and to document what efforts were made.

• Do not limit risk analysis to authentic images. The Act prohibits the dissemination not only of authentic images or videos but also of AI-generated content and deepfakes that meet the law’s definition of “digital forgery.” Companies should assess whether existing moderation rules, classifier tools and escalation criteria are equipped to identify both authentic and synthetic content that may trigger the Act.

• The Act’s good-faith safe harbor supports prompt action in close cases. The Act provides protection for platforms that in good faith disable access to or remove material believed to be covered, even if the content is later determined to be lawful. Companies should take that protection into account when designing review standards and escalation rules for time-sensitive decisions.

• Recordkeeping will be critical in the event of FTC scrutiny. Platforms should document and track their intake of reports, removal timing and efforts to locate copies of offending images. This type of audit trail will be necessary to demonstrate compliance to the FTC.

Conclusion

The above recommendations are not intended to be an exclusive or exhaustive list of actions but instead represent steps that covered platforms should take to reduce any potential legal exposure under TIDA. WilmerHale can assist companies in thinking through these new obligations and designing policies and procedures to comply. What is abundantly clear is that TIDA has now gone live, and so too have the government’s enforcement efforts.