A federal deepfake law, finally with teeth
The FTC began enforcing the TAKE IT DOWN Act on May 19, 2026 — exactly one year after President Trump signed S.146 into law. Days earlier, Chairman Andrew Ferguson sent letters to Alphabet, Amazon, Apple, Automattic, Bumble, Discord, Match Group, Meta, Microsoft, Pinterest, Reddit, SmugMug, Snapchat, TikTok and X, reminding them that any covered platform that fails to remove nonconsensual intimate imagery (NCII) or AI-generated nonconsensual deepfakes within 48 hours of a valid request now faces civil penalties of up to $53,088 per violation under Section 18 of the FTC Act. On May 22, the Commission followed up with letters to twelve "nudify" sites whose entire business model is generating the exact imagery the statute targets.
The same week, the FTC stood up takeitdown.ftc.gov, where victims can report platforms that miss the 48-hour window. The agency also urged companies to hash flagged images and share fingerprints with the National Center for Missing & Exploited Children (for minors) and StopNCII.org (for adults), so duplicates can be suppressed across services without re-uploading the underlying material.
The harm is real, and prior law moved too slowly
The strongest case for federal preemption here is straightforward. Generative-AI image tools have collapsed the cost of producing photorealistic NCII to roughly zero. Schools have reported clusters of deepfake harassment cases targeting students; adult victims describe losing jobs and absorbing stalking incidents in the hours before viral content can be taken down. Forty-eight states criminalize NCII distribution, but state criminal cases move in months, not hours, and platform-by-platform civil remedies under defamation or right-of-publicity law are slower still. By the time a victim has counsel, the file has been mirrored.
A federal floor — a single statutory takedown procedure, predictable penalties, and a centralized victim portal — addresses the timing problem in a way patchwork state law cannot. Senate passage was unanimous (S.146, February 13, 2025) and the House vote was 409-2: this is the rare tech bill that united Senators Cruz and Klobuchar and gave a politically polarized Congress an off-ramp on a hard issue.
But the 48-hour rule has no anti-abuse circuitry
The statute defines a "valid removal notice" as little more than a signature, an identification of the image, a good-faith statement that the depiction is nonconsensual, and contact information. There is no counter-notice procedure of the kind 17 U.S.C. § 512(g) provides under the DMCA, and no penalty for filing a knowingly false claim. Platforms that remove in good faith are shielded from liability; platforms that refuse face statutory civil penalties scaled to each instance. The incentives point one direction.
The DMCA experience is instructive. Empirical studies of safe-harbor takedowns have repeatedly found that a meaningful fraction of notices target non-infringing content, with political speech and competitor criticism prominent among false claims. The Cato Institute's policy brief on TAKE IT DOWN notes that the new regime omits even the DMCA's modest counter-notice and perjury provisions, and predicts that "this takedown regime will likely be even more abused." Politicians could allege that a critical edit is nonconsensual; subjects of legitimate journalism could file to bury embarrassing footage. The 48-hour clock means platforms will lean on automated classifiers that the EFF has documented routinely misclassify satire, sex education, and reporting on the very crimes the Act addresses.
Encryption is the conspicuous unanswered question
The statute exempts email and curated services but does not explicitly exempt private messaging or encrypted storage. An open letter signed by the ACLU, EFF, Internet Society, Center for Democracy & Technology, the Tor Project and cryptographers including Phil Zimmermann warned Congress before passage that end-to-end encrypted providers cannot inspect content to remove "identical copies" — meaning compliance is technically impossible without breaking the encryption. The FTC's May 19 guidance does not resolve this. Signal, iMessage, WhatsApp and encrypted cloud-storage providers now face vague obligations enforced by an agency that has not committed to a non-circumvention safe harbor. Pushing providers to weaken encryption to demonstrate compliance would also harm NCII victims themselves, who disproportionately rely on encrypted channels to escape abusive partners and preserve evidence.
A more proportionate path
The right fix is narrow and largely textual. First, add an explicit carve-out for end-to-end encrypted services and zero-knowledge storage providers, mirroring the existing email exemption. Second, import the DMCA's counter-notice mechanism and § 512(f)-style liability for knowingly false takedown demands — both well-tested mechanisms that survived a quarter-century of platform-scale litigation. Third, scope hash-sharing obligations to images confirmed by NCMEC or StopNCII review rather than each platform's automated classifier, to avoid building a federally encouraged image database fed by unverified user claims.
None of those changes weaken the core entitlement victims now have: a one-page request, a 48-hour clock, and a federal regulator with a portal and a penalty schedule. They simply prevent the same machinery from becoming a censorship tool — and a credibility problem for an Act that, in its actual purpose, deserves to succeed.