The Enforcement Moment
In mid-June 2026, the U.S. Department of Justice and Department of Homeland Security seized two deepfake websites — CFAKE.com and SOCFAKE.com — in a coordinated operation with French and Italian law enforcement. A suspect was arrested in Nice on June 10; the domains fell on June 12, pursuant to a warrant from the U.S. District Court for the District of New Jersey. It was the first use of federal domain-seizure authority under the TAKE IT DOWN Act, the law signed by President Trump in May 2025 that criminalizes the publication of nonconsensual intimate imagery, real or AI-generated.
The seizures were the visible peak of a broader enforcement wave. By May 19, 2026 — exactly one year after the law's signing — the Federal Trade Commission had formalized its oversight role, launched a public complaint portal at TakeItDown.ftc.gov, and sent warning letters to fifteen major technology platforms, including Alphabet, Meta, Apple, Microsoft, TikTok, Snapchat, and X. The first criminal conviction under the law — James Strahler II, an Ohio man who used more than two dozen AI tools to fabricate explicit imagery of six adult neighbors — had already been entered on April 7, 2026. Taken together, these actions mark the first time the United States has operationalized a platform liability regime that deliberately routes around Section 230 immunity rather than rewriting it.
The Section 230 Architecture — and the Bypass
Section 230 of the Communications Decency Act (47 U.S.C. § 230) remains the bedrock of U.S. platform law. It immunizes online services from civil and state-law liability for user-generated content and has been interpreted broadly to block lawsuits holding platforms responsible for what their users post. Congress has long debated amending or repealing Section 230 — but those debates have repeatedly stalled, burdened by partisan grievances on both sides.
The TAKE IT DOWN Act (Pub. L. 119-12) found a different path. It does not mention Section 230. Instead, it imposes platform duties through two channels that Section 230 cannot easily touch. The first is criminal law, which Section 230 expressly does not preempt under 47 U.S.C. § 230(e)(1). The second is FTC enforcement under the unfair or deceptive acts or practices (UDAP) authority of Section 5 of the FTC Act. Non-compliance with the law's 48-hour content-removal requirement becomes an unfair or deceptive practice, carrying a civil penalty of $53,088 per violation. The FTC — not private victims, who have no direct cause of action under the statute — is the enforcement backstop.
This architecture echoes the logic of FOSTA-SESTA (2018), which carved an explicit exception into Section 230's text for sex-trafficking enforcement. The TAKE IT DOWN Act avoids that carve-out, betting instead that parallel statutory duties can be imposed without touching Section 230's language. Whether this bet holds is, as the University of Baltimore Law Review has noted, still unresolved: courts have not yet ruled on whether Section 230 bars FTC enforcement based on a platform's failure to remove specific content. That litigation is coming.
The Real Case for the Law
Before cataloguing the concerns, the law's rationale deserves honest engagement. AI-generated nonconsensual intimate imagery is not a hypothetical harm. The TAKE IT DOWN Act passed 409-2 in the House and unanimously in the Senate — not the signature of a narrow or partisan carve-out, but of a genuine legislative consensus that the patchwork of state laws had failed victims. The statute's origin story — a Texas high school where students fabricated explicit images of classmates using AI tools, with law enforcement initially powerless to act — illustrates a real and documented gap in federal law.
The DOJ's first enforcement target was not a low-level individual abuser but a website infrastructure producing and monetizing deepfake pornography of politicians, royalty, journalists, and athletes across multiple countries. The prosecution was internationally coordinated and targeted commercial infrastructure rather than isolated bad actors. Measured against that harm, a 48-hour removal window and FTC penalty authority are proportionate tools.
The Trade-offs That Remain Unresolved
The Electronic Frontier Foundation and Center for Democracy and Technology have raised the most substantive objections, and they deserve engagement. The law's removal trigger is drafted more broadly than its criminal prohibition: platforms face civil penalty exposure for content that may not meet the criminal standard. The 48-hour compliance window, extended to all "known identical copies," creates structural pressure to scan private communications — potentially including end-to-end encrypted messages — or to auto-remove content without human review. The EFF has specifically warned that providers of encrypted services may face notice obligations they cannot physically comply with without breaking encryption, creating incentives to abandon it entirely.
There is no DMCA-style counter-notice process. The statute includes no penalty for bad-faith takedown requests. Early content moderation research consistently shows that aggressive over-removal is the rational response to any regime where false negatives carry civil liability and false positives do not. The Regulatory Review has flagged the algorithmic censorship risk: a platform that removes a disputed image to avoid a $53,088 fine will not pause to verify the requester's claim.
The FTC's warning letter list — encompassing every major platform, from Reddit and Pinterest to Automattic and SmugMug — signals broad enforcement ambition. But with two Democratic FTC commissioners dismissed in early 2025, the Cyber Civil Rights Initiative has raised a legitimate concern about selective enforcement: whether platforms disfavored by the current administration will face scrutiny that more compliant or ideologically aligned ones do not. That concern is structural, not speculative.
What This Model Signals
The TAKE IT DOWN Act's enforcement architecture is a proof of concept for post-230 platform regulation: impose procedural obligations; attach civil penalty authority to non-compliance; use criminal law for the most egregious conduct; leave Section 230's text intact. The EU's Digital Services Act took a structurally similar approach — mandatory due-diligence obligations with regulatory enforcement rather than private liability. The United States is, under the TAKE IT DOWN Act, converging on that model for a narrow but high-salience content category.
Whether the model holds depends on litigation that has not yet materialized. If a major platform challenges FTC enforcement under a Section 230 defense, the outcome will determine whether Congress has actually built a durable workaround or merely deferred the confrontation. Until then, the June 2026 enforcement wave represents a real and consequential shift — not the death of Section 230, but the emergence of a regulatory strategy designed to make Section 230's scope less important than it once was.