Two things happened in 2025 that together rewrote the deepfake NCII landscape: AI image generation became cheap and ubiquitous, and the TAKE IT DOWN Act (Pub. L. 119–12) became law. Industry data places deepfake-related attacks at a roughly nine-fold increase since 2023, and the U.S. federal response — for the first time — explicitly targets the production and publication of intimate forgeries of identifiable individuals.

This guide maps the new legal stack as it actually operates on May 19, 2026 (the day the platform-compliance provisions took effect) and walks through the practical playbook a victim, advocate, or creator uses to remove intimate deepfakes from the open web.

The federal regime: what the TAKE IT DOWN Act actually changed

The Act was signed by President Trump on May 19, 2025, following near-unanimous support (409-2 in the House, unanimous in the Senate). It amends Section 223 of the Communications Act of 1934 to create federal criminal liability for the knowing publication of "intimate visual depictions" — including AI-generated "digital forgeries" — and imposes a takedown obligation on covered platforms. Read the National Association of Attorneys General summary.

Three operative changes

  1. Criminalization of intimate-deepfake publication. The knowing publication of a "digital forgery" of an identifiable individual is a federal crime, with a sentence of up to 2 years for adult-victim cases and up to 3 years for minor-victim cases. Threatening to publish is itself criminal, even if no publication occurs.
  2. 48-hour platform removal. Covered platforms must establish a notice-and-removal process by May 19, 2026. On receiving a valid written request, the platform has 48 hours to remove the content and to take "reasonable efforts" to identify and remove identical copies.
  3. FTC enforcement. Non-compliance is a deceptive practice under § 5 of the FTC Act, enforceable by the FTC with civil penalties, injunctions, and consumer redress. The first round of formal warning letters to major platforms went out in April 2026.

What the Act does not do

  • It does not require platforms to monitor content proactively. The trigger is a valid notice.
  • It does not preempt stronger state laws — state NCII laws and state private rights of action continue to apply.
  • It does not create a private right of action against platforms. Victims still rely on DMCA copyright (where available) or state remedies for monetary damages.
  • It does not extend to non-intimate forgeries or to satire, parody, or matters of public concern (with carve-outs applying mainly to adult-victim cases).

State law: 46 states and counting

The DEA tracked 46 states with deepfake-NCII laws as of spring 2026, with state-by-state variation:

StateStatuteScopeNotes
CaliforniaSB 926, AB 1831, AB 2355Criminal + civilPolitical-deepfake disclosures; AI intimate imagery
TexasSB 365CriminalEffective 2024; broadly covers deepfake NCII
New YorkA02249 / § 50-eCivil + criminalEnhanced publicity rights including AI likeness
WashingtonHB 1205CriminalEffective July 27, 2025; "forged digital likeness"
PennsylvaniaAct 35 (SB 649)CriminalEffective September 5, 2025; satire carve-out
GeorgiaSB 9Criminal + civilPassed March 2025; comprehensive deepfake protections
TennesseeELVIS ActCriminal + civilVoice/likeness protections; AI replication covered
MinnesotaHF 1370CivilCivil damages for political deepfakes
FederalTAKE IT DOWN Act (Pub. L. 119–12)Criminal + administrativeFirst federal criminal statute covering NCII + digital forgeries

Source: stackcyber deepfake legislation tracker and Halock compliance summary. Always check your state's most-current statute before relying on this table.

The "reasonable person" standard for digital forgeries

The Act borrows the First-Amendment-friendly reasonable-person test from Wikipedia: TAKE IT DOWN Act: a depiction counts as a digital forgery if "a reasonable person would believe" it to be authentic. This avoids criminalizing obvious satire, cartoons, and clearly doctored material — but it also makes litigation fact-intensive. Evidence that the victim never appeared in the relevant setting, or that no photographic record of the depicted event exists, becomes central.

What counts as a "covered platform"

Social platforms, image hosts, content forums, hosting providers serving user-generated content, and similar services. The Act specifically excludes:

  • Broadband internet access providers.
  • Email providers.
  • Encrypted peer-to-peer messaging apps (Signal, Wire).
  • Apps whose primary purpose is non-user-generated editorial content with chat features.

Read more on the statute's scope.

The practical deepfake removal playbook

Step 1 — Collect evidence of the forgery

Three artifacts matter: the forged image/video (preserve an MHTML of the page or a full-page screenshot), a clear original that proves you were not depicted in the depicted setting, and chain-of-custody records for both. If you have an authentic photograph of you in the same setting that the forgery depicts, that is the strongest evidence — it makes the "reasonable person" standard directly testable.

Step 2 — File with the platform

For a covered platform, send the notice under the Act's takedown regime: identify the depiction, identify the URL, attest in writing that the depiction was created without consent, identify yourself (or your authorized agent). The platform has 48 hours to comply.

Step 3 — File a DMCA copyright notice in parallel

If the underlying work is also your copyrighted photograph (your face, your image), a DMCA § 512(c) notice addresses the same content under a different authority. The two channels are complementary.

Step 4 — Report to law enforcement

NCII publication including AI deepfakes is a federal crime since May 19, 2025. Report to:

  • Local police and your county district attorney (state criminal charges).
  • FBI's Internet Crime Complaint Center (ic3.gov) for federal prosecution.
  • FTC (reportfraud.ftc.gov) for platform non-compliance with the 48-hour rule.

Step 5 — File hash submissions to StopNCII.org

For deepfakes derived from an existing authentic image of you, that original image can be hashed and submitted to StopNCII.org. Coverage is keyed to perceptual hash of the source image, which means re-uploads of any obvious derivative are blocked. AI-generated imagery that does not closely hash-match an original is harder to detect — that is the current technical frontier.

Need help running the deepfake workflow?

Shield automates the full chain: reference capture, evidence preservation, federal/state notice drafting, platform dispatch under the 48-hour rule, and continuous hash scanning. Confidential intake →

What the 48-hour rule actually looks like in practice

Between May 19 and July 1, 2026 — roughly six weeks of platform-compliance deadlines — major covered platforms had to publish their notice-and-removal procedures, train intake moderators on the new regime, and integrate the FBI / FTC reporting pathways. Morgan Lewis's compliance analysis tracks the leading patterns. In practice, the rule looks like:

  • Submit through the platform's existing "report intimate content" or similar trust-and-safety form; many platforms added a TAKE IT DOWN-specific intake in May 2026.
  • The platform has 48 hours from valid notice to remove and to make reasonable efforts to remove identical copies.
  • Failure escalates to FTC enforcement (deceptive practice under § 5) and may give rise to state-AG investigations.

The remaining gaps

Three unresolved issues as of May 2026:

  1. AI variants that don't close-hash-match an original. If a deepfake is generated from a textual prompt with no source image, perceptual hash matching against the victim's existing images does not catch it. Detection requires model-based deepfake classifiers, which are less reliable than hash matching.
  2. Cross-border enforcement. Generative platforms and hosts outside the U.S. are outside the Act's jurisdictional reach. The EU Directive 2024/1385 aims to close this gap by June 14, 2027 (transposition deadline).
  3. Platform safe harbor for good-faith removals. The Act includes a safe harbor for platforms that remove content under a good-faith belief — this may disincentivize aggressive enforcement in ambiguous cases.

What Shield does for deepfake-NCII cases

Shield's case pipeline covers both halves of the workflow: chain-of-custody preserved evidence (critical for the "reasonable person" standard), federal takedown under the TAKE IT DOWN regime, parallel DMCA for the underlying work, state-law escalation where applicable, and FTC complaints on platform non-compliance. Our survivors workflow maps the personal experience; this piece maps the legal stack it runs on.


Frequently asked questions

Is creating an AI deepfake NCII image of me a federal crime in 2026?

Yes. The TAKE IT DOWN Act (Pub. L. 119–12, signed May 19, 2025, enforcement active from May 19, 2026) makes it a federal crime to knowingly publish NCII — including a "digital forgery" — of an identifiable individual when intended or reasonably causing harm. Prison terms: up to 2 years for adult victims, up to 3 years for minors. The first federal conviction under the Act was issued in April 2026 (Ohio).

What is a "digital forgery" exactly?

Under the Act, a digital forgery is intimate visual depiction (image or video) that was created or altered using software (including AI) such that it would reasonably appear to a viewer to be authentic. The "reasonable person" standard is the operative test. The Act excludes non-intimate forgeries and de minimis doctored imagery — the focus is on content meeting the NCII definition under 47 U.S.C. § 223(h)(2).

Does the law require platforms to remove AI deepfakes proactively?

No, not proactive monitoring. The TAKE IT DOWN Act is a notice-and-takedown regime: once a covered platform receives a valid written request, it has 48 hours to remove the content and take "reasonable efforts" to identify and remove identical copies. Proactive monitoring by platforms is a contractual / industry norm (StopNCII.org participation, hash matching) rather than a federal mandate under this Act.

What platforms are considered "covered"?

Public-facing websites, online services, or mobile applications that primarily provide a forum for user-generated content — social networks, image hosts, forums, blogs that take comments. The Act explicitly excludes broadband ISPs, email providers, encrypted peer-to-peer comms (Signal), and apps that publish preselected editorial content with limited user-comment features.

My deepfake was made of me as a minor. Does the Act apply differently?

Yes. For minors the Act carries stricter penalties (up to 3 years vs. 2 for adults), and the public-concern/voluntary-exposure exceptions available for adult victims do not apply. CSAM is separately criminalized under 18 U.S.C. § 2252 and § 2252A and reported via NCMEC CyberTipline (report.cybertip.org).

Does the Act give me a private right of action (a civil lawsuit)?

The TAKE IT DOWN Act itself does not create a private right of action against platforms (only FTC enforcement). However, many states — including New York — do provide a private right of action for NCII and digital forgeries. The proposed DEFIANCE Act (reintroduced after May 2025) would add federal civil damages; the Senate passed it in January 2026.

Shield Editorial
NCII Response Team

Practitioners on the Shield operations floor writing from real DMCA filings, reverse-image searches, and chain-of-custody cases. Content reviewed by counsel before publication.