The spread of AI generated intimate imagery has turned what was already a serious online safety issue into a fast- moving platform governance problem. The Federal Trade Commission’s (FTC) latest stakeholder letter makes clear that covered platforms will be expected to have systems in place before enforcement begins. This week, the FTC sent a stakeholder letter to covered platforms signaling that the agency expects them to be ready by May 19, 2026, when Section 3 of the TAKE IT DOWN Act (TIDA) becomes enforceable. The letter emphasizes that platforms receiving a valid removal request must remove the reported intimate image or video, along with known identical copies, within 48 hours. The FTC also urges platforms to make requests easy to submit, including for people without platform accounts, and suggests request-level tracking so users, platforms, and law enforcement can identify the same takedown matter. The enforcement message is direct: TIDA violations will be treated as FTC rule violations and may carry civil penalties of up to $53,088 per violation.
TIDA applies to certain websites, online services, apps, and mobile applications that serve the public and primarily provide a forum for user-generated content, or that regularly publish, curate, host, or make available nonconsensual intimate depictions. It covers both authentic intimate visual depictions and “digital forgeries,” including AI-generated or technologically altered intimate images that appear indistinguishable from authentic depictions. Covered platforms must maintain a clear, conspicuous, plain-language notice-and-removal process that allows an identifiable individual, or an authorized representative, to request removal of nonconsensual intimate content.
Once a valid request is received, the platform must act as soon as possible and no later than 48 hours remove the content and make reasonable efforts to remove known identical copies. Forty-eight hours is not much time to verify a request, locate reported content, identify known identical copies, coordinate internal teams, and document the response. This means that covered platforms should act now, including mapping where covered content can appear, making reporting channels easy to find and use, assigning clear internal ownership, testing duplicate-detection tools, and deciding how request tracking, records, vendor support, and hashing will work in practice. Before the first 48-hour clock starts, the process should already be built, tested, and ready to run.
TIDA is another example of privacy, safety, and AI governance converging into concrete operational obligations. Companies should not treat this as a narrow content-moderation issue. Compliance may require intake workflows, identity and authorization checks, escalation paths, duplicate-detection capabilities, documentation, and defensible timing controls. Platforms should also assess whether hashing or similar tools can help prevent re-uploads, while accounting for the privacy, security, and retention risks that come with handling highly sensitive images. More broadly, regulators are signaling that user-safety obligations need to be built into product design, not handled only after complaints arrive. For companies in scope, the work now is to understand where this content can surface, align reporting channels, moderation tools, records, and vendor support, and make sure the response process works before the clock is running.
