Take It Down Act (TIDA) 2025: What Businesses Need to Know About NCII Compliance

The Take It Down Act (TIDA), signed into law in April 2025, is now fully operative. The law creates federal criminal liability for publishing non-consensual intimate imagery (NCII), including AI-generated synthetic content, and imposes mandatory takedown obligations on online platforms. This alert addresses the provisions most relevant to our clients. TIDA matters most to clients who have websites, especially those that allow user-generated content to be posted.

What Does the Take It Down Act Do?

TIDA makes it a federal crime to knowingly publish or threaten to publish intimate images of an identifiable person without their consent. Critically, the law covers both real photographs or videos and AI-generated or digitally altered depictions, including so-called deepfakes, that appear to depict an identifiable individual in an intimate context. The law contains two distinct tracks of obligation: criminal liability for individuals who publish or threaten to publish covered content, and a civil compliance regime for online platforms that host user-generated content.

TIDA Compliance Requirements for Online Platforms

Online platforms that host user-generated content must:

  1. Establish a clear, accessible mechanism through which any person may submit a takedown request for covered NCII.

  2. Remove reported content within 48 hours of receiving a valid request.

  3. Make reasonable efforts to identify and remove duplicates of the reported content across the platform.

  4. Retain records sufficient to demonstrate compliance.

Failure to comply exposes platforms to civil enforcement. The Federal Trade Commission has authority to treat non-compliance as an unfair or deceptive act or practice under Section 5 of the FTC Act, which carries substantial civil penalty exposure. Platforms that operate in good faith and maintain compliant reporting and removal processes receive a degree of safe harbor protection, but that protection is conditioned on actually building and operating the required infrastructure. The safe harbor provision is not automatic.

Sector-Specific TIDA Compliance Considerations

AI Governance and Generative AI Developers

TIDA is one of the first federal laws to explicitly address AI-generated intimate imagery by name. Organizations developing or deploying generative AI tools, including image generation models, video synthesis tools, face-swapping applications, and similar technologies, should assess whether their systems can be used to produce covered content and what safeguards exist to prevent that use.

While TIDA's criminal provisions target the person who publishes the content rather than the tool developer directly, developers face significant reputational, regulatory, and civil litigation risk where their tools are foreseeably misused. AI governance programs should address TIDA exposure through model use policies, output filtering, terms of service enforcement, and audit mechanisms. Investors and enterprise customers are increasingly treating NCII safeguards as a due diligence item.

Cybersecurity and Incident Response

Cybersecurity firms engaged in threat intelligence, dark web monitoring, or incident response may encounter NCII in the course of client engagements. TIDA does not create a blanket exception for security research, and firms should ensure that internal protocols address how such material is handled, documented, and escalated, including whether and how law enforcement referrals are made. Exposure to covered content in the course of legitimate security work should be addressed in engagement policies and training.

Data Privacy

TIDA intersects with existing data privacy frameworks in several important ways. Platforms subject to both TIDA and state privacy laws, particularly those covering sensitive data or biometric information, must coordinate takedown and deletion workflows carefully. A TIDA takedown request, for instance, may also trigger deletion rights under applicable state law. Privacy-by-design principles applied during platform development should now account for TIDA's reporting and removal infrastructure as a baseline requirement, not an afterthought.

Cannabis and Psychedelics

While this sector is not a primary target of TIDA's regulatory framework, operators running consumer-facing platforms, patient communities, or e-commerce environments with user-generated content functionality should confirm that their platforms either fall outside TIDA's scope or have compliant takedown mechanisms in place. The law's definition of "online platform" is broad.

TIDA Compliance: Recommended Next Steps for Organizations

Platforms hosting user-generated content should update their terms of use and audit existing content moderation and reporting infrastructure against TIDA's 48-hour removal requirement. AI developers and deployers should review acceptable use policies, output filtering capabilities, and terms of service to address NCII risk explicitly. Cybersecurity teams should update incident response and engagement protocols to address procedures for handling NCII discovered during security work. All entities with websites that can host user content should ensure relevant staff have been trained on TIDA obligations and internal escalation procedures.

Questions About TIDA Compliance?

Our attorneys advise clients at the intersection of emerging technology, content regulation, and evolving law. If you have questions about your organization's obligations under TIDA, or would like assistance assessing your platform's compliance posture, please contact your relationship attorney or reach out to our data privacy and AI governance teams.

This alert is provided for informational purposes only and does not constitute legal advice. Application of the Take It Down Act to specific facts and circumstances requires individualized legal analysis.

Did someone forward this to you? Stay in touch with the Rudick Law Group.
