The FTC Just Sent Warning Letters to Meta, Apple, Google, TikTok, and Eight Others—You Now Have 48 Hours to Remove Intimate Images or Pay $53,088 Per Violation

What Happened

On May 20, 2026, the Federal Trade Commission, under Chairman Andrew Ferguson, sent warning letters to twelve of the largest online platforms in the United States: Alphabet, Amazon, Apple, Automattic, Bumble, Discord, Match Group, Meta, Microsoft, Pinterest, Reddit, SmugMug, Snapchat, TikTok, and X. The letters notified the companies that the FTC believes they lack adequate processes for victims to request removal of non-consensual intimate imagery, in violation of the Take It Down Act (TIDA), which became enforceable that same day.

The maximum penalty per violation: $53,088. The maximum number of violations is not capped. For platforms with hundreds of thousands of pieces of relevant content, the theoretical exposure runs into hundreds of millions of dollars. Reporting at The Record noted that the warning is the FTC's first major enforcement action under the new statute.

What the Take It Down Act Requires

Congress passed the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes On Websites and Networks Act—the awkward backronym is real—and President Biden signed it in May 2025. The law gave platforms exactly one year to build compliance infrastructure before enforcement began on May 20, 2026. The substantive obligations:

• 48-hour removal. Once a victim submits a valid request, the platform has 48 hours to take the content down.
• Hashing technology to find duplicates. Removing one copy is not enough. The platform must hash the offending image or video and proactively scan for duplicate uploads.
• Hash sharing with two clearinghouses. For content depicting minors, platforms must share hashes with the National Center for Missing and Exploited Children (NCMEC). For adults, with StopNCII.org. This creates a shared denylist that all participating platforms can use.
• Prominent homepage notices. The TIDA removal process must be discoverable in a clear, visible location—not buried four clicks deep in a settings menu.
• Direct removal requests from individual posts. Every piece of content must have an explicit option to "request removal under TIDA."
• Tracking numbers. Each request receives a unique identifying number so the victim can check on it.

Platforms that fail any of these requirements face the $53,088-per-violation penalty.

Why the FTC Picked These 12

The warning letters were not random. Each of the named firms hosts user-generated content at a scale where TIDA compliance is meaningful. Meta and Alphabet are the two largest content platforms in the country. Apple, Google Play, and Microsoft each operate app stores and cloud storage where intimate imagery can be uploaded. TikTok, Snapchat, Discord, Reddit, Pinterest, X, and SmugMug all host user-uploaded media at scale. Bumble and Match Group operate the major dating platforms—targets for sextortion and non-consensual sharing. Automattic, the company behind WordPress.com, hosts millions of blogs.

Companies not on the list are not exempt from TIDA. They are simply not the FTC's first priority. Smaller platforms should read the warning letters as a preview of what is coming for them in the next enforcement wave.

What "Non-Consensual Intimate Imagery" Covers

TIDA covers both authentic intimate images shared without consent—what was previously called "revenge porn"—and AI generated deepfake content depicting a real person in intimate situations. The deepfake provision is the more legally consequential half. Before TIDA, victims of deepfake non consensual imagery had limited federal recourse. They could pursue state-law claims, copyright claims if their face was sourced from a copyrighted image, or defamation. None of those provided a fast removal mechanism. TIDA does.

The law's definitional details matter. The image or video must depict the victim either nude or engaged in sexual activity. It must have been shared without the victim's consent—either because consent was never given, or because the consent was for private sharing only. The platform must have a way for the victim to attest to non-consent. For deepfakes, the victim does not need to prove the image is fake; the FTC's interpretation is that consent applies to the depicted person regardless of whether the depiction is real.

Compliance Costs—and Compliance Mistakes

For large platforms with existing trust-and-safety operations, TIDA compliance is straightforward in principle and very expensive in practice. Each removal request requires human review (because automated systems make mistakes that can themselves be lawsuit-generating). The 48-hour window forces 24/7 staffing or a fully automated triage pipeline that escalates only the ambiguous cases. The hash-sharing infrastructure needs to be built once and maintained forever.

The deeper compliance risk is the opposite of under-removal. A platform that aggressively removes content based on TIDA claims without sufficient verification can be sued for wrongful removal by the original poster, especially if the content turns out to be legitimate journalism, art, or speech protected by the First Amendment. The 48-hour window favors over-removal. Platforms will need internal appeal processes to handle the inevitable mistakes.

Civil liberties groups have spent the past year warning that TIDA's compliance pressure will be used opportunistically to suppress lawful speech. Their concern is not theoretical—similar removal regimes in Germany (NetzDG) and the UK have generated documented over-removal. The FTC's enforcement posture will determine whether TIDA tips the same way.

The Broader 2026 Regulatory Picture

TIDA enforcement starts in a year when the FTC is already heavily active in privacy and content regulation. In the past four weeks alone, the agency has banned Kochava from selling location data, settled with OkCupid over facial recognition image transfers, and updated COPPA's children's privacy rules. The Department of Justice is also active, the FCC continues to pursue CPNI fines, and twenty states now have comprehensive privacy laws.

For compliance officers, the cumulative effect is a regulatory environment that requires building general infrastructure—data minimization, consent workflows, removal pipelines, hash sharing partnerships—rather than treating each statute as a discrete compliance project. The platforms named in the FTC's TIDA letter have all of this infrastructure to some degree. The question is whether it scales to the new statutory requirements.

What Victims Can Do Now

• Submit to StopNCII.org first. StopNCII generates a hash from the offending image and shares it with participating platforms, who then proactively block re-uploads. This works even before TIDA compliance pipelines are built.
• Use the platform's TIDA submission form. All twelve named platforms must publish one. If you cannot find it, the FTC wants to hear about that too.
• Keep your tracking number. The 48-hour clock starts when the platform receives the request, not when they acknowledge it. Document the timestamp.
• If the 48 hours pass without removal, file a complaint with the FTC. The agency is actively building the case file for enforcement.
• For minor victims, the Cyber Tipline at NCMEC remains the primary reporting path, separate from TIDA but parallel to it.

Why Email Matters in This Story

Sextortion campaigns—the major source of non-consensual intimate imagery threats today—almost always begin with email. The classic chain: a phishing or social engineering message extracts an intimate image from the victim, the attacker then threatens to distribute the image to the victim's contacts unless paid. Email tracking pixels are an active part of these campaigns; attackers use them to confirm the victim opened the threat, time follow up messages for maximum pressure, and gather IP-based location data to make the threat feel more menacing.

TIDA helps victims after the worst case happens. The earlier intervention—blocking the surveillance infrastructure that lets sextortion operators measure their leverage in the first place—is a problem TIDA does not solve. That is where blocking tracking pixels and limiting what an attacker can learn from a sent email starts to matter.