Skip to content
Magist
AnalyzeRegulationsVendorsCounselUpdatesCompareAbout
← All Controls

Non-consensual intimate imagery (NCII) takedown procedure

ncii-takedown-procedureDomain: content-moderationType: process

Description

The federal TAKE IT DOWN Act is the first US statute to impose a fixed takedown deadline for non-consensual intimate imagery on platforms that host user-generated content, and is also the first US statute to make explicit that the deadline applies equally to AI-generated synthetic intimate imagery as to photographic imagery. The deepfake provision is the part of the statute that closed the prior gap most prominent state laws had left open; pre-TAKE-IT-DOWN, a platform could decline a takedown request for synthetic NCII on the basis that the underlying content was not actually a recording of the depicted person, and that opacity was the operative loophole the statute foreclosed. The substantive rule has three parts that together set the operational shape. An accessible reporting mechanism that any user can invoke without an account, reachable from the platform's main interface rather than buried in a help center; the FTC's implementing guidance treats burial as a violation in its own right, on the theory that an inaccessible reporting surface is functionally equivalent to no reporting surface. Validation of the report, with the platform applying a documented review against the statutory definition rather than treating every claim as automatically true or automatically false. And removal of the content within 48 hours of a valid request, with the clock running from receipt of the report rather than from the conclusion of the review. Adjacent obligations attach when the imagery involves a minor, and the operational system has to handle the two pathways without conflating them. 18 U.S.C. Section 2258A requires independent reporting to the National Center for Missing and Exploited Children's CyberTipline when the platform obtains actual knowledge of apparent child sexual abuse material, on a faster clock (as soon as reasonably possible), with chain-of-custody preservation of the reported content for law enforcement. The CyberTipline pathway carries criminal-evidence preservation duties that the adult-NCII pathway does not, which means the routing decision at the moment of triage is consequential: a piece of imagery handled through the wrong pathway can either over-preserve content the operator has no statutory basis to retain or under-preserve content that should have been held for law enforcement. The cleanest operational pattern is two named queues with named on-call responders, plus a documented routing decision captured per report. The practical decomposition of a working procedure has five pieces. The user-facing reporting form, accessible from every content surface where intimate imagery could appear and from the main help center, with no account requirement and no rate limit on legitimate reports. The triage queue with named responders and documented decision criteria for the validation step; ambiguous reports get escalated rather than refused. The 48-hour SLA tracker that measures against the statute's clock rather than the operator's internal SLA, with breach alerts at the 24- and 36-hour marks. The minor-pathway escalation including the CyberTipline submission and the chain-of-custody preservation. And the recordkeeping that captures the report, the validation steps, the takedown action, and the timeline; the records defend against both the statute's enforcement actions and the private right of action that the statute creates for affected individuals. The hash-matching infrastructure offered by StopNCII.org (adult), the NCMEC Take It Down service (minors), and PhotoDNA (CSAM) does meaningful upstream work by detecting known imagery at upload time and blocking it before it surfaces on the platform at all. The hash-matching layer does not replace the takedown procedure, because the platform still receives reports of imagery the hashes have not yet captured (newly created content, especially AI-synthesized content that has not entered any reference corpus), but it materially reduces the volume of reports the takedown queue has to process. Most operators with substantive UGC volume run at least one hashing service alongside the reporting-and-takedown workflow.

Applicability

Applies when: business model role is intermediary or mixed AND features include ugc, social-features, ephemeral-content, synthetic-media, live-streaming, or file-sharing.

How predicates are evaluated

Required by (3 regulations)

  • Marco Civil

    Lei nº 12.965, de 23 de abril de 2014 (Marco Civil da Internet), regulated by Decreto nº 8.771, de 11 de maio de 2016

  • IT Rules 2021

    Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, issued under the Information Technology Act, 2000 (Act No. 21 of 2000), as amended by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023

  • TAKE IT DOWN

    TAKE IT DOWN Act §3-§4: 48-hour takedown of NCII (including AI-generated synthetic intimate imagery) on receipt of a valid request, accessible reporting mechanism, enhanced minor-involving protections, recordkeeping. Note: TAKE IT DOWN Act platform notice-and-removal obligations take effect 2026-05-19 (one-year implementation window from signing). Criminal prohibitions took effect on signing 2025-05-19. The 48-hour platform takedown requirement becomes operative 2026-05-19; until that date, ROSCA + Section 230 + state revenge-porn statutes are the operative framework for NCII removal.

    Pub. L. No. 119-xxx (TAKE IT DOWN Act of 2025)

    Source →

Fulfilled by (6)

  • stop-ncii · partial · low effort · $
    StopNCII.org (operated by SWGfL): adult-NCII hash-matching service that platforms can integrate to detect known intimate imagery at upload time.
  • take-it-down-ncmec · partial · low effort · $
    Take It Down (NCMEC): minors-NCII hash service for content depicting persons under 18 at the time of imagery.
  • photodna · partial · low effort · $
    Microsoft PhotoDNA hashes match known CSAM + can extend to NCII corpora; widely deployed across UGC platforms.
  • hive · partial · medium effort · $$
    Hive AI moderation classifiers cover NCII / CSAM / synthetic-imagery detection at scale.
  • thorn-safer · partial · medium effort · $$
    Thorn's Safer platform: CSAM detection + content moderation tooling that supports NCII workflows.
  • In-house build · high effort
    In-house implementation needs reporting form + ticketing + 48-hour SLA tracker + minor-account escalation + recordkeeping; most operators integrate at least one hashing service.

Magist does not accept payment from vendors. Methodology.

Evidence formats

  • user-facing NCII reporting mechanism (accessible from content surfaces + help center)
  • takedown request log with intake → action timestamps
  • 48-hour SLA compliance audit
  • minor-involved content escalation log + CyberTipline report receipts
  • synthetic-imagery (deepfake) detection + handling SOP

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Magist

Pre-launch regulatory analysis for product teams. Built by a lawyer, designed for PMs.

Tools

  • Analyze
  • Guided walkthrough
  • Vendors
  • Find counsel
  • Saved analyses

Reference

  • Scope by business model
  • Scope by jurisdiction
  • App ratings
  • Regulations
  • Compare regulations
  • Enforcement
  • Browse Controls
  • Vendor coverage
  • Radar
  • Pulse
  • Changelog
  • Guides
  • Regulatory updates
  • Open data
  • Corpus license
  • Ontology
  • State of Compliance

Solutions

  • For legal teams
  • For engineering
  • For executives
  • For law firms
  • For investors
  • For teams →

About

  • About Magist
  • Methodology
  • Editorial standards
  • Reviewers
  • Coverage status
  • Corrections
  • Trust
  • Coverage scope
  • How we handle data
  • Sub-processors
  • FAQ

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions. Operated by a Washington-licensed attorney. Not licensed in California or other US states. Magist provides legal information; consult a licensed attorney in your jurisdiction.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.

MethodologyLimitationsDisclosures

© 2026 Magist
TermsLicensePrivacySecurityLinkedIn