
Recent legislation aims to limit the spread of non-consensual intimate images, but its reach has limits.
Originally designed to exempt internet service providers from publisher and distributor liability and protect certain forms of content moderation, Section 230 of the Communications Decency Act has been under siege for decades. This tension culminated in the May 2025 enactment of the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act, commonly known as the TAKE IT DOWN Act, designed to protect victims’ non-consensual intimate images from spreading online.
Although Section 230 historically fostered internet growth, critics contend it shields both good and “bad Samaritans” from liability. Recent reform attempts have followed three trends. Some reforms focus on narrowing immunity, such as the Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA) and Stop Enabling Sex Traffickers Act (SESTA)—statutes that amend Section 230 and aim to hold platforms criminally liable for facilitating sex trafficking. Others try “sunsetting” Section 230 entirely. Still others shift toward procedural compliance, and the TAKE IT DOWN Act would adopt this last approach.
This structural approach is especially critical in the context of privacy protection. Both authentic and fake non-consensual intimate images circulating online have catastrophic effects on a victim’s private life and cause severe psychological harm. Scholars, such as Danielle Keats Citron, have long advocated criminalizing the spread of non-consensual intimate images and reforming Section 230 to incentivize internet service providers to take action. As of October 2025, nearly every state has criminalized non-consensual intimate images. Content generated using artificial intelligence (AI), however, has proliferated on the internet at an alarming rate, and existing privacy-based laws cannot regulate synthetic images. Even with state-level legislation, jurisdictional obstacles across states and the shield of Section 230 still undermine the effectiveness of existing legislation on non-consensual intimate images. Consequently, there is an urgent case for federal-level legislation of non-consensual intimate images.
To address these gaps, the TAKE IT DOWN Act would introduce two critical regulatory interventions.
The first would be the federal criminalization of the online spread of non-consensual intimate images. Because privacy protection is inherently contextual, reasonable privacy expectations depend on the nature of the social relationships at issue. Consent in one scenario does not automatically extend to others. In the case of intimate or nude images, the consent given within a trustful and intimate relationship does not imply consent for use outside that relationship. As a result, although offenses involving authentic intimate visual depictions are evaluated not in terms of “consent” but rather “reasonable expectation of privacy,” this framework can be interpreted as protecting victims even when they initially consented to the creation of the intimate visual material. Their reasonable privacy expectations protect them from expanding consent to uploading or public spread of the visual depictions. Violations of the TAKE IT DOWN Act by spreading non-consensual intimate images could result in imprisonment of up to two years or up to three years if minors are involved.
The second would be the introduction of a “notice-and-takedown” mechanism for platforms. The Act provides that, within one year, covered online platforms would have to establish a process whereby an identifiable individual may notify and ask for removal, much as the Digital Millennium Copyright Act (DMCA) requires. After receiving a valid removal request, the platforms must delete the intimate visual depiction and make reasonable efforts to identify and remove any known identical copies of such depiction within 48 hours.
A recent amendment to the Crime and Policing Bill in the United Kingdom also orders platforms to take action within 48 hours. As James Grimmelmann of Cornell Law School has observed, “this development is not entirely surprising,” as notice-and-takedown mechanisms have been used for lots of non-copyright claims to get platforms’ attention. Unlike FOSTA and SESTA, which act as a carve-out from Section 230, noncompliance with the TAKE IT DOWN Act would constitute an unfair or deceptive practice under the Federal Trade Commission Act. Instead of directly narrowing Section 230’s scope, the TAKE IT DOWN Act would primarily impose compliance requirements as a “structural regulation” that uses content-neutral frameworks like privacy law to circumvent constitutional challenge.
Although the TAKE IT DOWN Act would represent a step in the right direction, it still suffers from vagueness and loopholes that undermine its effectiveness. One loophole would lie in the definition of platforms covered by the Act. Concerning the spread of non-consensual intimate images, the TAKE IT DOWN Act would exempt “a person who possesses or publishes an intimate visual depiction of himself or herself.” The exception is perhaps intended to protect the publishers themselves as victims, but it may nonetheless shield bad-faith actors from criminal liability, particularly in cases arising in an intimate relationship where the distinction between victim and offender is contested. Moreover, the selective scope of covered platforms would risk both over-inclusiveness by burdening low-risk entities, such as non-profit organizations, and under-inclusiveness by leaving potentially harmful preselected-content platforms outside the regulatory ambit.
In addition, victims may suffer secondary victimization under the TAKE IT DOWN Act—additional harm caused by potential privacy leakage through the victim’s complaint. Consider Instagram’s practice that allows victimized users to document and report an Instagram post anonymously. Victims without an Instagram account can report with the help of a friend. Although identifiable information is still required, it is unclear how information security is safeguarded and whether such complaints would expose victims to secondary victimization.
Furthermore, the TAKE IT DOWN Act would lack sufficient safeguards against abuse. Platforms would have to take action against non-consensual intimate images as “good Samaritans” while heightened legal exposure prompts platforms to over-censor the alleged content. Platforms would face a dilemma: enforcement by the U.S. Federal Trade Commission (FTC) as “new common law”—where the FTC shapes industry standards through enforcement actions rather than formal rulemaking—for delayed deletion versus immunity for “good faith” over-removal. Internet service providers will be held liable for information publication rather than information removal. As a result, they have a strong institutional incentive to remove the content based on the notices, a trend exacerbated by algorithmic false positives.
The over-removal is compounded by the lack of liability for demonstrably fraudulent notices. Unlike with the DMCA, the absence of a counter-notice mechanism in the TAKE IT DOWN Act may be a deliberate systemic design choice to prevent secondary victimization. Nonetheless, it will undoubtedly be exploited by bad-faith complainants to attack legitimate usage.
The TAKE IT DOWN Act would represent a strategic, albeit imperfect, development in platform governance. The ultimate success of the Act relies on robust safeguards for free speech while protecting privacy. Only time will tell whether such a notice-and-takedown mechanism will effectively provide adequate justice or instead add insult to injury. It remains to be seen whether such legislation will establish a precedent for future legislation that attempts to regulate content without triggering Section 230 reform or scrutiny under the U.S. Constitution’s First Amendment.



