Are Deepfakes Illegal? State and Federal Laws Explained (2026)
May 14, 2026
Last Updated: May 13, 2026
Deepfake legislation has expanded rapidly across the United States, with 46 states having enacted laws targeting AI-generated synthetic media as of spring 2026. The regulatory landscape addresses two primary concerns: election manipulation through deceptive political content and non-consensual intimate imagery (NCII).
The federal TAKE IT DOWN Act, signed into law in May 2025, provides the first nationwide framework for addressing intimate deepfakes, with platform compliance requirements now in effect as of May 19, 2026. States continue to lead on election-related restrictions, with 30 states now having enacted those protections ahead of the 2026 midterms.
This tracker provides an overview of deepfake legislation at both federal and state levels, organized by category and compliance requirements.
Learn more about deepfake detection on our blog.
Federal Law: TAKE IT DOWN Act
President Trump signed the TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act) on May 19, 2025, following near-unanimous congressional support (409-2 in the House, unanimous in the Senate). The law represents the first major federal response to AI-generated intimate imagery.
Provisions
Criminal Prohibition: The law makes it a federal crime to knowingly publish or threaten to publish non-consensual intimate imagery using an interactive computer service, regardless of whether the content is authentic or AI-generated. Penalties include up to two years imprisonment for adult victims and up to three years for minors. The first conviction under the law came in April 2026, when an Ohio man was convicted for using AI to create and distribute NCII targeting adults and children in his community.
Platform Requirements: Covered platforms were required to implement a notice-and-takedown process by May 19, 2026. Upon receiving a valid takedown request, platforms must remove the content within 48 hours and make reasonable efforts to remove known copies. A "covered platform" includes any website, online service, or mobile application that provides a forum for user-generated content or regularly deals with intimate imagery as part of its business.
Enforcement: The Federal Trade Commission oversees platform compliance. Violations are treated as unfair or deceptive trade practices under the FTC Act, with civil penalties of up to $53,088 per violation. In advance of the May 2026 deadline, FTC Chairman Andrew Ferguson sent formal warning letters to more than a dozen major platforms, including Meta, Apple, Microsoft, TikTok, Reddit, Snapchat, and X, signaling the agency's intent to actively investigate and enforce the law.
Consent Clarification: The law explicitly states that prior consent to create an image or share it with another person does not constitute consent for publication.
First Amendment Concerns
Several civil liberties groups, including the Electronic Frontier Foundation and the Center for Democracy & Technology, have raised concerns about the law's vague language and potential for abuse. Critics note the takedown mechanism could be exploited by bad-faith actors to remove legitimate content, similar to problems observed with Digital Millennium Copyright Act (DMCA) enforcement. The law requires takedown requesters to act in "good faith" but provides limited mechanisms to challenge improper requests. Enacted in 1998, the DMCA provides a framework for copyright holders to protect their works from unauthorized use online.
Election Deepfakes by State
As of May 2026, 30 states have enacted laws specifically addressing deepfakes in political communications, up from 28 at the start of the year. Most laws focus on disclosure requirements rather than outright bans, requiring political advertisements containing AI-generated content to include clear disclaimers. Typical requirements include statements such as "This ad was generated or substantially altered using artificial intelligence."
California's AB 2839, enacted in September 2024, faced immediate legal challenges. A federal judge struck down portions of the law in August 2025, finding that key provisions conflicted with Section 230 of the Communications Decency Act and were likely unconstitutional under the First Amendment. Minnesota's similar law has also been challenged by X (formerly Twitter), with early rulings suggesting courts remain skeptical of sweeping prohibitions on political deepfakes.
States With Election Deepfake Laws
| State | Law | Enacted | Key Requirements |
|---|---|---|---|
| Alabama | HB 172 | May 2024 | Prohibits deceptive political synthetic media during campaign periods |
| Arizona | HB 2394, SB 1359 | May 2024 | Disclosure requirements for AI-generated election content |
| California | AB 2355, AB 2839 | Sept. 2024 | Disclaimer requirements; portions struck down Aug. 2025 |
| Colorado | HB 1147 | May 2024 | Disclosure requirements for synthetic media in campaigns |
| Delaware | HB 316 | Oct. 2024 | Labeling requirements for AI political content |
| Florida | HB 919 | April 2024 | Disclosure requirements for political deepfakes |
| Hawaii | SB 2687 | July 2024 | Broad enforcement standing including local prosecutors |
| Idaho | HB 664 | March 2024 | Disclosure requirements for AI election communications |
| Indiana | HB 1133 | March 2024 | Transparency requirements for synthetic media |
| Kentucky | SB 4 | March 2025 | Disclosure and civil/criminal penalties |
| Maryland | 2026 law | 2026 | Disclosure requirements; 30th state to enact election deepfake protections |
| Michigan | HB 5144 | Nov. 2023 | Early adopter with disclosure requirements |
| Minnesota | HF 1370, HF 4772 | May 2023/2024 | Prohibits misleading deepfakes; under legal challenge |
| Mississippi | SB 2577 | April 2024 | Disclosure requirements for election deepfakes |
| Montana | SB 25 | 2025 | Injunction, civil fines ($500), criminal referral for repeat offenders |
| New Mexico | HB 182 | 2024 | Disclosure requirements |
| South Dakota | 2025 law | 2025 | Disclosure requirements for 2026 midterms |
| Texas | SB 751 | 2023 | Early adopter; prohibits deceptive political deepfakes |
| Utah | SB 131 | 2024 | Disclosure requirements |
| Washington | SB 5152 | 2023 | Early adopter; disclosure requirements |
| Wisconsin | 2024 law | 2024 | Disclosure requirements |
Note: This table includes major enacted laws. Additional states have pending legislation or laws addressing related issues. Visit Public Citizen's tracker for real-time updates.
Non-Consensual Intimate Imagery (NCII)
As of early 2026, 46 states have enacted laws addressing sexually explicit deepfakes. All 50 states and the District of Columbia have some form of NCII protection, though many older laws were written before AI-generated content became prevalent and may not explicitly cover synthetic media.
The federal TAKE IT DOWN Act now provides a nationwide baseline, but state laws often provide additional remedies including civil causes of action that allow victims to sue for damages.
State NCII Deepfake Laws
| State | Law | Criminal/Civil | Key Features |
|---|---|---|---|
| Alabama | HB 161 | Criminal | Clarifies AI-generated content falls within privacy-harm framework |
| California | SB 926, AB 1831 | Both | Civil remedies and criminal penalties; specific AI provisions |
| Georgia | SB 9 | Both | Passed March 2025; comprehensive deepfake protections |
| New Jersey | April 2025 law | Both | Third-degree crime; up to $30,000 fine; civil damages |
| New York | A02249 | Civil | Enhanced publicity rights; registration requirements |
| Oklahoma | HB 1364 | Criminal | Strengthened penalties for synthetic intimate content |
| Oregon | HB 2299 | Criminal | Unlawful dissemination of synthetic intimate imagery |
| Pennsylvania | Act 35 (SB 649) | Criminal | Effective Sept. 2025; misdemeanor to felony; satire carve-out |
| Tennessee | ELVIS Act | Both | Voice/likeness protections; applies to AI replication |
| Washington | HB 1205 | Criminal | Effective July 2025; "forged digital likeness" prohibition |
Note: This table highlights select state laws with explicit AI/deepfake provisions. Most states have general NCII laws that may also apply. Visit Public Citizen's intimate deepfakes tracker for comprehensive coverage.
Right of Publicity and Voice Protection
Several states have expanded traditional right of publicity laws to address AI-generated content. Tennessee's ELVIS Act (Ensuring Likeness Voice and Image Security Act), enacted in 2024, specifically prohibits using AI to mimic a person's voice without permission. New York's 2025 legislation added new civil remedies and registration requirements for protecting individuals from unauthorized AI replication.
These laws are particularly relevant for entertainment industry concerns about AI replication of performers' voices and likenesses, but they also provide broader protections against fraud and identity theft using synthetic media.
Federal Preemption Debate
Congressional Republicans attempted to insert a 10-year moratorium on state AI regulation into the "One Big Beautiful Bill" budget reconciliation package in 2025. The House passed the provision in May 2025, but the Senate voted 99-1 to strip it from the bill before President Trump signed the legislation on July 4, 2025. The moratorium drew opposition from a bipartisan coalition of 40 state attorneys general and 17 Republican governors, as well as 260 state legislators who argued states needed to retain authority to protect constituents from AI-related harms.
Federal preemption efforts have not ended, however. Late 2025 saw congressional Republicans consider adding a moratorium to the National Defense Authorization Act for 2026, though it was ultimately not included. President Trump's December 2025 executive order on AI directs federal agencies to challenge state AI laws deemed to impede a "minimally burdensome national standard." These efforts face ongoing legal challenges and create compliance uncertainty for businesses operating across state lines.
With the moratorium off the table for now, states retain full authority to regulate AI and synthetic media. More than 1,000 state AI bills were introduced in 2025 alone, and that pace has continued into 2026 legislative sessions.
What to Watch in 2026
The 2026 midterm elections are pushing election deepfake legislation into high gear. Maryland's recent enactment made it the 30th state with election deepfake protections, and additional states are advancing bills ahead of November. With AI tools capable of producing convincing synthetic media in minutes, lawmakers on both sides of the aisle have treated election integrity as the clearest case for action.
On the NCII side, the legal focus is shifting from individual creators and distributors to the platforms and infrastructure that enable deepfake production at scale. Expect 2026 and 2027 legislation to target generative AI platforms, payment processors, and hosting services that facilitate the creation or distribution of non-consensual synthetic content.
FTC enforcement of the TAKE IT DOWN Act is also new territory to watch. The agency's posture going into the May 2026 compliance deadline was aggressive, with formal warning letters to major platforms and a stated willingness to pursue civil penalties. How the FTC handles its first enforcement actions will shape how platforms across the industry size their compliance obligations.
Business Compliance Considerations
For Online Platforms
TAKE IT DOWN Act Compliance (in effect May 2026): Implement a notice-and-takedown process for NCII. Create clear reporting mechanisms for users. Establish 48-hour removal workflows. Document good-faith compliance efforts. Provide conspicuous notice of the removal process. Consider using hashing technology to prevent reappearance of removed content, and share hashes with NCMEC's Take It Down service for content involving minors and StopNCII.org for adult victims.
For Political Advertisers and Campaigns
Disclosure Requirements: Inventory all AI-generated or AI-modified content. Add required disclaimers to political communications. Track state-specific timeframes (typically 60-90 days before elections). Train staff on synthetic media identification and labeling. Document compliance efforts. With 30 states now carrying election deepfake laws into the 2026 midterms, multi-state campaign operations should conduct a state-by-state disclosure audit.
For All Companies
Deepfake Detection: Implement detection tools for synthetic media targeting employees or executives. Train staff to recognize deepfake audio and video in business communications. Establish verification protocols for high-value transactions or sensitive requests. Consider voice authentication safeguards for wire transfers and similar approvals.
Vendor Assessment: Evaluate AI vendors' compliance with applicable deepfake laws. Review contracts for liability allocation related to synthetic media. Assess content moderation practices for user-generated platforms.
Key Dates
| Date | Event |
|---|---|
| May 19, 2025 | TAKE IT DOWN Act signed; criminal provisions effective immediately |
| July 4, 2025 | One Big Beautiful Bill signed without AI moratorium; states retain regulatory authority |
| July 27, 2025 | Washington HB 1205 takes effect |
| Sept. 5, 2025 | Pennsylvania Act 35 (deepfake) effective |
| April 2026 | First criminal conviction under TAKE IT DOWN Act (Ohio) |
| May 19, 2026 | TAKE IT DOWN Act platform compliance deadline; FTC enforcement now active |
| Nov. 2026 | 2026 midterm elections; state election deepfake disclosure laws in effect across 30 states |
Leading Deepfake Detection Platforms
Understanding the law is only half the equation. Businesses also need the tools to detect deepfakes before they cause harm. No single platform covers every threat vector, so the right choice depends on where your exposure is greatest.
Most deepfakes are created using one of two AI architectures: generative adversarial networks (GANs), which pit two competing neural networks against each other to produce increasingly realistic synthetic output, or diffusion models, which gradually refine random noise into photorealistic imagery or video. Detection platforms fight back using several complementary methods. Convolutional neural networks (CNNs) are trained on millions of real and synthetic media samples to catch pixel-level artifacts invisible to the human eye. Biometric liveness checks use challenge-response tests, 3D depth sensing, and micro-expression analysis to verify that a live person, not a rendered face, is present during a video call. Forensic metadata analysis examines compression artifacts, noise patterns, and device signatures that synthetic content typically fails to replicate accurately. The Coalition for Content Provenance and Authenticity (C2PA) standard takes a different approach: cryptographic provenance metadata embedded at creation time creates a verifiable chain of custody so platforms can confirm whether content has been altered since it was captured. Here is a current look at the leading platforms putting these methods into practice.
Reality Defender is the most widely cited enterprise platform for multi-modal detection. It identifies synthetic media in real time across video calls, audio, images, and text, and integrates directly into tools like Zoom and Microsoft Teams. Best suited for enterprises that need live meeting protection and executive communication security.
Pindrop Pulse specializes in audio deepfake detection for call centers and financial institutions. It analyzes acoustic patterns and voice authenticity in real time, catching synthetic speech before a fraudulent transaction can be authorized. If your primary exposure is phone-based impersonation, this is the category leader.
Sensity AI takes a forensic threat intelligence approach, using multi-layer CNN analysis and forensic metadata examination to identify manipulated media. It monitors platforms and networks for synthetic content and provides detailed reports with heat maps showing exactly where manipulation occurred. Well suited for KYC workflows, investigations, and trust and safety teams.
CloudSEK XVigil embeds deepfake detection inside a broader threat intelligence platform. It correlates suspicious synthetic media with fake profiles, impersonation campaigns, and dark web activity, giving SOC teams the context to act on alerts rather than just flag them.
iProov focuses on biometric liveness verification with injection attack detection, meaning it catches synthetic video piped directly into a verification SDK rather than just uploaded files. Its challenge-response system uses 3D depth analysis and texture examination to confirm a live person is present. Particularly relevant for regulated industries where identity verification is a compliance requirement.
HyperVerge is built for fintech onboarding and KYC compliance, with strong detection of face swaps and synthetic documents at sub-second speeds. It is a natural fit for financial services firms dealing with surging synthetic identity fraud.
Hive Moderation provides high-volume content moderation with deepfake detection built in. If your business runs a platform with user-generated content, even limited upload or comment features, Hive handles detection at the scale those environments require.
Resemble AI Detect is built by a voice synthesis company, which means its detection model is trained against some of the most sophisticated voice cloning available. It is focused exclusively on audio and is a strong choice for businesses looking to add a dedicated voice layer to an existing security stack.
Intel FakeCatcher uses physiological signal detection rather than GAN artifact analysis, examining blood flow patterns in video frames to determine liveness. That approach is more durable as generative AI improves at eliminating visual artifacts. It supports C2PA content provenance verification and is best suited for broadcasters and media firms running at data-center scale on Intel infrastructure.
Netarx, a STACK Cybersecurity partner, helps enterprises design and deploy deepfake defense programs that span multiple detection tools, policies, and verification workflows. Rather than a single platform, Netarx provides the strategic layer that ties detection technology to your incident response and compliance posture.
One honest caveat for any deployment: detection accuracy varies significantly by content type and generation method. As GAN and diffusion model outputs improve at eliminating the artifacts CNNs are trained to find, novel deepfake techniques can temporarily outpace detection models until they are retrained. No single tool is a complete solution. The most effective approach combines automated detection with out-of-band verification protocols for high-stakes decisions like wire transfers, vendor changes, and executive authorizations.
Free Download
Deepfake Compliance Checklist
TAKE IT DOWN Act requirements, 30-state election disclosure obligations, and internal controls for every business type.
For guidance on detecting deepfakes in your enterprise, see our Deepfake Detection Guide. If your business wants to understand its exposure or build stronger defenses, email info@stackcyber.com or call (734) 744-5300.