AI Deepfakes and Your Rights: What to Do If Your Image or Voice Is Used Without Consent

What is a deepfake and why does it matter legally

A deepfake is AI-generated or AI-manipulated synthetic media — video, audio, or images — that depicts a real person doing or saying something they did not do or say, in a way that appears realistic. The technology has become dramatically more accessible since 2023, enabling the creation of convincing fake video, fake voice recordings, and fake intimate imagery using nothing more than a few reference photos and a widely available AI tool. The legal landscape has responded rapidly, particularly around the most harmful categories of deepfakes: non-consensual intimate imagery and politically deceptive content.

Two categories of deepfake harm are now addressed by law across most major jurisdictions. The first and most legislatively active is non-consensual intimate imagery (NCII) — AI-generated or AI-manipulated sexual or intimate images of a real person without their consent, sometimes called "deepfake porn." The second is election-related deepfakes — AI-generated content designed to deceive voters about candidates, often by depicting them saying things they never said.

United States — federal law as of 2025-2026

The United States now has its first federal law directly targeting AI-generated content. The TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act) was signed into law by President Trump on 19 May 2025 following near-unanimous congressional support (409-2 in the House). It is the first major federal statute addressing AI-generated harm to individuals.

The TAKE IT DOWN Act does two things. First, it makes it a federal crime to knowingly publish non-consensual intimate visual depictions — whether authentic or AI-generated — using an interactive computer service. Penalties are up to two years imprisonment for adult victims and up to three years where minors are depicted. Second, it requires covered platforms — websites and mobile applications that host user-generated content — to implement a notice-and-takedown process by 19 May 2026. Upon receiving a compliant takedown notice, platforms must remove the content within 48 hours and make reasonable efforts to remove known copies. The FTC oversees platform compliance; failure to comply constitutes an unfair or deceptive trade practice.

The DEFIANCE Act (Disrupt Explicit Forged Images and Non-Consensual Edits Act) passed the US Senate unanimously in January 2026. It creates a federal civil right of action allowing victims of non-consensual sexually explicit deepfakes to sue creators, distributors, and those who knowingly host such content. Statutory damages could reach $150,000 per violation, or $250,000 where linked to sexual assault, stalking, or harassment. As of May 2026, the Act was pending House approval.

At the state level, 47 states had enacted some form of deepfake-related legislation by mid-2025, primarily focused on intimate imagery and election content. Key state laws include: Tennessee's ELVIS Act (effective July 2024) establishing civil remedies for unauthorised AI use of a person's voice or likeness; New York's digital replica law requiring written consent and compensation for AI recreation of individuals; and numerous state criminal statutes for NCII.

European Union — EU AI Act and ePrivacy

In the EU, deepfake-related obligations operate through two frameworks. First, the EU AI Act's transparency obligations under Article 50 require that AI-generated or AI-manipulated content — including synthetic audio, video, images, and text — be labelled or watermarked to indicate it is AI-generated. This obligation applies from 2 August 2026 for new systems and from 2 December 2026 for watermarking of AI-generated content under the Omnibus agreement reached on 7 May 2026. AI-generated deepfake content that realistically depicts real people must carry disclosures. The EU AI Act Omnibus also adds a new prohibited practice (effective 2 December 2026): AI systems designed to generate non-consensual intimate imagery, including "nudifier" applications that strip clothing from images of real people.

Second, existing criminal law in EU member states addresses deepfake intimate imagery. Germany, France, the Netherlands, and others have criminal provisions covering non-consensual intimate image distribution that apply to AI-generated content. The EU's Digital Services Act requires platforms to implement effective notice-and-action mechanisms for illegal content, including deepfakes that constitute criminal offences under national law.

United Kingdom — Online Safety Act 2023

The UK Online Safety Act 2023, which came into full effect for regulated services in 2024, created a new criminal offence of sharing or threatening to share intimate images without consent — including AI-generated deepfake intimate imagery. Platforms regulated under the Act must implement systems to remove illegal content, including NCII and deepfakes, promptly upon notification. Failure to comply with Ofcom's enforcement actions can result in fines of up to £18 million or 10% of global annual turnover.

The UK's approach prioritises platform accountability over individual creator liability, though creating or sharing deepfake intimate imagery without consent is also a criminal offence at the individual level. Under the Online Safety Act's duty of care framework, platforms with user-generated content must take proactive steps to prevent illegal deepfake content from appearing, not merely respond to reports after the fact.

Australia — Criminal Code and Online Safety Act

In Australia, non-consensual sharing of intimate images — including AI-generated deepfakes — is criminalised under amendments to the Criminal Code Act 1995 and corresponding state and territory legislation. The Online Safety Act 2021 gives the eSafety Commissioner powers to require platforms to remove non-consensual intimate images, including deepfakes, with enforcement capabilities backed by civil penalties. The eSafety Commissioner has an adult cyber abuse scheme that individuals can use to request removal of harmful material.

What to do if you are a victim of a deepfake

If you discover a deepfake of you online — intimate, political, or reputational — the immediate steps across jurisdictions are similar. First, document the content: take screenshots with timestamps and URL records before requesting removal, as platforms may delete evidence when they remove content. Second, report to the platform directly using their reporting mechanism — under the TAKE IT DOWN Act in the US, covered platforms must respond within 48 hours; under the Online Safety Act in the UK, regulated platforms have equivalent obligations. Third, contact the relevant authority: in the US the FBI's Internet Crime Complaint Center (IC3) for federal criminal offences; in the UK Ofcom or the police; in Australia the eSafety Commissioner. Fourth, preserve evidence for potential civil action — particularly in the US where the DEFIANCE Act creates a federal civil right to sue for damages.