Non-consensual intimate imagery (NCII) victimization is now mainstream: according to the Cyber Civil Rights Initiative's 2017 nationwide study, 1 in 12 American adult social media users have been victims of NCII, and 1 in 8 have been targeted. In the UK, the Revenge Porn Helpline logged 22,275 reports in 2024 — a 20.9% jump in a single year and a forty-fold increase since 2015. Ninety percent of victims are women.
This guide is the practitioner workflow we use on the Shield operations floor: a five-stage process for removing NCII from the open web that combines the long-standing Digital Millennium Copyright Act (DMCA) section 512(c) takedown with the new federal baseline established by the TAKE IT DOWN Act (Pub. L. 119–12), which became effective May 19, 2025 and triggered the platform-compliance deadline on May 19, 2026. If you want the survivor-first version of this workflow — the human side, evidence preservation, mental-health scaffolding — see our companion piece, How to Remove Non-Consensual Intimate Images: A Step-by-Step Guide for Survivors.
Why the NCII takedown playbook changed in 2026
Three forces rewrote the playbook in the past 18 months:
- The TAKE IT DOWN Act moved NCII takedowns from a private contractual fight to a federal compliance problem. Platforms classified as covered platforms — public-facing user-generated-content sites — must remove NCII within 48 hours of a valid notice, and the FTC enforces it under § 5 of the FTC Act. Non-compliance is a deceptive practice. Read the statute summary.
- AI-generated NCII ("deepfakes") is now the dominant growth vector. Industry reporting places deepfake-related attacks at a nine-fold increase since 2023. The TAKE IT DOWN Act explicitly covers "digital forgeries" — AI-generated intimate imagery that appears to depict a real person.
- Hash-based proactive detection via StopNCII.org is now industry-standard. As of December 2025, sixteen platforms participate, including Meta (Facebook, Instagram), Reddit, OnlyFans, TikTok, Bumble, Bing, and Google. Submitting your reference images to a hash database prevents re-uploads before a takedown is necessary.
The legal stack you'll be working with
Most NCII cases draw on four overlapping legal authorities. The interaction matters — picking the wrong one loses you time.
1. 17 U.S.C. § 512(c) — the DMCA safe harbor
The workhorse. Hosts, search engines, and user-generated-content platforms receive a copyright liability shield in exchange for removing infringing material when given a valid notice. Almost every NCII image is also a copyrighted work (you took the photo, or the photographer assigned it to you), so a § 512(c) notice is almost always available. Required elements: identification of the work, identification of the infringing URL, contact info, a good-faith statement, a perjury-penalty signature.
2. State NCII criminal and civil statutes
All 50 states plus DC have some form of NCII law as of May 2025 (the last state, South Carolina, joined the union). Penalties range from misdemeanors (1 year) to felonies (5+ years). Most provide a private right of action with statutory damages. CCRI maintains a state-by-state tracker.
3. The TAKE IT DOWN Act (2025)
Federal criminalization of NCII publication (including digital forgeries), with 2-year prison sentences for adult-victim cases and 3-year sentences for minors. The headline compliance feature: covered platforms must remove NCII within 48 hours of a verified notice, or face FTC civil penalties. The first federal conviction under the Act was issued in April 2026 in Ohio.
4. Section 230 carve-outs and platform contracts
Section 230 of the Communications Decency Act does not shield platforms from federal criminal NCII liability after the 2025 amendments. This means platforms face real downstream exposure for failing to operate a notice-and-removal system.
The 5-stage NCII DMCA workflow
This is the structure we use to move NCII cases from "we found a leak" to "the URL is gone and not coming back." Each stage has measurable outputs.
Stage 1 — Reference
The case starts with one or more reference images: the original media you want to protect. Three things must happen before any takedown:
- Hash the reference set. Compute cryptographic and perceptual hashes (SHA-256, pHash, dHash, PhotoDNA where available) and store them in a private vault. These are what platform hash-matching systems consume. Shield does this on-device; the originals never leave a verified pipeline.
- Submit to StopNCII.org if you're an adult victim. StopNCII.org shares your hashes with 16 participating platforms, which then block re-uploads proactively. NCMEC's Take It Down service does the same for minors.
- Document chain of custody. Each custody handoff is a timestamped entry: who collected what, when, from which device, with which tool. This is what makes the evidence survive a counter-notice dispute.
Stage 2 — Locate
Find every public copy. This is more than a Google search:
- Reverse image search across Google Lens, TinEye, Yandex, Bing Visual Search, and per-platform search. Each engine indexes a different slice of the web; combining them typically finds 3–5× more hits than any single one.
- Username and persona searches on Telegram, Reddit, Discord, leak forums, and the major tube sites. Use Google dorking:
site:reddit.com "username",inurl:leak "username", etc. - Surface-web monitoring for re-upload detection — most programs fail because they only scan once.
- MHTML workspace capture for one-off URL preservation (a full pageload with all assets, useful for court).
A disclosure: this is precisely what Shield was built to do at scale — perceptual hashing, MHTML capture, continuous re-scan, and per-finding chain-of-custody packets.
Stage 3 — Notice
For every URL you find, send a notice. The recipients fall into three buckets:
- Covered platform (most social networks) — 48 hours under the TAKE IT DOWN Act.
- Host or registry (the server operator or domain registrar from a Whois lookup) — DMCA safe-harbor pressure.
- Search engine (Google, Bing) — separate notice to de-index surviving URLs and any cached copies.
Each notice is a different document because the legal regime and the recipient's compliance system are different. Send one notice per URL — bundling 50 URLs into a single notice is the most common mistake because most automated intake systems only honor the first URL.
Stage 4 — Takedown
Measured at the URL level: success rate, time-to-removal, and whether the URL is archived or replaced by a redirect.
| Platform category | Typical time-to-removal | DMCA success rate | Notes |
|---|---|---|---|
| Compliant social (Reddit, Instagram, X/Twitter) | 24–72 hours | 85–95% | Standardized notice forms; automated triage |
| Adult platforms (OnlyFans, Pornhub, Fansly) | 48 hours – 7 days | 70–90% | Own DMCA teams; copyright-protected user submissions |
| Forum / imageboard sites | 3–14 days | 60–75% | User-driven uploads; multi-notice often needed |
| Telegram & encrypted channels | Variable | 40–60% | Hash-based blocking works; chat content is harder |
| Foreign hosts (RU, CN, offshore) | Weeks – months | 20–40% | Pressure via payment processors is more effective than DMCA |
Source: aggregated data from Ceartas, DMCA.com, Rulta, and 2026 industry reports.
Stage 5 — Monitor
Removal without monitoring is temporary. Industry data shows 30–60% of removed NCII reappears within 90 days, typically on a different host or behind a slightly modified filename. The TAKE IT DOWN Act's "reasonable efforts to identify and remove any known identical copies" requirement is legally limited to exact copies — for re-cropped or color-altered re-uploads you still need perceptual hash matching.
Set up continuous re-scan of your reference set, alert on new surface-web matches, and treat every alert as a fresh Stage 1.
Step-by-step: filing a single DMCA notice that gets results
- Verify the URL is live and capture an MHTML or full-page screenshot with timestamp. Note user-agent, IP, and any identifying metadata the page exposes.
- Identify the most responsive recipient. For social platforms, use the in-platform reporting flow (Twitter/X "report intimate content," Meta's "intimate imagery" form). For sites without a takedown form, send DMCA notices to the host first — the host's safe harbor is contingent on action.
- Draft the notice with all six required § 512(c) elements: identity of the copyrighted work, identity of the infringing URL, contact info, good-faith statement, perjury statement, physical or electronic signature.
- File under penalty of perjury. Counter-notice abuse is real; courts take perjury-attested statements seriously.
- Log the notice in your case file: who received it, when, what URLs were included, what response came back.
- Escalate if no action within 7 days: send to the host again with the original notice attached, then to the upstream provider, then to the search engine.
Need this workflow run for you?
Shield automates the full pipeline — perceptual hashing, multi-platform reverse search, signed DMCA dispatch, and continuous re-scan — for survivors, advocates, agencies, and creators. See pricing → · Talk to operations →
Common pitfalls
Pitfall 1 — Bundling URLs into one notice
Most automated intake systems only honor the first URL. Ten notices for ten URLs beats one giant notice every time.
Pitfall 2 — Skipping chain of custody
Without timestamps and tool provenance, the uploader's counter-notice defeats the takedown. A complete custody packet is the difference between "URL removed" and "URL stayed down."
Pitfall 3 — Treating the 48-hour rule as universal
The TAKE IT DOWN Act applies to covered platforms. Hosts, registrars, and search engines have separate deadlines and procedures. Apply the right rule to the right recipient.
Pitfall 4 — Not filing a counter-notice response
If the uploader counter-notices, you have 10 business days to file a federal action to keep the content down. Most survivors don't know this; they assume the removal is permanent. It is not.
When to escalate to counsel
Bring in a lawyer when:
- The uploader counter-notices and you want the content to stay down.
- The operator is a repeat infringer generating high removal volumes.
- The case involves deepfake NCII of a minor — state mandatory-reporting rules apply.
- You need a court order (e.g., to unmask an anonymous uploader under § 512(h)).
- The platform's actions are insufficient and an FTC complaint or state-AG action would help.
How Shield fits into this workflow
Shield's stack maps 1:1 to the five-stage workflow above. Reference images are hashed on-device; the MHTML workspace captures full-page evidence with cryptographic timestamps; findings are organized by case; DMCA notices are dispatched with per-URL templates; and continuous re-scan monitors for re-uploads. We don't replace your advocate or your lawyer — we make the operations layer cheap enough to run at the scale NCII actually demands.
Frequently asked questions
How long does a DMCA takedown take after the TAKE IT DOWN Act?
For "covered platforms" (public-facing user-generated content sites — social networks, forums, image hosts), the federal deadline since May 19, 2026 is 48 hours from a valid written request. For traditional DMCA § 512(c) notices on hosts and registries that are not classified as covered platforms, the historical 10–14 business day average still applies, and compliant platforms (Pornhub, Reddit, Twitter/X, Instagram, OnlyFans) typically act within 24–72 hours.
Is filing a DMCA takedown free?
Yes. A 17 U.S.C. § 512(c) takedown notice is free to draft and send yourself. Many survivors and creators file these directly. Third-party takedown services charge anywhere from $0 (OnlyFans handles its own platform) to $300+/month for creator-protection agencies. The trade-off is your time and the per-notice accuracy — a malformed notice triggers a counter-notice and resets the clock.
Can the uploader counter-notice and put my images back up?
Possibly, yes. After a DMCA takedown the uploader has 10–14 business days to file a sworn counter-notice under § 512(g). If they do, the host must restore the content unless you file a federal lawsuit within 10 business days. This is why evidence preservation and chain-of-custody matter — without them you cannot meet the burden in court.
Does the TAKE IT DOWN Act apply to deepfakes?
Yes. The Act defines "digital forgery" as AI-generated intimate imagery that a reasonable person would believe depicts a real identifiable individual. Both real and AI-generated NCII are criminalized under federal law and subject to the 48-hour removal requirement on covered platforms.
What happens if the platform ignores my notice?
Under DMCA § 512(c), repeat infringer policies mean a platform that ignores valid notices loses its safe-harbor protection and becomes directly liable for copyright infringement. Under the TAKE IT DOWN Act, the FTC can treat non-compliance as an unfair or deceptive practice and pursue civil penalties. Practically, you escalate to the hosting provider and, if that fails, to the domain registrar — both of whom are responsive to legal pressure.