The FTC has a narrow AI mandate. Chair Andrew Ferguson made that explicit before the Senate Commerce Committee on or around April 20, 2026, in testimony covered by both CyberScoop and JDSupra. The agency isn’t building a general AI regulatory apparatus. It’s enforcing one specific law, using existing authority, with a specific operational requirement.
That requirement: under the Take It Down Act, platforms must remove non-consensual AI-generated deepfakes within 48 hours of receiving a take-down notification, according to Ferguson’s testimony characterization. That’s the clock. May 2026 is reportedly when the FTC begins investigating platforms that miss it.
What the testimony established
Ferguson’s characterization of the FTC’s authority is worth sitting with. The agency’s AI enforcement power comes from Section 5 of the FTC Act, the deceptive and unfair practices standard that the FTC has applied to data privacy, advertising, and consumer protection for decades. It’s not a new power. It’s an existing enforcement tool being applied to a new category of harm.
According to JDSupra’s coverage of the testimony, Ferguson explicitly described the FTC as “not a general AI regulator.” That framing is significant. It means platform compliance teams shouldn’t read the Take It Down Act enforcement posture as a signal that the FTC is building toward broader AI rulemaking. The agency is doing exactly what the statute authorizes, no more.
Ferguson’s testimony also referenced a recent DOJ conviction under the Take It Down Act. That specific claim hasn’t been independently verified and should be understood as a reference made during testimony rather than a confirmed legal outcome.
Why it matters
The 48-hour clock is operational, not aspirational. It requires platforms to have detection systems capable of identifying flagged content, escalation paths that can process and act on take-down notices at speed, and record-keeping that can demonstrate compliance during an FTC investigation. None of that infrastructure can be built between a notice and a deadline.
For platforms that host user-generated content, social media, hosting services, content platforms, the question isn’t whether to comply. It’s whether current trust-and-safety operations can actually meet the 48-hour window at scale.
Context and precedent
The Take It Down Act represents a targeted US approach to a specific harm, rather than a comprehensive AI governance framework. That’s deliberate. US federal AI policy has consistently favored agency-specific enforcement using existing authorities over new horizontal legislation. The EU has taken the opposite approach, systemic risk classification, prospective obligations, and penalties across a broad range of AI applications. The FTC’s testimony signals the US is staying on its current path.
What to watch
May 2026 is the reported enforcement start date. Before that date, platforms should have their 48-hour removal workflows documented and tested. After it, any complaint that triggers an FTC investigation will be evaluated against whether the platform’s system actually worked. The investigation itself won’t be public immediately, but enforcement actions under Section 5 that result in consent decrees or civil penalties will be. The first publicized action under the Act will set expectations for the rest of the industry.
TJS synthesis
The FTC’s Take It Down Act posture is the clearest picture yet of what US AI enforcement looks like in practice: specific, authority-grounded, and operationally demanding even when jurisdictionally narrow. The 48-hour window isn’t a soft target. Platforms that treat it as aspirational are building toward enforcement exposure. The compliance work here is infrastructure, not paperwork.