$35M for Billing, a Letter for Revenge Porn

Introduction

On May 13, 2026, the Federal Trade Commission's Bureau of Consumer Protection got Shutterstock to pay $35 million for making subscriptions hard to cancel. Six days later, the same bureau began enforcing the TAKE IT DOWN Act, the law that gives platforms 48 hours to pull your image down if someone weaponizes it. Its enforcement move was 15 reminder letters and 12 warning letters. The director who signed the Shutterstock complaint, Christopher Mufarrige, also signed the nudify letters.

What Actually Happened in That Week

Congress did not pass this law quietly. The TAKE IT DOWN Act cleared the House 409-2 in April 2025, passed the Senate by unanimous consent, and President Trump signed it on May 19, 2025 as Public Law 119-12. It does two things. It makes publishing nonconsensual intimate imagery a federal crime, and it forces "covered platforms" (social media, messaging apps, image and video hosts) to build a takedown system. Once a victim sends a valid request, the platform has 48 hours to remove the image and make a reasonable effort to scrub identical copies. Platforms got one year to comply. The clock ran out on May 19, 2026.

That was enforcement day. Here is what the FTC did with it. On May 11, eight days early, Chairman Andrew Ferguson sent letters to 15 named companies (Alphabet, Amazon, Apple, Automattic, Bumble, Discord, Match Group, Meta, Microsoft, Pinterest, Reddit, SmugMug, Snapchat, TikTok, and X) reminding them the law existed and that the agency stood "ready to monitor compliance, investigate violations, and enforce." On May 20, the bureau sent 12 more letters to companies running AI "nudify" tools, the apps that take a clothed photo and generate a fake nude. Those companies "appeared to be in violation." They were urged to "immediately come into compliance." None were fined or sued. And unlike almost every other FTC enforcement target, none were named publicly.

The Shutterstock case ran the other way. The Commission voted 2-0 to authorize a complaint, filed it in federal court in the Southern District of New York, and walked away with $35 million in refunds for customers who'd been stuck in a subscription they couldn't easily exit. Days before mailing letters about intimate image abuse, the same agency showed exactly what it does when it decides a problem is worth its time. So the question worth chasing is why billing got the courtroom and revenge porn got the printer.

The Legal Detail Most Coverage Skipped

There's a real reason you might expect the FTC to go soft on a brand-new statute. Normally, when a company commits an "unfair or deceptive" act under Section 5 of the FTC Act, the agency can't just fine them. It has to win an administrative case first, get a cease-and-desist order, and only then can a second violation trigger penalties. That's the structural gap that has hamstrung FTC enforcement for years.

The TAKE IT DOWN Act doesn't work that way. Section 3(b) says a platform's failure to comply "shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B)" of the FTC Act. That single phrase routes the whole thing through the rule-violation track. Translation: the FTC does not need a prior order. The day a platform blows the 48-hour window on a valid request, the agency can take it straight to federal court and ask for civil penalties of up to $53,088 per violation. That's the same penalty mechanism behind the Shutterstock settlement, which leaned on the Restore Online Shoppers' Confidence Act, a law that uses the exact same "treated as a rule violation" device.

So the FTC has the same tool and the same legal posture in both situations, with only the target changing. The bureau used the federal-court route to wring that settlement out of a stock-photo company over billing friction, then reached for the letter template when the subject was intimate image abuse.

I want to be fair about one thing, because the honest version is stronger. The FTC almost certainly could not have filed a winnable lawsuit on day one. To sue, it needs a documented violation: a platform that got a valid request and let the 48 hours lapse. On May 19, the compliance period had just begun. Letters as a first step are defensible. The real question isn't whether the FTC should have sued on Tuesday, it's whether the agency that found that much urgency in a subscription cancellation will ever bring the first case here at all, and what its opening posture tells you about the answer.

Who Benefits

Start with the platforms, because they wrote the tell themselves. When the bill was moving, the major companies didn't fight it. The Senate Commerce Committee's December 2024 release listed Google, Microsoft, Meta, TikTok, Bumble, Match Group, IBM, and the U.S. Chamber of Commerce as backers. NetChoice, which sues over internet regulation as a reflex, sat this one out. Mary Anne Franks, who runs the Cyber Civil Rights Initiative, told The Verge what that silence might mean: "My fears about this, and I hope I'm wrong, is that the reason why the companies aren't mad about this is because they know it's never actually going to be used against them."

What the platforms get is cover without consequence. They backed a popular law, issued statements about compliance, and absorbed a reminder letter that demands nothing they can be sued over. The 12 nudify companies got something rarer. Most FTC targets are named in a complaint the day the agency moves. These 12 stayed anonymous, which means no headline, no investor question, no court docket. They got a private nudge and a window to stand up a web form before anyone outside the building knows who they are. The Australian eSafety Commissioner handled a single nudify service the same week with a Direction to Comply, a 14-day deadline, and real financial exposure. The FTC sent twelve unsigned-for-the-public letters and a deadline of "immediately."

The third beneficiary is the administration running the agency. The TAKE IT DOWN Act was championed by First Lady Melania Trump, a detail Ferguson includes in nearly every statement about it. Enforcement theater delivers a clean political win: a new victim portal at TakeItDown.ftc.gov, a stern press release, a law signed and "enforced," all serving a White House priority. President Trump told a joint session of Congress he'd "use that bill for myself, too" because "nobody gets treated worse than I do online." Franks called that "an announcement right from the highest level that this law is not going to be used in a principled way, but rather to settle personal scores." The administration takes the credit, the platforms keep the practical relief, and the people the law was named for get a complaint portal.

The Resource Story

You could argue the FTC simply can't afford to fight. Ferguson told Congress in May 2025 that NCII enforcement would need segregated IT infrastructure and specially trained investigators, and that handling this material "takes a real psychological toll." At the same hearing he confirmed the agency was cutting roughly 10% of its staff, down to about 1,100 employees, the lowest headcount in a decade. The FTC's proposed FY2026 budget would trim more than $42 million, including over $18 million from the Bureau of Consumer Protection, the same bureau now responsible for this law.

That's a real constraint. The trouble is, the FTC's own behavior cuts straight against it. The bureau that says it lacks resources for NCII work still found the resources to build, vote on, file, and settle the Shutterstock case over subscription billing in the same two-week stretch. Nobody spends capacity evenly across every mandate. Somebody decided the billing case got the investigators and the revenge-porn law got the form letter. Ferguson knows the cost of getting it wrong: at an April 2026 oversight hearing, Commissioner Mark Meador cited a recent NCII case where the FTC won an injunction but couldn't recover what "would have been millions of dollars in compensation for exploited victims." TAKE IT DOWN was built to close exactly that gap, and the agency's answer to it was a stack of letters.

The scale underneath all this is the part that makes the posture hard to defend. Deepfake and nudify apps have been downloaded 705 million times from the Apple and Google stores, per the Tech Transparency Project. Roughly 1 in 12 U.S. adults has experienced nonconsensual intimate image victimization at least once, per research in the APA journal Psychology of Violence; studies put the share of victims who are women around 90%. And X, which got a reminder letter rather than even a warning one, hosted a flood of AI-generated sexual images earlier this year. The Centre for Countering Digital Hate estimated Grok produced about 3 million such images in 11 days, including roughly 23,000 depicting minors. A New York Times analysis counted at least 1.8 million sexualized images of women on the platform in nine days. That platform's enforcement consequence, so far, is a PDF reminding it the law is on the books.

The Bottom Line

The legal authority is real and immediate. What the FTC has done instead, in the first days of enforcement, is send paper to companies that publicly backed the law and never named the ones it caught apparently breaking it. Nobody can fairly say the FTC failed on day one, because day one was always going to be a letter. But the agency's opening move matched, almost exactly, what the platforms were betting on when they decided not to fight the law.

The agency now has a year of enforcement history starting from a blank page, and the only number that will settle the question is how many civil complaints it actually files. The first one is the one to watch. If it lands on a nudify operator nobody's heard of rather than a platform where millions of these images already live, you'll know which victims the $53,088 was really for. This story is developing. So far the FTC has filed zero of those complaints.