Skip to main content
Information Technology & BPO

Deepfake Laws in 2026: How India, the EU, and the US Are Barring AI Generated Fake Content

June 22, 2026By HRU LEGAL

Deepfake Laws in 2026: How India, the EU, and the US Are Barring AI-Generated Fake Content

The Problem That Can No Longer Wait

A video of a CEO announcing a company's collapse goes viral. A politician is shown saying something he never said. A woman finds her face on explicit content she never consented to. A student receives what appears to be a leaked exam paper from a credible-looking source.

Each of these is now a routine deepfake scenario, not a theoretical one. And in 2026, the world's major jurisdictions have finally moved from discussing the problem to imposing hard legal obligations on platforms, businesses, and in some cases the creators themselves.

India, the EU, and the US have each enacted or brought into force significant deepfake-related legal frameworks this year. They have arrived at broadly similar goals through very different legal routes, and the differences matter enormously for any business operating across more than one of these jurisdictions.

India: The Fastest Mover, the Broadest Framework

India moved first and moved fast. On 10 February 2026, MeitY notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026, which came into effect just ten days later on 20 February 2026. The speed from notification to enforcement was notable even by global standards.

The centrepiece of the new framework is the formal recognition of "Synthetically Generated Information" or SGI as a distinct regulatory category. SGI covers audio, visual, or audio-visual material that is artificially or algorithmically created or altered and likely to be perceived as indistinguishable from a real person or real-world event. The definition expressly includes deepfakes, AI-generated impersonations, fabricated documents, and deceptive synthetic news or messages, while carving out routine editing, colour correction, accessibility improvements, and content that does not materially distort the underlying reality.

The three-hour takedown rule is the provision that generated the most immediate industry reaction. Once a platform receives a lawful notice or government order regarding harmful AI-generated content, it has three hours to remove it. The previous standard was 36 hours. Missing the three-hour window means the platform loses its safe harbour protection under Section 79 of the IT Act and becomes liable as if it had created the content itself, a potentially catastrophic exposure for large platforms hosting millions of pieces of content daily.

Significant Social Media Intermediaries face additional obligations. They must label AI-generated content prominently, with a visible watermark covering at least 10 percent of image or video surface area, or an audible notice lasting at least 10 percent of audio duration. They must embed permanent metadata including a unique identifier for traceability. And they must periodically inform users every three months about the legal consequences of creating or sharing prohibited deepfake content.

The criminal framework sitting beneath the IT Rules is equally significant. Section 66C of the IT Act criminalises identity theft through impersonation using unique identification features, which Indian courts have interpreted to include facial geometry and voice biometrics, making non-consensual deepfake creation an act of statutory identity theft punishable by up to three years imprisonment and a fine of up to Rs 1 lakh. Section 66D covers cheating by personation using computer resources. Sections 66E, 67, and 67A criminalise sexually explicit electronic content. The Bharatiya Nyaya Sanhita 2023 adds further criminal exposure through provisions on defamation and criminal intimidation. Where deepfakes process biometric data without consent, the DPDP Act 2023 applies with penalties reaching Rs 250 crore.

Corporate liability runs through Section 85 of the IT Act, which pierces the corporate veil: directors, managing directors, and chief compliance officers can be personally held liable where contraventions occur with their consent, connivance, or through neglect.

The gap the legal community has pointed out is that India's framework remains primarily reactive. It addresses the downstream consequences of deepfake misuse rather than creating a standalone criminal offence for the upstream act of intentionally creating and distributing harmful synthetic content. That gap is expected to be addressed through dedicated legislation in the next parliamentary cycle.

The European Union: Transparency as the Core Obligation

The EU has taken a structurally different approach. Rather than building its deepfake regime around rapid content removal, the EU AI Act focuses on transparency, disclosure, and the ability of users to recognise synthetic content. The transparency obligations under Article 50 of the EU AI Act apply from 2 August 2026.

Under Article 50, providers of AI systems that generate or manipulate image, audio, or video content must ensure that outputs are marked in a machine-readable format detectable as artificially generated. Deployers, meaning entities that use generative AI systems for professional purposes, must disclose to users when content constitutes a deepfake, defined in the Act as AI-generated or manipulated content that imitates real persons, objects, places, or events in a way that could mislead someone into believing it is genuine.

The European Commission has been developing a Code of Practice on AI-generated content transparency to serve as the operational roadmap for compliance. A proposed common EU icon featuring the capitalised acronym "AI" is being developed for visible labelling of synthetic content. Modality-specific requirements specify that labels must appear consistently throughout short videos, at the beginning and at regular intervals for longer videos, and as audible disclaimers for audio content. Penalties for non-compliance with AI Act requirements can reach 35 million euros or 7 percent of global annual revenue.

Artistic and fictional works receive a carve-out, but it is narrower than many businesses assumed. Content that serves primarily an informative or commercial purpose cannot benefit from this artistic exemption, which means AI-generated deepfakes of real people used in commercial advertising fall squarely within the disclosure obligations regardless of how creative the campaign is.

The Digital Services Act adds a layer on top of the AI Act for large platforms designated as Very Large Online Platforms. These must include deepfake and synthetic content in their risk assessments, maintain transparency about their content moderation practices, and cooperate with researchers and regulators on synthetic media concerns.

The United States: Narrower Federal Laws, Growing State Patchwork

The US has not enacted a comprehensive national deepfake framework. Instead, it has moved on the most politically visible harm category: non-consensual intimate deepfake imagery.

The TAKE IT DOWN Act, signed into law in 2025, criminalises the publication of non-consensual intimate visual depictions including AI-generated deepfakes, and imposes a binding 48-hour removal obligation on covered platforms upon receipt of a valid notice. The Federal Trade Commission enforces this removal obligation, meaning platform compliance is a regulatory matter rather than purely a private one.

The DEFIANCE Act, which took effect in January 2026, provides civil remedies for victims of non-consensual intimate deepfakes with damages reaching up to USD 250,000. Together these two federal laws create criminal, civil, and platform accountability for the most severe category of deepfake harm.

Beyond these narrow federal laws, deepfake regulation in the US is primarily a state matter. By 2026, 47 states have enacted deepfake-related laws, with 64 new state laws enacted in 2025 alone. These laws focus primarily on intimate imagery and election manipulation. Unlike India or the EU, the US has no federal mandate for AI content labelling or detection, making the American framework the narrowest of the three on platform obligations but among the most aggressive on criminal penalties for the specific category of non-consensual intimate content.

What This Means for Platforms and Businesses

Any platform or business with users, content, or operations across India, the EU, and the US now faces three different compliance obligations simultaneously.

In India, the operational priority is the three-hour takedown window. No platform can meet that obligation without automated detection infrastructure, pre-built takedown workflows, and a designated compliance team with authority to act without waiting for legal sign-off on each decision. The labelling and watermarking requirements are additionally demanding for platforms that host user-generated content at scale.

For the EU, the August 2026 deadline for Article 50 compliance means businesses need to audit every AI-generated content workflow now: identify where synthetic content is produced or deployed, what disclosure infrastructure exists, and what technical changes are required to achieve machine-readable marking. Human review remains essential, particularly where businesses want to rely on editorial exemptions.

For the US, the 48-hour TAKE IT DOWN Act window for intimate imagery complaints requires structured intake and triage processes. The absence of broader federal labelling obligations means US-only operations face lighter technical burdens, but the 47-state patchwork creates complexity for anything involving users across multiple states.

The businesses most exposed to deepfake liability in 2026 are those that produce AI-generated marketing content featuring real people, operate platforms where users can create or share synthetic media, use AI voice cloning or avatar technology in customer-facing applications, or distribute content without verifying whether it has been synthetically altered. For each of these, the compliance question is no longer whether obligations exist but how quickly they can be operationalised.

This Blog is for general informational purposes and does not constitute legal advice. For guidance on deepfake compliance, platform liability, or AI content regulation, please contact our team.