Synthetic Media Compliance: EU AI Act, GDPR, and Deepfake Regulations

5–9 weeks

Typical engagement

EU · UK · US · Global

Jurisdictions covered

Platforms · Media · Brands

Who we work with

EU AI Act Article 50 is in force

The EU AI Act’s transparency obligations for synthetic content (Article 50) require providers and deployers of AI systems that generate synthetic audio, video, image, or text of real people to disclose that the content is AI-generated — in a machine-readable format and in a way that is clear to the end user. This applies to marketing videos, AI avatars, voice clones, and AI-generated news illustrations. Non-compliance creates enforcement risk from national AI authorities.

GDPR applies to every face and voice

Facial images and voice recordings are biometric data under GDPR. Creating synthetic media that replicates a real person’s appearance or voice — even from publicly available material — requires a legal basis. For AI-generated content, the practical legal basis is explicit consent from the person depicted. Platforms that generate synthetic media using third-party images or voices without consent are processing biometric data without a legal basis.

Platform policies are ahead of the law

Major platforms — YouTube, Meta, TikTok, LinkedIn — have already implemented AI content disclosure requirements and are enforcing them through content removal and account restrictions. In some cases, platform policies are stricter than applicable law. A synthetic media compliance framework needs to address both regulatory requirements and platform-specific disclosure standards — which differ by platform and are changing rapidly.

Election content triggers a completely different compliance regime

AI-generated content depicting candidates, elections, or political events is subject to a separate and stricter layer of regulation in the US, EU, and several other jurisdictions. Platform policies for election content are enforced with near-zero tolerance — automated removal, no appeals window, and potential permanent demonetisation. A general synthetic media compliance framework does not cover election content risk. If your platform, brand, or clients operate in political advertising or news, election-specific content rules require a dedicated compliance stream.

✓

✓

✓

✓

✓

✓

✓

✓

✓

✓

✓

✓

Step 01 · Week 1

Product and content mapping

We map your product and content flows: what synthetic media your platform generates or hosts, who the people depicted are, how the content reaches end users, and which platforms distribute it. We determine which regulatory frameworks apply and in which combinations.

Step 02 · Weeks 2–3

Regulatory and platform analysis

We analyse your obligations under EU AI Act Article 50, GDPR, UK Online Safety Act, and applicable US frameworks. We review the platform policies of your primary distribution channels and identify where your current practices create gaps.

Step 03 · Weeks 3–6

Compliance framework design

We design the disclosure and labelling system: visual labels, machine-readable markers, user-facing disclosures. We draft the updated terms of service, client compliance documentation, and content moderation policy. We allocate provider vs deployer obligations between you and your B2B clients.

Step 04 · Weeks 6–9

Implementation and training

We support rollout: product team briefing on technical labelling requirements, trust and safety team training on deepfake edge cases, enterprise client compliance memos, and platform-specific disclosure setup. We review the final implementation against each applicable framework.

Question 1 of 4

Next →

Marketing Platform · Germany

German platform generating AI avatar marketing videos for e-commerce and advertising clients. Content distributed on social media and client websites across the EU. EU AI Act Article 50 transparency obligations and major platform labelling requirements required a formal compliance framework.

Consumer Platform · USA/EU

Global platform where users created entertainment deepfake videos. Large volumes of biometric data (faces, voices) processed without explicit consent from depicted persons. GDPR, US DEFIANCE Act, and UK Online Safety Act all applicable.

Media · UK

UK news media holding using generative AI for illustrations, B-roll video, event reconstructions, and localisation. Audience in EU, UK, and US. EU AI Act disclosure requirements, UK Online Safety Act safety duties, and US political deepfake laws all applicable.

Article 50 of the EU AI Act requires providers of AI systems that generate synthetic audio, video, image, or text content to ensure that the outputs are marked in a machine-readable format so they can be identified as artificially generated or manipulated. For content depicting real people (deepfakes), the obligation goes further: the content must be labelled in a way that is clear and distinguishable to the persons viewing it. This applies to AI avatars, synthetic voices, AI-generated video of real people, and AI-generated images depicting real individuals. The obligation applies to providers (who build the AI system) and can extend to deployers (who use it commercially).

A provider is the company that develops and places an AI system on the market — the platform that builds the synthetic media generation technology. A deployer is the company or individual that uses that AI system in their own products or services — typically the brand or agency using the platform to create marketing content. Both can carry transparency obligations under Article 50. The platform (provider) must ensure the system is capable of labelling outputs. The brand or agency (deployer) must ensure the labelling is actually applied when the content is published. B2B platforms need to address how these obligations split between them and their clients in contracts and terms of service.

The EU AI Act and the related Code of Practice on AI and disinformation specify that machine-readable labels should be embedded in the content itself — not just added as a visible caption. Technically, this means embedding metadata (such as C2PA content credentials), watermarking, or other signals that allow automated systems and platforms to detect that the content is AI-generated. Visual labels (text or icons visible to viewers) are also required, but they don’t substitute for the technical markers. The specific technical standards are still being finalised through implementing acts, but the C2PA standard is the leading candidate.

Yes. Facial images and voice recordings are biometric data under GDPR — even when used to train an AI model or generate synthetic output. Processing biometric data requires explicit consent as the legal basis (or, in limited cases, other Article 9 grounds). This means: using publicly available photos or videos of real people to create AI avatars, generate synthetic voices, or produce deepfakes requires explicit consent from the person depicted — regardless of where the source material came from. Platforms that process biometric data to generate synthetic media without consent are in breach of GDPR.

The UK Online Safety Act 2023 criminalises the sharing of intimate deepfakes — AI-generated or manipulated intimate images of real people — without their consent. This applies to individuals who share such content and creates platform liability for failing to have systems in place to detect and remove it. Beyond intimate deepfakes, the Act imposes broader safety duties on platforms: risk assessments for illegal and harmful content (including AI-generated harmful content), systems for reporting and removing such content, and transparency obligations about moderation practices. Platforms with UK users need to conduct a risk assessment under the Act that specifically addresses synthetic media.

The US regulatory landscape for synthetic media is fragmented — primarily at the state level, with some federal developments. The DEFIANCE Act (2024) creates a federal civil cause of action for victims of non-consensual AI-generated intimate images. Many states have passed or are passing laws targeting political deepfakes (requiring disclosure in political advertising), intimate deepfakes (criminal penalties), and election interference through synthetic media. California, Texas, New York, and Illinois have the most developed frameworks. For platforms operating nationally, compliance requires mapping the strictest applicable state requirement for each content category — or building a national standard based on the most demanding state laws.

YouTube, Meta, TikTok, and LinkedIn all have policies requiring disclosure of AI-generated content — with varying technical requirements and enforcement mechanisms. YouTube requires creators to disclose AI-generated realistic content; Meta requires labelling of AI-generated images on Facebook and Instagram using industry-standard signals (C2PA, IPTC); TikTok requires labels for AI-generated content that could mislead. During election periods, these platforms apply stricter rules on political synthetic content. Platform policies are enforced through content removal, account restrictions, and demonetisation — often faster and more damaging commercially than regulatory enforcement. Compliance must address both the law and the platform rules.

The EU AI Act Article 50 includes an exemption for content that is “evidently artistic, creative, satirical or fictional” — where disclosure would be inappropriate or unnecessary given the clearly creative nature of the work. However, this exemption is narrow: the satirical or fictional nature must be evident from the content itself, not just from context. A realistic-looking deepfake video of a politician, even if intended as satire, is unlikely to qualify for the exemption if a reasonable viewer could mistake it for real. The exemption is clearer for obviously stylised, exaggerated, or animated content. We advise on where specific content types fall on this spectrum and how to document the basis for any exemption claimed.