By Three separate legal regimes are converging on the same operational question for digital marketing teams: when an image, video, or audio clip in your content stack is AI-generated or AI-manipulated, the output has to be marked, in a way that machines can detect and, in some cases, in a way that audiences can see. The EU AI Act's Article 50, California's SB 942 (as amended by AB 853), and New York's synthetic performer law each answer the "how" question differently, and each has a different trigger, enforcer, and penalty band.
The common ground is worth stating clearly. None of these laws mandates a specific technical standard. C2PA Content Credentials are the most mature provenance standard available today and are widely expected to be a central compliance tool, but neither the EU AI Act nor SB 942 nor the NY synthetic performer law makes C2PA itself mandatory. The draft EU Code of Practice explicitly rejects any single technique, promoting a multi-layered approach (metadata, imperceptible watermarks, and logging or fingerprinting). Planning around a multi-layered approach centred on C2PA is a defensible technical choice. Planning around C2PA alone, or treating a single manifest as the end of compliance, is not.
Three regimes, three triggers
EU AI Act Article 50
Article 50 of the EU AI Act sets out the core transparency obligations for generative AI. Two provisions matter most for marketing teams:
- Article 50(2) obliges providers of AI systems (including general-purpose AI) generating synthetic audio, image, video, or text to ensure the outputs are marked in a machine-readable format and detectable as artificially generated or manipulated. Technical solutions must be effective, interoperable, robust, and reliable as far as technically feasible, taking into account the state of the art and costs. The obligation does not apply to AI systems that perform only assistive editing or that do not substantially alter input data or its semantics, or where authorised by law for criminal-offence detection or prosecution.
- Article 50(4) obliges deployers of AI systems generating or manipulating image, audio, or video content that constitutes a deep fake to disclose that the content has been artificially generated or manipulated. Limited exemptions apply for criminal-offence-related uses and for evidently artistic, creative, satirical, or fictional content (with minimal non-intrusive disclosure required in those cases).
Article 50 applies from 2 August 2026. Penalties for breaches fall under Article 99(4): up to €15 million or 3% of total worldwide annual turnover, whichever is higher. The scope reaches non-EU providers and deployers whenever output produced by the AI system is used in the EU, so US agencies serving European audiences are directly in scope.
The draft EU Code of Practice on transparency
On 17 December 2025 the European Commission, through the AI Office, published the first draft of the Code of Practice on Transparency of AI-Generated Content. The final Code is expected in May or June 2026. The Code is voluntary, but in practice it is likely to become the benchmark against which regulators measure Article 50 compliance.
The draft Code has three features marketing teams should internalise now:
- Multi-layered marking is expected. Providers must combine metadata embedding (provenance information and digital signatures in the file), imperceptible watermarking (embedded during training, inference, or in the output), and logging or fingerprinting to verify outputs even after marks have been stripped. No single standard, C2PA included, is presented as sufficient on its own.
- Preservation and anti-removal duties. Providers must technically ensure existing detectable marks are retained when content is used as input and transformed into a new output. Providers must also contractually prohibit deployers and third parties from removing or tampering with marks.
- A standardised visual indicator. The draft proposes an EU-wide "AI" visual marker for synthetic content, with modality-specific disclosure rules for deepfakes (persistent visual indicators for live video, visible labels for recorded video and images, audible disclaimers for audio).
California's AI Transparency Act (SB 942, as amended by AB 853)
SB 942, the California AI Transparency Act, was signed on 19 September 2024 with an original 1 January 2026 operative date. AB 853 (signed 13 October 2025) expanded the scope and delayed the operative date to 2 August 2026 to align with the EU AI Act. Governor Newsom's signing message explicitly acknowledged "implementation challenges" and encouraged follow-up legislation in 2026 before the law takes effect. Expect further amendments.
The statute applies to "covered providers," defined as persons that create, code, or otherwise produce a generative AI system with more than 1,000,000 monthly visitors or users that is publicly accessible within California. Core obligations:
- Make available a free AI detection tool that allows users to assess whether image, video, or audio content was created or altered by the provider's GenAI system.
- Offer users an option to include a visible manifest disclosure (label or watermark) in GenAI-created content.
- Include a latent disclosure (machine-detectable provenance information) in image, video, or audio content generated by the system.
- Include licensing provisions requiring third-party licensees to preserve disclosures.
AB 853 extended obligations beyond covered providers to generative AI hosting platforms (starting 1 January 2027), large online platforms (defined as public-facing social media, file-sharing, or mass-messaging services exceeding 2 million monthly users), and capture device manufacturers. Penalties are civil: up to $5,000 per violation per day, enforceable by the California Attorney General, city attorneys, or county counsel. The law excludes providers of non-user-generated video game, television, streaming, movie, or interactive experiences, and applies only to image, video, or audio content (not text).
New York's synthetic performer disclosure law
On 11 December 2025, Governor Hochul signed SB 8420-A, amending New York General Business Law §396-b to require conspicuous disclosure of synthetic performers in advertisements. The law takes effect on 9 June 2026.
A "synthetic performer" is a digital asset created or modified using generative AI, or a software algorithm, that appears to give the impression of a human performance and does not represent any identifiable natural person. Any person who, for a commercial purpose, produces or creates an advertisement containing a synthetic performer must conspicuously disclose that fact, where the person has actual knowledge a synthetic performer is in the advertisement. Civil penalties are $1,000 for a first violation and $5,000 per subsequent violation. There is no private right of action.
The law contains important exemptions: it does not apply to audio-only advertisements; to uses of AI solely for language translation of a human performer; to advertisements for expressive works (films, TV, documentaries, video games) where the synthetic performer's use is consistent with the underlying work; and it protects media publishers that disseminate the advertisement. The statute also expressly disclaims any effect on Section 230 of the Communications Decency Act.
What is not in this package
The Colorado AI Act (SB 24-205) and New York's RAISE Act are frequently cited alongside the laws above but address different problems. Colorado's law, effective 30 June 2026, governs algorithmic discrimination in consequential decisions, not synthetic content labelling. New York's RAISE Act (signed 19 December 2025, effective 1 January 2027) applies only to large frontier-model developers with $500 million or more in annual revenue and focuses on safety frameworks and incident reporting, not watermarking. Confusing these with the Article 50 / SB 942 / synthetic performer regime creates scope and compliance errors.
The federal context
On 11 December 2025, President Trump signed an executive order proposing a federal policy framework for AI that could preempt state AI laws deemed inconsistent with it. The order does not automatically invalidate SB 942, the NY synthetic performer law, or other state AI laws. Those laws remain enforceable unless and until federal courts rule otherwise. The EU AI Act is unaffected by US federal policy. For planning purposes, treat all three regimes as live.
Why C2PA is the default technical choice (and its limits)
The Coalition for Content Provenance and Authenticity (C2PA) publishes the Content Credentials specification, which embeds cryptographically signed manifests describing creation history, edits, and AI-specific metadata into the asset. C2PA is supported by Adobe, Microsoft, Google, OpenAI, Meta, BBC, AFP, Leica, Nikon, Sony, and others. For image, video, and audio workflows, Content Credentials are the most widely implemented provenance approach available.
Two caveats matter. First, C2PA manifests can be stripped by platforms that recompress or re-encode assets. Meta, LinkedIn, Instagram, and others have variable preservation behaviour, and the EU draft Code's insistence on multi-layered marking reflects this reality. Manifests alone are not enough. Second, C2PA is a standard, not a law. Implementing C2PA does not automatically satisfy Article 50, SB 942, or the NY synthetic performer law. Each regime has its own specific obligations, and C2PA implementation is one input to compliance rather than the whole of it.
A practitioner's five-step plan
Step 1: Audit AI generation and editing pipelines
List every tool that creates or materially alters image, video, or audio assets with AI: Midjourney, DALL-E, Stable Diffusion, Photoshop Firefly, Runway, ElevenLabs, Synthesia, and whatever your creative team actually uses. Identify export points and formats (JPEG, PNG, WebP, MP4, WAV). Flag any manual post-processing step that strips metadata, because stripping a C2PA manifest after generation does not remove your Article 50 exposure, it just moves the burden to the soft-binding and fingerprinting layers. Map where the output of each tool ends up: social platforms, paid media, email, owned web, or client deliverables.
Step 2: Set up signing credentials
For C2PA-based workflows, obtain an X.509 certificate from a CA listed on the C2PA Trust List. The specification supports ECC (P-256, P-384, P-521) and RSA (2048, 3072, 4096-bit) keys. Store signing keys in a hardware security module or cloud KMS, not in source control. Install the open-source c2pa-rs (Rust) or c2pa-js library, or use native Content Credentials support in Adobe Creative Cloud. Validate the end-to-end signing pipeline with the c2patool CLI before integrating it into production.
Step 3: Generate and sign manifests with AI-specific assertions
Create a manifest using the C2PA JUMBF container. Include the mandatory c2pa.actions assertion with the c2pa.created action. Set digitalSourceType to the IPTC value for trained algorithmic media (http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia). Record the AI model identifier, version, and relevant prompt metadata as c2pa.ingredient.v3 entries with an inputTo relationship, consistent with the C2PA 2.x specification. Hash the asset bytes (excluding the manifest padding) with SHA-256, sign the claim with COSE (ES256 for ECC P-256 keys), and embed the manifest store in the asset or externalise it via a cloud repository with an HTTP Link reference.
Step 4: Add durable soft bindings and test resilience
Layer an imperceptible watermark using an algorithm that survives typical platform processing (recompression, resizing, cropping). Consider third-party watermarking services or model-native watermarking (some GenAI providers embed marks during inference). Maintain a fallback manifest repository so content stripped of metadata can still be matched against the original signed record via perceptual hashing. Test ingestion and re-download on each platform in your distribution list, because preservation behaviour varies and changes over time.
Step 5: Build governance and disclosure processes
Integrate verification UI where feasible so audiences can see the Content Credentials pin on owned properties. Build internal review gates that flag synthetic performers for the NY conspicuous disclosure requirement, and deepfakes for the Article 50(4) disclosure requirement. Maintain a provenance compliance playbook with credential inventory, signing key rotation schedule, per-campaign manifest identifiers, deepfake and synthetic performer determination records, and audit logs. Train the creative and legal teams on the boundary cases, especially when AI is used for "assistive editing" (outside Article 50(2)) versus substantial alteration (inside Article 50(2)).
Who carries the liability
Providers under the EU AI Act (OpenAI, Adobe, Midjourney, Stability, Anthropic, and similar) carry the Article 50(2) marking obligation at the generation layer. Deployers (agencies, creators, enterprises, platforms that use AI-generated content under their own authority) carry Article 50(4) deepfake disclosure, preservation duties that flow through the draft Code of Practice, and local disclosure obligations (SB 942 for distribution on California-accessible large platforms, NY §396-b for synthetic performers in New York advertising).
EU AI Act penalties for Article 50 breaches reach up to €15 million or 3% of worldwide turnover, under Article 99(4). California SB 942 penalties reach $5,000 per day per violation. NY synthetic performer violations are $1,000 first and $5,000 subsequent, with no private right of action but reputational and platform-level risk in addition. Insurance coverage for AI Act administrative fines is still evolving, and agency contracts should allocate these risks explicitly between advertiser, agency, and creative partners.
An illustrative scenario
The following is a hypothetical designed to illustrate how the rules interact. It does not describe any real enforcement action.
Imagine a mid-sized agency launches an influencer campaign in October 2026 for a luxury watch brand using Midjourney-generated synthetic performers, distributed across Instagram, TikTok, and paid programmatic in the EU and New York. The agency implements C2PA manifests at export but does not apply a soft-binding watermark, and does not add a conspicuous on-screen disclosure for the synthetic performers.
Three separate issues arise. In the EU, once the files pass through platforms that strip metadata, the assets no longer carry machine-readable provenance, potentially triggering Article 50(2) scrutiny at the provider layer (the GenAI model operator) and, for the deepfake-like content, Article 50(4) disclosure failures at the deployer layer (the agency and brand). In New York, the absence of a conspicuous synthetic performer disclosure on ads distributed to New York viewers exposes the agency to NY GBL §396-b penalties. In California, if Instagram and TikTok qualify as large online platforms and the GenAI system used has more than 1 million monthly California users, SB 942 obligations layer on top.
A multi-layered approach (C2PA manifest plus soft-binding watermark plus visible on-screen "AI-generated" disclosure for synthetic performers and deepfakes) would have addressed the technical and disclosure elements of all three regimes. The commercial cost in scenarios like this is usually not the fine itself; it is the combination of platform enforcement actions, remediation re-shoots, client contract penalties, and the reputational impact of being the case study everyone else learns from.
Compliance FAQ
Is C2PA mandatory under the EU AI Act or SB 942?
No. Neither law mandates C2PA specifically. The EU AI Act requires machine-readable marking that is effective, interoperable, robust, and reliable under the state of the art. The draft Code of Practice recommends a multi-layered approach combining metadata (which C2PA provides), imperceptible watermarks, and logging or fingerprinting. C2PA satisfies the metadata layer well, but relying on it alone does not satisfy the multi-layered expectation.
What free tools support full C2PA embedding today?
The open-source c2patool CLI, c2pa-rs (Rust), and c2pa-js (JavaScript) libraries are maintained by the Content Authenticity Initiative and are free to use. Adobe Content Credentials are available in Creative Cloud applications. Several certificate authorities offer C2PA-compliant signing certificates. Soft-binding watermarking typically requires either third-party services or model-native capabilities from the GenAI provider.
How do I protect C2PA credentials when platforms strip metadata?
Combine the hard-binding hash in the C2PA manifest with an imperceptible soft-binding watermark, and maintain an external manifest repository addressable via perceptual hash lookup. This triple-layer approach (metadata, watermark, fingerprint recovery) is what the draft EU Code of Practice anticipates and what commercial provenance tooling increasingly provides by default. Test preservation on every platform in your distribution list and re-test after major platform updates.
What internal documentation should an agency maintain?
A provenance compliance playbook covering: AI tool inventory; signing certificate and key rotation records; per-asset manifest identifier register; synthetic performer and deepfake determinations with sign-off; disclosure templates for each jurisdiction (EU deepfake, NY synthetic performer, California pre-use); preservation test records for major distribution platforms; training records; and incident response procedures for removed or corrupted provenance. Treat these as auditable records rather than internal notes.
Can I rely on the vendor's watermarking to satisfy my obligations?
Only partially. For Article 50(2) marking, the provider obligation rests primarily on the AI system provider (the GenAI model operator), not on you as a deployer. For Article 50(4) deepfake disclosure, the obligation is yours regardless of what the vendor does. For SB 942, the covered provider bears the manifest and latent disclosure obligation, but AB 853 also imposes preservation and interface obligations on large online platforms. For the NY synthetic performer law, the person who produces or creates the advertisement is liable; the vendor's watermark is not a defence to the conspicuous-disclosure requirement.
The bottom line
Three regimes, three effective dates across 2026, one workflow. Teams that treat Article 50, SB 942, and the NY synthetic performer law as a combined implementation project rather than three separate compliance exercises tend to build a cleaner content pipeline and spend less in aggregate. The technical anchors are multi-layered marking (manifest plus watermark plus fingerprint recovery), clear disclosure rules for deepfakes and synthetic performers, and a provenance playbook that survives audit. The dates are fixed. The tooling is mature enough to deploy. The compliance question is whether your next campaign ships with the evidence trail it needs.
Last updated: April 2026. This article is educational content and is not legal advice. Obligations depend on jurisdiction, system classification, platform behaviour, and content type. Consult qualified counsel before making compliance decisions.