AI-Generated Imagery: A Privacy Problem Hiding in Plain Sight 2026
AI-generated images and videos are no longer a futuristic privacy concern. They are already part of everyday digital life. With widely available generative AI tools, it has become easier to create realistic images, videos, and audio that appear to show real people doing or saying things that never happened. This creates a serious privacy challenge: a person’s face, body, voice, identity, or reputation can be used without their knowledge or consent.
In February 2026, the European Data Protection Board supported a joint statement on AI-generated imagery issued by 61 privacy and data protection authorities worldwide. The statement raised concerns about AI systems that create realistic images and videos of identifiable individuals without their knowledge or consent, including non-consensual intimate imagery, defamatory depictions, and other harmful content. The authorities were especially concerned about risks to children and vulnerable groups.
From a privacy law perspective, this is not just about “fake content.” It is about personal data. A person’s image, voice, and likeness can identify them. In some cases, the data involved may also be biometric data, especially where facial or voice characteristics are processed to uniquely identify someone. The UK Information Commissioner’s Office has emphasized that organisations using AI and biometric technologies must be transparent, fair, and put appropriate governance and technical measures in place to protect people from harm.
For organisations, this means that AI-generated imagery should be assessed through familiar privacy principles. Is there a lawful basis for processing? Has the organisation clearly explained how personal data is used? Is the use fair and proportionate? Have risks to individuals been assessed before deployment? These are not abstract questions. A marketing team using AI-generated models, a social media platform offering image-generation features, or an employer experimenting with synthetic video tools may all create privacy risks if real people can be identified or imitated.
The EU AI Act adds another layer. Article 50 requires certain AI-generated or manipulated content to be marked or disclosed. Deepfakes and AI-generated content must be disclosed as artificially generated, and information must be provided clearly and accessibly. The European Commission has also published a Code of Practice to support compliance with AI Act transparency obligations, which apply from 2 August 2026.
In the United States, regulators are also paying attention. The Federal Trade Commission has warned that AI-generated deepfakes can “turbocharge” impersonation fraud and has proposed stronger protections against AI-enabled impersonation of individuals.
The key lesson for privacy professionals is simple: AI-generated imagery should not be treated as a purely creative or technical issue. It is a governance issue. Organisations should build safeguards from the start, including clear policies, abuse-prevention measures, transparency notices, complaint and takedown routes, and special protections for children.
For CIPP/E and CIPP/US candidates, this topic is also a useful reminder of how privacy law evolves. The core principles remain familiar: transparency, fairness, accountability, data minimisation, and individual rights. But new technologies create new ways for those principles to be tested.
AI can generate images in seconds. Privacy professionals need to make sure trust is not destroyed just as quickly.
