Deciding if your deepfake is ethical: a consent, harm, and purpose test
Making a deepfake is not unethical by default. What decides it is whether the depicted person agreed, whether the result could hurt them, and what you intend to do with it. Run those three checks before you generate anything. If the subject consents, no harm is plausible, and the purpose is honest, you are likely on solid ground. Fail any one of them and you have a problem the software will not fix for you.
Is it ethical to create a deepfake at all?
Yes, sometimes. The technology cuts both ways. A deepfake can be a labelled satire of a willing friend, or it can be a weapon aimed at someone who never agreed to appear. Same tool, opposite ethics.
Think of it the way you would think of a knife. Useful in a kitchen, dangerous in the wrong hands, and never the moral agent itself. Generative AI now lets anyone build a convincing fake in seconds, no Photoshop skill required, which means the old friction that once limited misuse is gone. That shifts the entire ethical weight onto one place: your choices as the creator. The model does not consent, weigh harm, or judge purpose. You do.
The three-test ethics check before you create
Before you render, put your planned project through three questions. Each one targets a different way a deepfake goes wrong, and together they sort almost any project into one of three buckets.
- Consent: has the depicted person actually agreed to this specific use, knowing where it will appear?
- Harm: could the finished piece damage their reputation, safety, or dignity, even if you never meant it to?
- Purpose and profit: is the aim genuinely benign, like art, teaching, or satire, and are you making money off their likeness?
Now combine the answers. Clear consent, no foreseeable harm, honest purpose: ethical, go ahead. Consent present but some harm or commercial gain in play: conditional, which means you tighten scope, label it, and document agreement before proceeding. No consent or real risk of harm: off-limits, full stop, regardless of how clever the result would be.
Consent as a spectrum: explicit, implied, public-figure, posthumous
Consent is rarely a simple yes or no. It runs along a spectrum, and the most common mistake creators make is collapsing it into one assumption: that a public image is fair game.
It is not. Putting your face or voice into the public does not hand strangers implied consent to remix it. People keep control over how their identity is represented even after they go public. David Attenborough made that plain when he disapproved of an unauthorized clone of his voice, despite a career spent in front of cameras. Fame is exposure, not permission.
Explicit consent is the baseline you should aim for. A systematic review in PMC frames it this way: in principle, consent from the depicted person must be obtained, and only where that is genuinely impracticable can a legitimate interest stand in, and even then only with real data-security and governance safeguards around the likeness. Posthumous depiction is the hardest corner of the spectrum. Synthetic resurrection can recreate a dead person's face and voice, which forces an unresolved question: who controls a deceased relative's likeness, and who gets to say no on their behalf?
How to obtain and document consent (worked example)
Getting consent is only half the job. Recording it is the other half, and it is the half that usually gets skipped. A face or a voice is biometric data, so employer-side guidance from EHS Careers is blunt about it: secure explicit consent for that data, and comply with privacy laws such as California's CCPA and Illinois' BIPA when you use someone's likeness.
What does a usable consent record actually contain? Picture a creator making a birthday parody of a friend. Before rendering, they write down the terms and have the friend confirm them. Here is the shape of that record.
- Who is depicted and what biometric data is used, such as facial images, a voice sample, or both.
- What is being created: a 30-second comedic clip, described plainly enough that the subject knows what they agreed to.
- Where it will appear and for how long, for example a private group chat for one week, not the open internet forever.
- Whether the use is commercial, and if so what the subject gets in return.
- How the source data is stored, who can access it, and when it will be deleted.
- A dated confirmation from the subject, kept somewhere you can produce it later.
Adapt that list to your project and reuse it. The point is not legal perfection. The point is that scope, duration, commercial intent, and data handling are pinned down in writing, so consent means a specific thing both people understood rather than a vague nod you remember differently a month later.
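One way to make that record checkable, as an added example that is not part of the original article: the list above becomes a structured record, and a planned use is compared against it before anything is published. All field names, channel labels, and dates are constructed for illustration; storage location and access control are assumed to be tracked elsewhere.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class ConsentRecord:
    subject: str
    biometric_data: frozenset      # e.g. {"face", "voice"}
    description: str               # what is being created, in plain words
    channels: frozenset            # where the result may appear
    valid_from: date
    valid_until: date              # how long it may stay up
    commercial: bool
    compensation: str              # what the subject gets if commercial
    delete_source_by: date         # retention limit for the source data
    confirmed_on: Optional[date]   # dated confirmation from the subject

@dataclass(frozen=True)
class PlannedUse:
    biometric_data: frozenset
    channel: str
    on: date
    commercial: bool

def check_use(rec: ConsentRecord, use: PlannedUse) -> list:
    """Return every reason the planned use falls outside the recorded consent."""
    problems = []
    if rec.confirmed_on is None or rec.confirmed_on > use.on:
        problems.append("no dated confirmation before the use")
    extra = use.biometric_data - rec.biometric_data
    if extra:
        problems.append("biometric data not covered: " + ", ".join(sorted(extra)))
    if use.channel not in rec.channels:
        problems.append("channel not agreed: " + use.channel)
    if not rec.valid_from <= use.on <= rec.valid_until:
        problems.append("outside the agreed time window")
    if use.commercial and not rec.commercial:
        problems.append("commercial use not agreed")
    if rec.commercial and not rec.compensation.strip():
        problems.append("commercial record does not say what the subject gets")
    if use.on > rec.delete_source_by:
        problems.append("source data is past its deletion date")
    return problems

# Constructed sample: the birthday parody, private group chat, one week.
RECORD = ConsentRecord("Friend A", frozenset({"face"}), "30-second comedic clip",
                       frozenset({"private_group_chat"}), date(2024, 5, 3),
                       date(2024, 5, 10), False, "", date(2024, 5, 17), date(2024, 5, 1))
IN_SCOPE = PlannedUse(frozenset({"face"}), "private_group_chat", date(2024, 5, 4), False)
REPOST = PlannedUse(frozenset({"face", "voice"}), "public_social", date(2024, 6, 1), True)
```

`check_use(RECORD, IN_SCOPE)` returns an empty list, while `check_use(RECORD, REPOST)` lists five separate ways a later public, monetised repost with an added voice clone exceeds what the subject agreed to.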
The everyday-person scenarios the law misses
Most deepfake statutes were written for two headline categories: sexual content and political content. That leaves an enormous middle ground untouched. A casual swap of a friend, a coworker pasted into a meme, a classmate dropped into an awkward scene: legally, in most places, nothing stops you. Ethically, plenty does.
This is where the harm test earns its place. "It was just a joke" is not a defence, because intent does not erase impact. A private subject can feel genuinely violated by content that looked harmless to the person who made it. They did not choose to be depicted, they cannot control where the clip travels, and the loss of control is itself the injury. Benign on your side does not mean benign on theirs.
A swap that fails no law can still fail a person. When the statute is silent, your ethics are the only guardrail the subject has.
Harms that make a deepfake off-limits
Some uses no purpose redeems. These are the bright lines, and the scale of the worst one is easy to underestimate. The dominant real-world harm is not political theater. It is non-consensual pornography.
Around 96% of existing deepfakes are pornographic, according to the Prindle Institute, and they overwhelmingly target women who never agreed to be depicted. The reach is not marginal: ORF reports that the top four deepfake pornographic websites alone have drawn over 134 million views. Any project that drifts toward this category is off-limits on its face, no consent test required, because consent is precisely what is absent.
Fraud and disinformation sit on the same side of the line. Political fakes erode trust in genuine video, and that erosion has a second-order cost named the liar's dividend: once anyone can fake anything, a bad actor can wave away real, inconvenient footage as just another deepfake. The harm is not only the lie you create. It is the doubt you lend to every truth.
Legitimate uses and the disclosure duty
Plenty of deepfakes deserve to exist. ORF notes real benefits across art, expression, accessibility, education, and business, and the medical edge is striking: PMC describes deepfake techniques being explored for psychotherapy, including grief counselling and treatment of trauma tied to sexual violence. A face that comforts a grieving person is a long way from a face weaponized to humiliate one.
What keeps legitimate use honest is disclosure. If viewers cannot tell your media is synthetic, you owe them the signal. Practical tools already exist: visible and invisible watermarking, and C2PA standards-based metadata labelling that travels with the file. Use them. And drop the instinct that labelling looks like a confession. Marking a clip as synthetic is not an admission of wrongdoing; it is part of doing the thing right, because the alternative is letting people be deceived by default.
Where the law draws lines (and where it doesn't yet)
Knowing the legal floor helps, as long as you remember it is a floor. The rules are narrow and uneven. California, per Carnegie Mellon's Tepperspectives, runs two targeted laws: AB 602 for sexual deepfakes and AB 730 for political ones, and nothing in between. Other jurisdictions have moved on specific categories too: South Korea, the UK, and several US states have banned non-consensual deepfake pornography or election fakes.
The wider map keeps shifting. In February 2024 the EU agreed a directive on combating violence against women that will outlaw sharing non-consensual deepfake pornography. Around it sit the EU AI Act, the US TAKE IT DOWN Act, the California AI Transparency Act, the UK Online Safety Act 2023, and China's 2023 rules on deep synthesis providers.
| Law or framework | What it targets |
|---|---|
| California AB 602 | Sexual deepfakes only |
| California AB 730 | Political deepfakes only |
| EU directive (Feb 2024) | Sharing non-consensual deepfake pornography |
| EU AI Act | Transparency duties for AI-generated content |
| TAKE IT DOWN Act | Removal of non-consensual intimate imagery |
| UK Online Safety Act 2023 | Harmful online content including intimate fakes |
| China deep synthesis rules (2023) | Obligations on synthetic-media providers |
See the pattern? Every line covers a slice, none covers the everyday swap of a private person, and they disagree across borders. So compliance answers one question only: will this get me sued or charged here? It does not answer the question that matters more. Legal is the floor. The consent, harm, and purpose test is the ceiling, and that is the one you set yourself.