Pornhub Owner Aylo Settles CSAM and Data Security Claims
Aylo, formerly Mindgeek and owner of Pornhub, will pay $5 million to settle FTC and Utah claims that it profited from child sexual abuse material (CSAM) and nonconsensual material (NCM). Regulators say Aylo continued hosting illegal content after reforms and left sensitive performer data exposed. The settlement requires stronger verification, removal of old content, technical safeguards, and independent audits for a decade.
Aylo settles for $5M after allegations of hosting CSAM and mishandling performer data
Aylo, the company behind Pornhub and formerly known as Mindgeek, has agreed to pay $5 million to the Federal Trade Commission and the state of Utah to resolve allegations that it profited from child sexual abuse material (CSAM) and nonconsensual material (NCM).
The settlement caps years of scrutiny that intensified after a 2020 New York Times exposé. Under pressure from payment processors, Aylo updated its verification policies in late 2020, requiring age verification and consent documentation for performers.
But regulators say those changes were not enough. The FTC and Utah allege Aylo continued to host illegal content and mishandled sensitive performer data obtained from a third-party vendor.
- Alleged data failures: Aylo is accused of retaining identity documents indefinitely, storing sensitive fields such as Social Security numbers and birthdates without encryption, and failing to limit access or isolate the records behind a firewall.
- Content moderation gaps: The FTC contends Aylo did not effectively ban users uploading CSAM, only preventing account re-creation under the same username or email, and that video fingerprinting was ineffective for years, allowing reuploads of flagged CSAM.
Aylo says the settlement reaffirms its efforts to combat CSAM and NCM and claims that the resolution mainly formalizes measures that were already in progress. Regulators, however, secured binding obligations and oversight.
Key settlement terms include:
- Verified consent and identity checks for anyone appearing in uploaded content.
- Technical and policy measures to block publication of CSAM and NCM and remove pre-existing illicit content.
- Ten years of independent third-party audits to confirm compliance with the settlement.
Beyond the headline dollar figure, this case highlights recurring risks for platforms that process user-supplied identity documents and host user-generated content: vendor data flows, retention policies, encryption and access controls, and whether automated moderation tools are actually effective in production.
For businesses and regulators, the Aylo settlement is a reminder that reputational and regulatory pressures can come not just from obvious wrongdoing but from operational gaps. Payment networks and advertisers can force swift change — but that often follows public exposure.
What should platforms do now? Practical steps include:
- Encrypt sensitive identity data at rest and in transit and adopt strict retention limits.
- Apply least-privilege access controls, logging, and network segmentation (don’t keep the keys in an unlocked drawer).
- Validate and monitor third-party vendors, and contractually require secure handling and timely deletion of data.
- Test content detection systems end-to-end and ensure bans and fingerprinting cover identifiers beyond username or email.
The Aylo case will likely be cited by regulators and plaintiffs as an example of how operational lapses magnify legal exposure. For leaders building or operating platforms that accept identity documentation and user uploads, the lessons are clear: build for auditability, enforceable vendor controls, and robust technical defenses before a crisis forces them.
QuarkyByte’s approach to cases like this is to pair technical validation with governance checks so organizations can demonstrate they fixed the root cause — not just added new language to a policy. That alignment reduces regulatory risk and restores trust with partners and users.