The question of whether AI companies can use your photographs to train generative models has moved from online debate to courtroom and legislature. Several jurisdictions now recognize photographers' rights to opt out of text-and-data mining (TDM) for AI training purposes. But exercising that right requires more than intention. You need proof that you created the work, and you need that proof in a form that machines can read.
This article covers the current legal framework across the EU and the United States, explains why traditional protection methods fall short in this context, and describes how C2PA content credentials can serve as both proof of authorship and a foundation for enforceable opt-out signals.
The Legal Landscape
Several overlapping legal frameworks now govern AI training and photographers' rights. The specifics differ by jurisdiction, but the direction is consistent: creators are gaining formal mechanisms to control how their work is used.
In the European Union, the AI Act's Article 53 requires providers of general-purpose AI models to respect copyright reservations expressed through machine-readable means. This builds on the EU Copyright Directive's text-and-data mining exception, which allows TDM for research purposes but permits rights holders to opt out of commercial TDM by expressing a reservation "in an appropriate manner." The question of what qualifies as "appropriate" has been the subject of litigation.
In December 2025, the Hanseatic Higher Regional Court in Hamburg (Kneschke v. LAION) ruled on the question of what constitutes an effective opt-out. The court found that a plain-text copyright reservation on a website, without a corresponding machine-readable signal, was insufficient to qualify as a rights reservation under Article 4(3) of the Copyright Directive. The photographer in the case lost his appeal because his opt-out was not expressed in a form that automated crawlers could detect. The court identified robots.txt directives, the TDM Reservation Protocol, and metadata tags as examples of acceptable machine-readable formats. For photographers, the practical takeaway is clear: if your opt-out is not machine-readable, it may not be legally effective.
In the United States, California's Generative AI Training Data Transparency Act (AB 2013) took effect on January 1, 2026, requiring AI developers to publicly disclose information about their training data, including whether copyrighted material was used. The law is a disclosure requirement, not an opt-out mechanism: it does not give rights holders the ability to request removal of their work from training datasets. But it increases transparency about what data is being used, which strengthens the evidentiary basis for future copyright claims. While the US does not yet have a federal equivalent to the EU's opt-out right, the legal landscape is shifting. The Anthropic settlement of $1.5 billion in September 2025 over unauthorized use of pirated books for AI training signaled that courts and companies take these claims seriously.
The practical implication for photographers is clear: if you want to assert control over how your images are used in AI training, you need two things. First, you need to be able to prove that you are the author of the work. Second, you need to express your opt-out preference in a machine-readable format that automated scrapers and training pipelines can detect.
Why Traditional Methods Are Not Enough
Photographers have long relied on a combination of watermarks, metadata, and copyright notices to assert ownership. These methods have real value for attribution and deterrence, but they have specific weaknesses in the context of AI training opt-outs.
Watermarks are visual deterrents, but they do not constitute proof of authorship. They can be added by anyone, and generative AI tools are increasingly capable of removing them. A watermark tells a human viewer "this image belongs to someone," but it does not provide machine-readable authorship data that an automated training pipeline can process.
EXIF metadata, including copyright fields, is routinely stripped during web distribution. Most social media platforms, content management systems, and image hosting services remove or overwrite EXIF data as part of their processing pipeline. By the time a scraper encounters your image on the web, the metadata you carefully embedded may no longer be present.
Robots.txt can signal a preference against scraping, and while it technically supports directives for individual file paths, in practice it is most commonly used at the directory level and offers no granular per-image rights management. It also relies on the scraper choosing to respect it. There is no enforcement mechanism built into the protocol.
Copyright registration provides legal standing for infringement claims, but it is retrospective. It proves you registered the work at a specific date. It does not embed authorship information into the image file itself, and it does not provide the machine-readable signal that the Hamburg court ruling and the EU AI Act contemplate.
Content Credentials as Proof of Authorship
C2PA content credentials address several of these gaps simultaneously. When you verify and sign an image with Lumethic, the resulting C2PA manifest contains a cryptographically signed record that includes the identity of the signer, a timestamp of when the signing occurred, cryptographic hashes of both the verified image and its source RAW file, and the results of forensic verification checks confirming the image is a genuine camera capture.
This manifest is embedded in the image file and travels with it. Unlike EXIF metadata, a C2PA manifest is cryptographically protected: any modification to the image or the manifest breaks the signature, making tampering detectable. Unlike a watermark, the manifest contains structured, machine-readable data that automated systems can parse.
The authorship claim in a C2PA manifest is backed by evidence, not just assertion. Because Lumethic's verification process confirms that the JPEG derives from a genuine camera RAW file through multi-factor forensic analysis, the resulting signature carries more weight than a self-declared metadata field. It says not only "this person claims authorship" but also "this image passed forensic verification against a camera source file signed by this person."
For AI training opt-out purposes, this is significant. A C2PA manifest provides exactly the kind of machine-readable authorship signal that regulations and courts are beginning to require. An AI company processing images for training data can check for C2PA manifests, identify the rights holder, and respect opt-out preferences expressed within the credential metadata.
Making Your Opt-Out Machine-Readable
The C2PA standard supports custom assertions, which means that rights management information can be embedded alongside provenance data. A content credential can carry information about licensing terms, usage restrictions, and training data preferences in a structured format.
The practical steps for photographers involve combining content credentials with existing opt-out mechanisms for the broadest coverage. Embed C2PA credentials in your images through Lumethic's verification process. Set appropriate copyright metadata in the C2PA manifest, clearly identifying yourself as the rights holder. Where your images are hosted on your own website, implement robots.txt directives and the emerging ai.txt protocol to signal TDM opt-out at the site level. For images distributed through stock platforms or agencies, confirm that the platform supports or preserves C2PA metadata.
This layered approach ensures that your opt-out signal is expressed in multiple forms: embedded in the image file via C2PA, declared at the website level via robots.txt, and documented through copyright registration where applicable. The redundancy matters because no single mechanism is universally respected, and having multiple signals strengthens your legal position.
A Practical Workflow
For photographers who shoot RAW and process in Lightroom, the workflow is straightforward.
After your normal editing process, use the Lumethic Lightroom plugin to verify your export. The plugin sends your JPEG and RAW to Lumethic's verification engine, which runs its eight forensic checks and, on successful verification, signs the JPEG with a C2PA manifest containing your authorship credentials and verification results. The signed JPEG is ready for delivery, upload, or publication with its content credentials intact.
For photographers working outside Lightroom, the Lumethic web platform provides the same verification and signing workflow through a browser interface. Upload your JPEG and RAW file, receive your verification report, and download the signed image. The RAW file is used only for verification and is never stored.
For mobile photographers, Lumethic Capture creates verified images at the point of capture on iOS. Each photograph captured through the app undergoes sensor verification and receives a C2PA manifest immediately, without requiring a separate RAW upload step.
Whichever path you use, the outcome is the same: your image carries a cryptographically signed, forensically backed record of authorship that machines can read and legal proceedings can reference.
What This Means for Enforcement
Content credentials do not prevent an AI company from scraping and using your images. No technical measure can do that unilaterally. What content credentials provide is evidence. They create a documented record of authorship that is difficult to dispute and that satisfies the "machine-readable" requirement courts and regulators are establishing.
If an AI company scrapes your C2PA-signed image, they have received a file that contains your identity, a timestamp, forensic verification results, and (where included) your rights management preferences. If they proceed to use that image in training data without your consent, the C2PA manifest serves as evidence that your authorship was clearly established and that your preferences were expressed in the format they were obligated to check.
The legal frameworks are still developing. Not every jurisdiction has the same requirements, and enforcement mechanisms are being tested in courts for the first time. But the direction is toward stronger rights for creators and stricter obligations for AI developers. Photographers who build a practice of signing their work with content credentials now are creating an archive of evidence that will be increasingly valuable as these frameworks mature.
Frequently Asked Questions
Does signing my images with C2PA prevent AI companies from using them? No technical measure can prevent scraping entirely. What C2PA provides is machine-readable proof of authorship and a framework for expressing opt-out preferences. This strengthens your legal position if your work is used without consent.
Do I need a C2PA-enabled camera? No. Lumethic verifies your JPEG against your RAW file regardless of what camera you use. Any camera that shoots RAW is compatible.
Is C2PA metadata preserved on social media? Currently, most social platforms strip embedded metadata including C2PA manifests. However, Google now reads C2PA data in its image search features, and industry pressure for metadata preservation is growing. For images you distribute through your own website or direct delivery, the credentials remain intact.
How does this relate to robots.txt? Robots.txt and C2PA serve complementary functions. Robots.txt signals at the website level that you do not consent to TDM scraping. C2PA signals at the individual image level who created the work and what rights are reserved. Both together provide the strongest opt-out position.
What about the Anthropic settlement? The September 2025 settlement (Bartz v. Anthropic, $1.5 billion) demonstrated that AI training data rights have significant financial consequences. That case specifically involved Anthropic's use of pirated books from shadow libraries, and the judge separately ruled that use of legally acquired books was protected as fair use. The specifics of each case differ, but the settlement reinforced that unauthorized use of creative work for AI training carries legal liability. Having documented proof of authorship via C2PA strengthens any future claim.