The label that falls off: where Content Credentials actually survive online
The compliance plan for AI content rests on metadata travelling with the file. An audit of 516 posts found it survives to the viewer about thirty percent of the time.
Both of our previous pieces leaned on the same caveat: Content Credentials — the C2PA metadata that marks an image as AI-generated — are easily stripped. That caveat deserves its own article, because the entire regulatory architecture arriving with the EU AI Act’s transparency rules assumes machine-readable marking that travels with the file. The question of whether it actually travels is empirical. It has been measured. The answer, as of the most recent independent testing, is: less than a third of the time.
The plan, on paper, is elegant
The design is a relay. The generator signs the file: OpenAI, Adobe, Google and others embed C2PA manifests or IPTC markers at creation. The platform reads the signal and labels the post: Meta announced in February 2024 that Facebook, Instagram and Threads read the "AI generated" information in the C2PA and IPTC standards, covering images from Google, OpenAI, Microsoft, Adobe, Midjourney and Shutterstock. TikTok became the first video platform to implement Content Credentials in May 2024. LinkedIn rolled out a “CR” icon the same month, showing origin, tool and issuer for signed media. YouTube went the other direction and added a “Captured with a camera” disclosure in October 2024 for videos with intact C2PA 2.1+ provenance and no edits.
A viewer sees a label; an advertiser inherits compliance from the pipeline. That is the theory.
Then someone measured it
In October 2025, the verification-tech publication Indicator ran the experiment: 516 posts of AI-generated images and videos carrying C2PA or IPTC provenance signals, uploaded over three weeks to Instagram, LinkedIn, Pinterest, TikTok and YouTube. Only 169 — just over 30% — received a correct AI label. The best performer, Pinterest, managed 55%.
The March 2026 follow-up, reported by the IPTC, showed real improvement with a revealing asymmetry: OpenAI content, which carries full C2PA signatures, was correctly labeled by LinkedIn, Pinterest and YouTube — but Meta AI’s own images, marked with the lighter IPTC tag in XMP metadata, went unrecognized by LinkedIn, TikTok and YouTube, and Pinterest missed Google Gemini content entirely. The IPTC’s verdict: “Tech platforms have the talent to implement C2PA tomorrow; they simply need the will to prioritize it.”
So the relay works — sometimes, for some signal formats, on some platforms. That is not a foundation a compliance obligation can stand on alone.
Where the label goes to die
The deeper problem is that the marking often never reaches the platform’s reader at all, because the infrastructure between creation and upload strips metadata as a matter of routine. Image CDNs and optimizers remove it by design: Cloudflare’s Polish strips metadata as part of optimization, Cloudinary discards embedded EXIF/IPTC/XMP on transformed images by default, and sharp — the library inside countless upload pipelines — outputs metadata-free images unless a developer explicitly asks otherwise. Every one of those defaults predates C2PA and treats provenance as dead weight to shave off.
The platforms themselves finish the job on the delivered copy. The IPTC’s Facebook investigation found all XMP metadata removed (with Facebook’s own tracking fields injected in its place); a 2025 hands-on test confirmed Instagram, Facebook and X still strip embedded metadata from the files they serve; community testing in April 2026 reported C2PA manifests stripped by Instagram, X, Facebook and Threads; and Mastodon strips them too — there is an open GitHub issue asking it to stop. A platform can read the signal at ingest and still hand every resharer a naked file, which is exactly what happens: the label, where it exists, lives in the platform’s database, not in the image. And a screenshot — the internet’s favorite redistribution format — carries nothing at all.
One more uncomfortable fact: the IPTC’s last comprehensive, multi-platform metadata survival test dates to Spring 2019. Much of what the industry “knows” about metadata survival rests on seven-year-old data, patched by piecemeal independent tests.
The standard knows, and is adapting
None of this is news to the C2PA. Its own specification explainer describes “durable” Content Credentials: soft bindings — invisible watermarks or content fingerprints — that let a stripped image be matched back to its manifest in a recovery database. A conformance program now certifies implementations at defined assurance levels, and the IPTC published a practitioner FAQ on Content Credentials in July 2026. The direction of travel is right. But durable credentials require adoption at both ends of the pipe, and the testing above measures the pipe as it exists today.
What this means if you publish AI creative
From 2 August 2026, the EU AI Act’s deployer duty makes you responsible for disclosure on realistic AI imagery you publish — and as we saw above, the metadata your generator dutifully embedded has roughly coin-flip-or-worse odds of surviving to the audience. Two practical conclusions follow.
First: visible disclosure cannot be delegated to metadata. Where the duty applies, the label needs to be part of the creative or its immediate presentation, not a file property you hope the platform reads. Second: verify the final file, at the last stop you control. Check whether the credentials your workflow assumes are actually still in the asset you are about to ship — Chekr reads Content Credentials on every uploaded creative and surfaces the declared generator precisely because the upstream pipeline cannot be trusted to preserve them. It takes one free scan to see what your own export pipeline does to provenance — many teams discover their DAM or CDN stripped it months ago.
What to do about it
- Treat embedded provenance as fragile: CDNs, optimizers and most social platforms strip it from delivered files by default.
- Where disclosure is legally required, put it in the visible creative or its immediate context — metadata alone will not reach the audience reliably.
- Verify the final exported asset before publishing, not the file the generator produced — a scan shows whether credentials survived your own pipeline.
- If your platform mix includes LinkedIn, Pinterest or YouTube, full C2PA signatures currently get read far more reliably than lighter IPTC tags.
- Watch “durable” Content Credentials (watermark + fingerprint recovery) — they are the standard’s answer to stripping, but adoption is early.
Sources
- Tech platforms fail to label AI content (516-post audit) — Indicator
- AI disclosure on social media “a work in progress” — IPTC
- Labeling AI-generated images on Facebook, Instagram and Threads — Meta
- Partnering with our industry to advance AI transparency and literacy — TikTok
- Content Credentials on LinkedIn — LinkedIn
- “Captured with a camera” disclosure on YouTube — YouTube / Google
- IPTC investigates: what does Facebook do with your photo metadata? — IPTC
- Social Media Sites Photo Metadata Test Results 2019 — IPTC
- Do social media sites strip EXIF data? (2025 test) — EXIFData.org
- AI image C2PA / watermark platform test — LPIC
- Do not strip C2PA manifests from uploaded photos (open issue) — Mastodon (GitHub)
- Cloudflare Polish documentation — Cloudflare
- Cloudinary image optimization documentation — Cloudinary
- sharp output options (metadata stripped by default) — sharp / pixelplumbing
- C2PA / Content Credentials Explainer 2.2 — C2PA
- Raising the bar for trust: the C2PA Conformance Program — Content Authenticity Initiative
- IPTC C2PA Content Credentials FAQs released — IPTC