10 July 2026 · 8 min read · Provenance · C2PA

The label that falls off: where Content Credentials actually survive online

The compliance plan for AI content rests on metadata travelling with the file. An audit of 516 posts found it survives to the viewer about thirty percent of the time.

Both of our previous pieces leaned on the same caveat: Content Credentials — the C2PA metadata that marks an image as AI-generated — are easily stripped. That caveat deserves its own article, because the entire regulatory architecture arriving with the EU AI Act’s transparency rules assumes machine-readable marking that travels with the file. The question of whether it actually travels is empirical. It has been measured. The answer, as of the most recent independent testing, is: less than a third of the time.

The plan, on paper, is elegant

The design is a relay. The generator signs the file: OpenAI, Adobe, Google and others embed C2PA manifests or IPTC markers at creation. The platform reads the signal and labels the post: Meta announced in February 2024 that Facebook, Instagram and Threads read the "AI generated" information in the C2PA and IPTC standards, covering images from Google, OpenAI, Microsoft, Adobe, Midjourney and Shutterstock. TikTok became the first video platform to implement Content Credentials in May 2024. LinkedIn rolled out a “CR” icon the same month, showing origin, tool and issuer for signed media. YouTube went the other direction and added a “Captured with a camera” disclosure in October 2024 for videos with intact C2PA 2.1+ provenance and no edits.

A viewer sees a label; an advertiser inherits compliance from the pipeline. That is the theory.

Then someone measured it

In October 2025, the verification-tech publication Indicator ran the experiment: 516 posts of AI-generated images and videos carrying C2PA or IPTC provenance signals, uploaded over three weeks to Instagram, LinkedIn, Pinterest, TikTok and YouTube. Only 169 — just over 30% — received a correct AI label. The best performer, Pinterest, managed 55%.

The March 2026 follow-up, reported by the IPTC, showed real improvement with a revealing asymmetry: OpenAI content, which carries full C2PA signatures, was correctly labeled by LinkedIn, Pinterest and YouTube — but Meta AI’s own images, marked with the lighter IPTC tag in XMP metadata, went unrecognized by LinkedIn, TikTok and YouTube, and Pinterest missed Google Gemini content entirely. The IPTC’s verdict: “Tech platforms have the talent to implement C2PA tomorrow; they simply need the will to prioritize it.”

So the relay works — sometimes, for some signal formats, on some platforms. That is not a foundation a compliance obligation can stand on alone.

Matrix from March 2026 testing: LinkedIn, Pinterest and YouTube labeled C2PA-signed OpenAI content; LinkedIn, TikTok and YouTube missed Meta AI content marked with IPTC tags in XMP; Pinterest missed Google Gemini content
March 2026 testing, as reported by the IPTC. Full C2PA signatures fare best; lighter metadata markers routinely go unread.

Where the label goes to die

The deeper problem is that the marking often never reaches the platform’s reader at all, because the infrastructure between creation and upload strips metadata as a matter of routine. Image CDNs and optimizers remove it by design: Cloudflare’s Polish strips metadata as part of optimization, Cloudinary discards embedded EXIF/IPTC/XMP on transformed images by default, and sharp — the library inside countless upload pipelines — outputs metadata-free images unless a developer explicitly asks otherwise. Every one of those defaults predates C2PA and treats provenance as dead weight to shave off.

The platforms themselves finish the job on the delivered copy. The IPTC’s Facebook investigation found all XMP metadata removed (with Facebook’s own tracking fields injected in its place); a 2025 hands-on test confirmed Instagram, Facebook and X still strip embedded metadata from the files they serve; community testing in April 2026 reported C2PA manifests stripped by Instagram, X, Facebook and Threads; and Mastodon strips them too — there is an open GitHub issue asking it to stop. A platform can read the signal at ingest and still hand every resharer a naked file, which is exactly what happens: the label, where it exists, lives in the platform’s database, not in the image. And a screenshot — the internet’s favorite redistribution format — carries nothing at all.

One more uncomfortable fact: the IPTC’s last comprehensive, multi-platform metadata survival test dates to Spring 2019. Much of what the industry “knows” about metadata survival rests on seven-year-old data, patched by piecemeal independent tests.

Pipeline diagram: generator embeds credentials, CDN and optimizer defaults strip them, platform re-encoding strips them from the delivered copy, screenshots carry nothing — the reliable checkpoint is right before publishing
Signing happens once at creation; stripping happens at every hop after it.

The standard knows, and is adapting

None of this is news to the C2PA. Its own specification explainer describes “durable” Content Credentials: soft bindings — invisible watermarks or content fingerprints — that let a stripped image be matched back to its manifest in a recovery database. A conformance program now certifies implementations at defined assurance levels, and the IPTC published a practitioner FAQ on Content Credentials in July 2026. The direction of travel is right. But durable credentials require adoption at both ends of the pipe, and the testing above measures the pipe as it exists today.

What this means if you publish AI creative

From 2 August 2026, the EU AI Act’s deployer duty makes you responsible for disclosure on realistic AI imagery you publish — and as we saw above, the metadata your generator dutifully embedded has roughly coin-flip-or-worse odds of surviving to the audience. Two practical conclusions follow.

First: visible disclosure cannot be delegated to metadata. Where the duty applies, the label needs to be part of the creative or its immediate presentation, not a file property you hope the platform reads. Second: verify the final file, at the last stop you control. Check whether the credentials your workflow assumes are actually still in the asset you are about to ship — Chekr reads Content Credentials on every uploaded creative and surfaces the declared generator precisely because the upstream pipeline cannot be trusted to preserve them. It takes one free scan to see what your own export pipeline does to provenance — many teams discover their DAM or CDN stripped it months ago.

What to do about it

  • Treat embedded provenance as fragile: CDNs, optimizers and most social platforms strip it from delivered files by default.
  • Where disclosure is legally required, put it in the visible creative or its immediate context — metadata alone will not reach the audience reliably.
  • Verify the final exported asset before publishing, not the file the generator produced — a scan shows whether credentials survived your own pipeline.
  • If your platform mix includes LinkedIn, Pinterest or YouTube, full C2PA signatures currently get read far more reliably than lighter IPTC tags.
  • Watch “durable” Content Credentials (watermark + fingerprint recovery) — they are the standard’s answer to stripping, but adoption is early.

Sources

  1. Tech platforms fail to label AI content (516-post audit) — Indicator
  2. AI disclosure on social media “a work in progress” — IPTC
  3. Labeling AI-generated images on Facebook, Instagram and Threads — Meta
  4. Partnering with our industry to advance AI transparency and literacy — TikTok
  5. Content Credentials on LinkedIn — LinkedIn
  6. “Captured with a camera” disclosure on YouTube — YouTube / Google
  7. IPTC investigates: what does Facebook do with your photo metadata? — IPTC
  8. Social Media Sites Photo Metadata Test Results 2019 — IPTC
  9. Do social media sites strip EXIF data? (2025 test) — EXIFData.org
  10. AI image C2PA / watermark platform test — LPIC
  11. Do not strip C2PA manifests from uploaded photos (open issue) — Mastodon (GitHub)
  12. Cloudflare Polish documentation — Cloudflare
  13. Cloudinary image optimization documentation — Cloudinary
  14. sharp output options (metadata stripped by default) — sharp / pixelplumbing
  15. C2PA / Content Credentials Explainer 2.2 — C2PA
  16. Raising the bar for trust: the C2PA Conformance Program — Content Authenticity Initiative
  17. IPTC C2PA Content Credentials FAQs released — IPTC