Italy Fines Character.AI Owner €158,000 Over GDPR and Child Protection Failures
- Regulatory action: Italy's Garante fined Character Technologies, the owner of Character.AI for data protection violations.
- Privacy concerns: The regulator cited insufficient user transparency, inadequate safeguards for minors, and ineffective age-verification measures.
- Compliance gaps: Character Technologies was also found to have delayed its Data Protection Impact Assessment (DPIA) and the appointment of an EU representative.
Italy's data privacy watchdog Garante has fined Character Technologies, the U.S.-based company behind Character.AI, €158,000 (roughly $180,500) within 30 days of notification for violating General Data Protection Regulation (GDPR). The decision, announced on Thursday, follows an investigation into how the generative AI platform processes users' personal data and protects minors who use the service.
Character.AI enables users to interact with AI-generated virtual characters, including role-playing and conversational assistants.
Garante Cites Privacy Transparency, Age Verification, and Child Safety Issues
The Italian authority said that Character Technologies did not provide users with sufficiently clear information about how their personal data is processed. The authority also found shortcomings in the safeguards designed to protect minors and concluded that the platform's age-verification measures were not effective enough.
The regulator said additional protections are required beyond those already implemented. In particular, Character Technologies will have to:
- ensure the correct functioning of the age verification systems,
- ensure the effectiveness of the mechanisms that prevent new registration attempts by blocked minors (the so-called "cooling off period"),
- set the profiles of minors to private mode by default.
Character Technologies Penalized for GDPR Compliance Delays
In addition to the privacy and child protection findings, the Garante said Character Technologies failed to complete a Data Protection Impact Assessment (DPIA) and appoint an EU representative within the required timeframe.
Both are key compliance requirements under the GDPR for organizations processing the personal data of individuals in the EU.
A Data Protection Impact Assessment (DPIA) is a GDPR requirement for processing activities that are likely to pose a high risk to individuals' rights and freedoms. It helps organizations identify and mitigate privacy risks before launching or significantly changing products that process personal data.
Character AI Case Highlights Continued AI Enforcement in Europe
The latest enforcement action signals that European regulators continue to closely examine how generative AI providers handle personal data, implement age assurance measures, and meet GDPR compliance obligations when offering AI services to users in the region.
The decision adds to the Garante's record of enforcing data protection rules against AI platforms. In 2023, the authority temporarily blocked OpenAI's ChatGPT over concerns related to data collection and age verification before the service resumed operations after changes were introduced.
Local authorities a few days announced the arrest of a Japanese teen using ChatGPT to gain unauthorized access to Bandai Channel systems, possibly exposing up to 1.3 million users.





