Italy Fines Character.AI Owner €158,000 Over GDPR and Child Protection Failures

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Regulatory action: Italy's Garante fined Character Technologies, the owner of Character.AI for data protection violations.
  • Privacy concerns: The regulator cited insufficient user transparency, inadequate safeguards for minors, and ineffective age-verification measures.
  • Compliance gaps: Character Technologies was also found to have delayed its Data Protection Impact Assessment (DPIA) and the appointment of an EU representative.

Italy's data privacy watchdog Garante has fined Character Technologies, the U.S.-based company behind Character.AI, €158,000 (roughly $180,500) within 30 days of notification for violating General Data Protection Regulation (GDPR). The decision, announced on Thursday, follows an investigation into how the generative AI platform processes users' personal data and protects minors who use the service.

Character.AI enables users to interact with AI-generated virtual characters, including role-playing and conversational assistants.

Garante Cites Privacy Transparency, Age Verification, and Child Safety Issues

The Italian authority said that Character Technologies did not provide users with sufficiently clear information about how their personal data is processed. The authority also found shortcomings in the safeguards designed to protect minors and concluded that the platform's age-verification measures were not effective enough.

The regulator said additional protections are required beyond those already implemented. In particular, Character Technologies will have to:

Character Technologies Penalized for GDPR Compliance Delays

In addition to the privacy and child protection findings, the Garante said Character Technologies failed to complete a Data Protection Impact Assessment (DPIA) and appoint an EU representative within the required timeframe. 

Both are key compliance requirements under the GDPR for organizations processing the personal data of individuals in the EU.

A Data Protection Impact Assessment (DPIA) is a GDPR requirement for processing activities that are likely to pose a high risk to individuals' rights and freedoms. It helps organizations identify and mitigate privacy risks before launching or significantly changing products that process personal data.

Character AI Case Highlights Continued AI Enforcement in Europe

The latest enforcement action signals that European regulators continue to closely examine how generative AI providers handle personal data, implement age assurance measures, and meet GDPR compliance obligations when offering AI services to users in the region.

The decision adds to the Garante's record of enforcing data protection rules against AI platforms. In 2023, the authority temporarily blocked OpenAI's ChatGPT over concerns related to data collection and age verification before the service resumed operations after changes were introduced.

Local authorities a few days announced the arrest of a Japanese teen using ChatGPT to gain unauthorized access to Bandai Channel systems, possibly exposing up to 1.3 million users. 


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: