Key Points:
- Italy’s data protection authority fined U.S.-based Character Technologies €158,000 ($180,500) for breaching European privacy regulations.
- The regulator identified multiple violations, including deficient age-verification procedures for minors and inadequate data-processing disclosures.
- The company failed to perform a timely Data Protection Impact Assessment and delayed appointing an official European Union representative.
- The enforcement action builds on Italy’s history of proactive AI regulation, following previous interventions against ChatGPT and Replika.
Italy’s highly proactive data protection authority has delivered another significant regulatory warning to the generative artificial intelligence industry, penalizing one of the sector’s most popular digital companion platforms. The regulator, known locally as the Garante, recently fined Character Technologies Inc. €158,000 ($180,500) for multiple violations of European privacy and child safety standards. The U.S.-based developer operates the widely used virtual chat platform, which allows users to interact with customizable, personality-driven digital personas. This targeted enforcement action highlights the mounting global scrutiny facing consumer-focused AI platforms, especially regarding how they manage underage users and collect personal behavioral data.
The primary driver behind the regulatory penalty is a systemic failure to protect younger users from accessing mature content without parental guidance. While the company’s platform theoretically restricts minors and features specialized safety filters to block explicit interactions, the Italian authority found these internal safety nets to be highly deficient. Specifically, technical audits revealed that the platform’s initial age-verification procedures are incredibly weak, relying on easily bypassed self-declaration inputs that fail to prevent children from accessing complex chatbot algorithms. The watchdog emphasized that companies operating high-stakes conversational software must implement reliable, foolproof verification systems to ensure minors cannot circumvent safety protocols.
In addition to the minor safety failures, the regulatory investigation uncovered serious shortcomings in how the platform communicates its data-handling practices to the public. Under the European Union’s strict General Data Protection Regulation, software developers must provide users with clear, unambiguous, and easily accessible information regarding how their personal text inputs and behavioral histories are processed, stored, and utilized. The watchdog determined that the startup’s existing privacy policies were overly vague and failed to adequately inform citizens about how their conversational data trains subsequent generations of large language models, representing a major transparency violation.
The administrative penalty also targets a series of critical corporate governance and compliance delays on the part of the American startup. The regulatory authority revealed that the firm failed to conduct a timely Data Protection Impact Assessment, which is a mandatory, proactive risk analysis that tech companies must complete before deploying complex, high-risk data-processing systems to the public. Furthermore, the company was late in appointing an official, legally recognized European Union representative. Under GDPR rules, any foreign technology firm that monetizes the personal data of European citizens must maintain a physical representative in the region to coordinate with local privacy watchdogs.
This latest enforcement action cements the Italian watchdog’s reputation as the most aggressive and proactive data regulator in Europe when it comes to supervising artificial intelligence companies. The Garante previously triggered a massive global debate on digital safety in 2023 when it briefly banned OpenAI’s ChatGPT over similar age-check and data collection concerns. Although the Court of Rome recently annulled a separate €15 million fine against OpenAI in March 2026, the watchdog’s aggressive initial stance successfully forced the entire generative industry to implement more robust privacy protections and user verification interfaces.
The successful effort to protect children online builds directly on similar previous enforcement precedents set against other prominent conversational software developers. In 2025, the Italian authority imposed a massive €5 million ($5.64 million) administrative fine on Luka Inc., the developer behind the companion chatbot Replika, after an exhaustive investigation proved that the platform actively cultivated emotional dependency in fragile users and completely lacked age-gating infrastructure. By repeatedly targeting these relationship-focused chatbots, European regulators are sending a clear signal that software designed to simulate human emotional connections will face a far higher standard of safety and regulatory oversight than general-purpose productivity tools.
The regulatory headaches for the U.S.-based developer extend far beyond the borders of southern Europe. Earlier this spring, the Australian eSafety Commissioner published a major digital safety transparency report summarizing platform responses to formal compliance notices. The report concluded that the developer, along with alternative digital companion providers, failed to adequately protect minors from highly suggestive, sexually explicit material generated during roleplay scenarios. The Australian audit also noted that these platforms frequently failed to refer users expressing self-harm or suicidal thoughts to localized crisis hotlines, reinforcing demands for global safety legislation.
The administrative fine lands at a highly challenging operational juncture for the digital companion sector. Under intense pressure from both investors and regulators to clean up their platforms, many startup developers stripped their applications of mature, adult-oriented features earlier this year to make them more child-friendly. However, this abrupt policy shift triggered a massive consumer revolt, with long-time paid subscribers taking to online forums to complain that their customized virtual partners had suffered a digital lobotomy. Having to balance complex safety requirements with high computing costs has squeezed startup margins, forcing companies to consolidate their model architectures to survive.
Ultimately, the fine imposed on the digital companion platform highlights the end of the unregulated honeymoon phase for consumer-focused artificial intelligence. As regulatory bodies across Europe, North America, and the Asia-Pacific region coordinate their oversight efforts, technology firms must accept that building advanced algorithms is no longer enough to succeed. True market viability requires integrating privacy-by-design principles, robust age-gating procedures, and strict data compliance into the very foundation of their products. The coming months will reveal whether the developer can successfully update its systems to satisfy European regulators, but the era of the lawless digital wild west is officially over.





