Italy Fines Character.AI 158K Euro Over Minors | TLY

AI Regulation Tracker  /  Enforcement

Italy's Garante Fines Character.AI Owner 158,000 Euro and Orders Working Age Checks for Minors

Regulatory summary: Italy's data protection authority fined Character Technologies Inc. 158,000 euro for GDPR failures and ordered it to make age verification work, add a cooling-off period so blocked minors cannot re-register, and set minor profiles to private by default, with proof of compliance within 120 days.

Primary source

Italy's Garante Fines Character.AI Owner 158,000 Euro and Orders Working Age Checks for Minors regulation briefing
The Leveraged Years AI Regulation Tracker

Key takeaways

  • The Garante moved from investigation to a concrete penalty and binding remediation against a foreign AI companion operator. It fined Character Technologies 158,000 euro and ordered three specific product-level fixes for minors: functioning age verification, a cooling-off period to block instant re-registration by a rejected minor, and private-by-default profiles for minor accounts. The authority also faulted the company for inadequate privacy notices, a late DPIA, and late appointment of the EU representative required under Article 27 of the GDPR.
  • Operators of consumer-facing generative-AI, chatbot, and companion products reachable by users in the EU, especially any service a minor could access. Inside those companies, the order lands on product and trust-and-safety teams that own age assurance and account flows, and on privacy and legal teams that own DPIAs, privacy notices, and the EU representative appointment.
  • Status: Announced July 9, 2026 via the Garante press release.
  • Audit your minor-facing account flow end to end: test whether age verification can be beaten, whether a blocked minor can re-register immediately, and whether new minor profiles default to private. In parallel, confirm your DPIA is current, your privacy notices meet Articles 13 and 14, and your Article 27 EU representative is appointed and documented.
DateJurisdictionRuleAffected professionalsStatus or effective date
2026-07-09Italy / EUThe Garante moved from investigation to a concrete penalty and binding remediation against a foreign AI companion operator. It fined Character Technologies 158,000 euro and ordered three specific product-level fixes for minors: functioning age verification, a cooling-off period to block instant re-registration by a rejected minor, and private-by-default profiles for minor accounts. The authority also faulted the company for inadequate privacy notices, a late DPIA, and late appointment of the EU representative required under Article 27 of the GDPR.Operators of consumer-facing generative-AI, chatbot, and companion products reachable by users in the EU, especially any service a minor could access. Inside those companies, the order lands on product and trust-and-safety teams that own age assurance and account flows, and on privacy and legal teams that own DPIAs, privacy notices, and the EU representative appointment.Announced July 9, 2026 via the Garante press release. The underlying decision (provvedimento) is dated July 3, 2026. The penalty and corrective orders are in force; the compliance report is due within 120 days. Character Technologies may challenge the decision before the competent Italian court.

Frequently Asked Questions

How much is the fine and who has to pay it?

The fine is 158,000 euro, roughly 180,500 dollars, and it is imposed on Character Technologies Inc., the U.S. company that operates Character.AI.

Is this decision in force, or can it be appealed?

It is in force as an enforcement decision, effective on notification. Character Technologies can challenge it before the competent Italian court, and an appeal could suspend or change it, but until then the penalty and corrective orders apply.

What exactly must the company fix for minors?

Three things: age verification that actually works, a cooling-off period that stops a blocked minor from immediately re-registering, and minor user profiles set to private by default. It must report the measures adopted within 120 days.

Which GDPR duties did the Garante say were breached?

Inadequate privacy notices to users, a late data protection impact assessment, a late appointment of the EU representative required under Article 27, and deficient safeguards and age verification for minors.

Does this only matter for companies operating in Italy?

No. The decision applies GDPR duties that reach any controller offering an AI companion or chatbot service to people in the EU. It is a concrete precedent that any EU supervisory authority can draw on, so operators reachable by EU minors should treat the ordered controls as the emerging baseline.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.