What changed
On 9 July 2026 (decision dated 3 July 2026, document reference 10269571), the Garante per la Protezione dei Dati Personali (Italian data protection authority) issued a decision fining Character.AI €158,000 for violations of the GDPR in connection with the processing of personal data of minor users of its conversational AI platform. The Garante found five distinct violations: first, inadequate age verification mechanisms, which allowed minors to access the platform without effective controls commensurate with the risk that the platform's content and interaction model poses to minors; second, the absence of a mandatory cooling-off period following the ban of a minor user, enabling immediate re-registration and circumventing protective account restrictions; third, failure to set minor user profiles to private by default, contrary to the data protection by design and by default obligations under GDPR Article 25; fourth, failure to conduct a Data Protection Impact Assessment (DPIA) under GDPR Article 35 within the required timeframe, with the assessment completed late; and fifth, failure to appoint an EU representative under GDPR Article 27, which is mandatory for non-EU controllers that process personal data of EU data subjects on a systematic basis. The Garante issued remedial orders alongside the fine, requiring Character.AI to implement effective age verification, introduce a cooling-off period for minor re-registration, set minor profiles to private by default, and bring its EU representation into compliance, all within 120 days of the decision.
The Character.AI fine follows a period of heightened Garante scrutiny of AI conversational platforms; the authority restricted ChatGPT in 2023 and has since investigated multiple generative AI services for compliance with GDPR transparency, data minimisation, and age verification obligations. The five violations reflect a comprehensive theory of GDPR liability for consumer-facing AI platforms: the Garante applied not only the data protection by design and by default requirement of Article 25, but also the Article 27 EU representative requirement, which has historically been under-enforced for smaller non-EU technology companies but is receiving increasing attention from EU supervisory authorities as consumer-facing AI applications scale across the EU. The requirement to maintain a cooling-off period for banned minor users addresses circumvention risk specific to the AI chatbot context; the decision provides useful precedent for how GDPR Article 25 obligations translate into specific technical requirements for age-gated conversational AI services. Controllers offering similar conversational AI services to users in EU member states, in particular services accessible to or used by minors, should treat this decision as a benchmark for the minimum technical and organisational measures the GDPR requires.
What it means for your business
If you operate a consumer-facing AI platform, chatbot, or similar digital service accessible to minors across EU member states: The Garante's Character.AI decision establishes a GDPR compliance benchmark for age-gated AI services. As a minimum, implement effective age verification proportionate to the risk to minors, set minor profiles to private by default (Article 25), introduce a cooling-off period preventing banned minor users from immediately re-registering, and complete a DPIA under GDPR Article 35. If you are a non-EU controller processing personal data of EU data subjects on a systematic basis: The Article 27 EU representative requirement was among the five violations in this decision. Appoint an EU representative in writing, designate them as the point of contact for supervisory authorities, and inform data subjects of the representative's identity in your privacy notice. If you process personal data of minors under GDPR: Article 8 (age of consent for information society services) and Article 25 (data protection by design and by default) are increasingly enforced jointly. Review your age verification approach, default settings for minor users, and DPIA documentation against this decision. Use Verdaio's GDPR Quick Check to map your GDPR obligations.