Back to Feed
GDPRJul 14, 2026

Garante per la protezione dei dati personali (Italy) - 487/2026

Italy's Garante fines Character Technologies €158,000 for GDPR violations.

Summary

Italy's Garante per la protezione dei dati personali has fined Character Technologies, Inc. €158,000 for GDPR violations related to its AI chatbot service, Character.AI. The company failed to adequately inform users about its data processing activities and lacked effective age verification for minors. The Garante also noted misleading statements regarding data processing for LLM post-training.

Full text

Help Garante per la protezione dei dati personali (Italy) - 487/2026: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 08:23, 14 July 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators735 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 08:23, 14 July 2026 Garante per la protezione dei dati personali - 487/2026 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 3(2) GDPR Article 5(2) GDPR Article 12(1) GDPR Article 13(1) GDPR Article 14(1) GDPR Article 14(2) GDPR Article 14(5)(b) GDPR Article 21(1) GDPR Article 21(4) GDPR Article 24(1) GDPR Article 25(2) GDPR Article 27(1) GDPR Article 27(2) GDPR Article 35 GDPR Type: Investigation Outcome: Violation Found Started: 04.11.2024 Decided: 03.07.2026 Published: Fine: 158,000 EUR Parties: Character Technologies, Inc National Case Number/Name: 487/2026 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined a company providing a virtual character chatbot €158,000 for failing to sufficiently inform data subjects of its processing activities through its privacy policy, and for failing to implement effective age verification measures for underage data subjects using the service. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Character Technologies, Inc (the controller) is a company that operates the site Character.AI. Character.AI is a generative AI service that allows users to create and interact through chat with virtual characters that already exist or are created at the moment. The controller made this available to data subjects in Italian, and had a specific version for children. The DPA initiated an ex-officio investigation in 2024. The DPA requested information related to the LLM models used by the controller, the provision of the service, and data transfers. The controller provided a DPIA, and stated that it introduced an age verification system that required data subjects to register their date of birth. In 2025, the controller announced it would prevent underage data subjects from accessing open chat rooms, and would begin processing personal data of data subjects in the EEA to post-train its generative AI systems. Holding The DPA first clarified that the GDPR is applicable even if the controller was established outside of the EU, in accordance with Article 3(2) GDPR. The DPA took into account the fact that the service was available in Italy and in Italian, as well as the privacy policy also applying to EEA residents. Given that the controller did not have an establishment in the EU, the one-stop-shop mechanism did not apply and the DPA was competent. The DPA found a violation of Articles 12(1), 13(1) and (2), and 14(1) and (2) GDPR. The DPA considered that the controller had failed to meet its information obligations. In terms of the controller’s privacy policy, the DPA considered that the controller had not provided data subjects’ with clear information regarding its processing activities, data transfers, or data subjects’ right to object and opt out. In addition, the controller failed to designate a representative in the EU, and included misleading and inaccurate statements on the processing of personal data for purposes of post-training LLMs for the service. (FOOTNOTE 1). However, the DPA also took into consideration that the controller had updated its privacy policy to make its language clearer and to remove its multi-legal basis approach. In terms of its pre-training activities, the DPA stated that the controller had failed to provide adequate information and therefore violated Articles 14(1) and (2) GDPR. The DPA dismissed the controller’s argument that it did not have the obligation to provide this information due to the data being collected by third parties from open sources. The DPA stated that the controller had the obligation to verify whether personal data was present. In addition, the exemption under Article 14(5)(b) GDPR does not exempt the controller from having the obligation to implement appropriate measures to protect data subjects’ rights. However, the DPA did not find a violation of Articles 21(1) and (4). The DPA referred to the EDPB opinion on processing personal data in relation to AI systems (FOOTNOTE 2). The EDPB recommended controllers to adopt measures for data subjects to exercise their rights, including providing the option to provide data subjects with the option to object unconditionally before the processing takes place. The DPA considered that this opinion went beyond the literal wording of Articles 14 and 21 GDPR. This interpretation could not, in the DPA’s view, be interpreted retroactively to the controller’s processing activities. The DPA found a violation of Articles 24(1) and 25(2) GDPR. The DPA considered that the controller had failed to implement adequate technical and organisational measures to verify data subjects’ age. During its investigations, the DPA found that the controller’s age verification systems were not effective, as they allowed data subjects’ to access the service even after self declaring to be younger than the minimum age limit set by the controller. The DPA also found that the accounts were set to public by default. Therefore, the controller had failed to implement appropriate measures to protect underage data subjects, even if the GDPR does not set a harmonised and binding standard in relation to age verification. The DPA also found a violation of Articles 5(2) and 35 GDPR. Under Article 5(2) GDPR, the controller has the obligation to proactively demonstrate compliance with the GDPR. The DPA stated that a key tool to do this is through data protection impact assessments (DPIAs). Controllers are obliged to carry out a DPIA under Article 35 GDPR if the processing is likely to result in a high to the rights and freedoms of data subjects. The controller failed to do a DPIA in relation to providing the service to underage data subjects, as well as in relation to its processing activities for the purpose of pre-training its LLM [FOOTNOTE 3]. The DPA stated that the controller should have done this before launching the service in 2022, as the processing activities had a presumed high risk to freedoms and rights of data subjects (e.g. the use of large scale processing or processing data of vulnerable data subjects). However, the DPA acknowledged that the controller progressively improved its compliance by doing a (late) DPIA and updating it. Finally, the DPA found a violation of Article 27(1) GDPR, as the controller belatedly designated a representative in the EU. The DPA stated that the exemption under Article 27(2) GDPR did not apply. The DPA fined the controller €158,000. The DPA also ordered the controller to bring its privacy policy and storage of personal data for purposes of pre-training its LLM into compliance with the GDPR. The DPA also ordered the controller to implement effective age verification mechanisms. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. SEE ALSO Press Release of July 9, 2026 [web doc. no. 10269571] Measure of July 3, 2026 Register of Measures No. 487 of July 3, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural

Entities

Character Technologies, Inc (vendor)Character.AI (product)generative AI (technology)LLM (technology)