Italian Privacy Watchdog Fines Character.AI and Imposes New Measures to Protect Minor Users
The Italian Data Protection Authority has decided to sanction Character Technologies Inc., a U.S. company that operates the generative artificial intelligence service Character.AI. The fine imposed by the Italian authority amounts to €158,000 and concerns several violations related to the processing of personal data of users.
Character.AI allows users to create and interact with virtual characters based on artificial intelligence, providing an experience that is also accessible to minor users. The presence of young people among the users prompted the regulator to examine the protection systems and procedures adopted by the platform with particular attention.
The investigation, initiated directly by the Authority, highlighted some issues related to compliance with privacy regulations. Among the contested aspects were the information provided to users, which was deemed insufficient, the delay in conducting the impact assessment on personal data protection, and the subsequent designation of the company's representative in the European Union.
The Italian Privacy Watchdog identified specific issues related to the protection of minors and the functioning of mechanisms used to verify the age of registered users. According to the authority, the use of generative artificial intelligence in an entertainment service frequented by young users poses risks that require adequate preventive measures.
During the proceedings, Character Technologies had already introduced some changes. The regulator acknowledged the interventions made by the company but still established additional obligations to increase the security level of the platform.
Among the main requests, the company must ensure that age verification systems work correctly, prevent already blocked minors from quickly creating new accounts through a mandatory waiting period, and automatically activate more restrictive privacy settings for the profiles of minor users. Character Technologies must report the measures adopted to the regulator within 120 days of receiving the order.