Italy Fines Replika AI Chatbot Developer €5 Million for GDPR Privacy Breaches

Italy’s Data Protection Authority (Garante per la protezione dei dati personali) has fined Luka Inc., the U.S. developer behind the AI chatbot Replika, €5 million (approximately $5.4 million) for violations of the European Union’s General Data Protection Regulation (GDPR). The Garante issued its formal decision on April 10, 2025, and publicly announced the ruling on May 19, 2025. The authority found that Luka Inc. processed personal data without valid legal grounds and failed to effectively prevent access by minors, raising significant privacy concerns in AI services.
Background of the Investigation
The Garante initiated an independent investigation into Luka Inc. to evaluate Replika’s compliance with GDPR requirements. Replika is promoted as an AI-powered “virtual friend” that engages users in conversational interactions. In February 2023, the Garante had already ordered Luka Inc. to suspend data processing for Italian users due to unresolved risks to minors—a concern that has persisted, culminating in the latest penalty.
Key Violations Identified
According to the Garante, Luka Inc. committed two principal breaches of GDPR:
Lack of a Lawful Basis: Luka Inc. collected and processed personal data from user conversations with Replika without identifying a lawful basis for processing, such as explicit user consent or a contractual requirement, as mandated by GDPR.
Inadequate Age Verification: The company did not implement effective age verification measures, allowing minors to access and use the chatbot. This exposed young users to potentially inappropriate content and created additional data protection risks. Until at least February 2023, no technical controls were in place to block minors from using the service.
Additionally, the Garante has initiated a further inquiry into Luka Inc.’s use of user data for training the Replika AI model, signaling ongoing regulatory scrutiny.
Broader Impact on the AI Industry
The penalty highlights an increasing focus among European regulators on AI technologies that process large volumes of personal data. The Replika case underscores the importance for AI developers to prioritize robust data protection measures and to ensure strict compliance with GDPR—especially when vulnerable groups such as minors may be involved. Authorities across Europe are setting clear expectations for transparency, security, and accountability in AI-driven services.
Luka Inc.’s Response
Luka Inc., headquartered in San Francisco, has not issued a public statement regarding the fine. The company is required to address the Garante’s findings and may face further sanctions, including potential operational restrictions within Italy or other EU jurisdictions, if additional breaches are identified.
Implications for Users and Developers
This case serves as a reminder for users to review privacy policies and exercise caution when engaging with AI chatbots and other digital platforms. For AI developers, the decision reinforces the need to implement comprehensive privacy safeguards from the outset, including robust age verification and transparent data processing practices.
