Italy Italy Garante GDPR AI enforcement

Italy's €158,000 Character.AI Fine Is Modest by Design — And That's the Right Call

Garante fined Character Technologies over minor-safety and transparency gaps, but kept the penalty proportionate to the harm actually shown.

Italy's Two AI Fines, Compared People of Internet Research · Italy €158,000 Character.AI fine Garante order for minor-safety and… €15 million OpenAI fine, later annulled Original 2024 Garante penalty agai… 120 days Compliance reporting deadline Window for Character Technologies … March 18, 2026 Court ruling date on OpenAI Tribunale di Roma found the Garant… peopleofinternet.com
Italy's Two AI Fines, Compared People of Internet Research · Italy €158,000 Character.AI fine €15 million OpenAI fine, later annulled 120 days Compliance reporting deadli… March 18, 2026 Court ruling date on OpenAI peopleofinternet.com

Key Takeaways

Italy's data protection authority, the Garante per la protezione dei dati personali, fined Character Technologies Inc. €158,000 on July 9, 2026, for GDPR violations tied to its Character.AI chatbot platform. The Garante's press release cites deficient privacy notices, an inadequate age-verification system, a late Data Protection Impact Assessment, and the company's failure to designate an EU representative in time. Character Technologies must now fix its age-check system, build an effective "cooling-off period" that stops blocked minors from immediately re-registering, and set minors' profiles to private by default — reporting back to the regulator within 120 days.

The case for treating this seriously

The steelman here is straightforward: Character.AI lets users, including teenagers, hold open-ended conversations with AI-generated personas, and the platform has drawn well-documented controversy in the US over interactions with minors. A regulator that finds a company skipped its DPIA, never appointed the EU representative Article 27 of the GDPR requires for exactly this situation — a designated point of contact for supervisory authorities when a controller has no EU establishment — and shipped an age gate that doesn't actually gate, has identified real compliance failures, not hypothetical ones. Minors interacting unsupervised with a generative AI companion is a legitimate child-safety concern, and "set minor accounts to private by default" is a narrowly tailored, technically achievable fix, not a demand to redesign the product.

Why the number matters more than the headline

What's notable is what the Garante didn't do. €158,000 is a rounding error against Character Technologies' reported valuation, and it is a fraction of the €15 million the same regulator imposed on OpenAI in November 2024 over ChatGPT's data practices. That contrast is instructive on its own terms: the Garante distinguished a company with disclosure and process failures — late paperwork, a soft age gate — from the kind of large-scale, foundational data-processing violation it alleged against OpenAI. Proportionality is supposed to be a GDPR enforcement principle, not just a talking point, and this fine reads like the Garante applying it rather than reaching for a headline number.

That restraint looks wiser in light of what happened to the OpenAI fine. On March 18, 2026, the Tribunale di Roma annulled it entirely — not on the merits, but because the Garante had lost jurisdiction. Judge Damiana Colla found that once OpenAI's Irish subsidiary became its recognized EU main establishment on February 15, 2024, GDPR's one-stop-shop mechanism shifted lead-authority status to Ireland's Data Protection Commission months before Italy issued its November 2024 decision, per the court's reasoning as reported by ppc.land. The ruling leaned on EDPB Opinion 8/2019, which holds that supervisory competence must track where a company's main establishment actually sits — and that a change during pending proceedings shifts the lead authority before a final decision is adopted.

The jurisdictional fix embedded in the order

That history explains why the Character.AI order looks different in structure, not just size. Because Character Technologies had no EU establishment at all, the one-stop-shop mechanism that tripped up the OpenAI case never applies — there was no lead authority to hand off to, so Italy could act directly under GDPR's territorial-scope rules for non-EU controllers targeting EU users. The Garante's own remedy order treats the missing EU representative as a first-order violation, not an afterthought, which functionally forecloses the jurisdictional challenge that unwound its bigger case. That's a regulator that appears to have learned from its own courtroom loss four months earlier.

What the numbers still don't reach

Proportionate as this fine is, it also underlines a persistent enforcement-gap: a €158,000 penalty against a well-funded AI company is not a deterrent in any economic sense — it's a compliance nudge, banking on the 120-day remediation order rather than the fine itself to force product changes. That's arguably the correct tool. Structural remedies — fix the age gate, default minors to private, close the cooling-off loophole — change user exposure directly, in a way that a bigger fine wouldn't necessarily buy faster. Regulators reaching for eye-catching penalty figures to signal seriousness, only to see them vacated on jurisdictional technicalities as happened to the Garante itself, is a worse outcome for enforcement credibility than a modest fine paired with enforceable technical requirements.

The test now is compliance, not the number. If Character Technologies' age-verification and default-privacy fixes materialize within the 120-day window, this becomes a template: proportionate penalties, clear technical remedies, and jurisdiction anchored in a controller's actual EU footprint rather than a headline-grabbing sum a court later erases.

Sources & Citations

  1. Garante Privacy — official press release on Character.AI sanction
  2. EDPB Opinion 8/2019 on lead supervisory authority competence
  3. GDPR Article 27 — EU representative requirement
  4. ppc.land — Italian court annuls OpenAI's €15M fine
  5. ANSA — Garante sanctions Character.AI €158,000