A Narrow Fine, a Detailed Indictment
On July 9, 2026, Italy's data protection authority, the Garante per la protezione dei dati personali, fined Character Technologies Inc. — the U.S. company behind the companion-chatbot app Character.AI — €158,000 for a cluster of GDPR failures. According to the Garante's press release, the violations included deficiencies in the information given to users about how their data is processed, a delayed Data Protection Impact Assessment (DPIA), a late-appointed EU representative, and — the headline problem — ineffective age-verification procedures. The regulator also ordered the company to set minors' profiles to private by default, which only makes sense if the prior default was public.
The corrective package is specific and time-bound: Character Technologies must make its age checks actually work, add a "cooling-off period" so minors blocked from the platform cannot simply re-register under a new account, default minor profiles to private, and report back on all of it within 120 days.
Not Italy's First Rodeo
Garante has been the EU's most aggressive AI regulator by volume of action. It briefly banned ChatGPT in 2023 over similar age-verification and data-collection concerns, then followed up in December 2024 with a €15 million fine against OpenAI for training ChatGPT without an adequate legal basis and for lacking age controls — a penalty nearly 95 times larger than the one just levied against Character Technologies for comparable conduct.
The Character.AI fine also lands inside a newly built domestic framework. Italy became the first EU member state to pass a dedicated national AI statute, Legge 132/2025, which took effect October 10, 2025 and requires parental consent before children under 14 can access AI systems or have their data processed in that context, with a lighter-touch consent standard for 14-to-17-year-olds. That law does not replace Garante's GDPR enforcement powers — it runs alongside them. Italy is now regulating AI-and-minors through two tracks at once: a data-protection authority applying existing GDPR tools case by case, and a bespoke statute setting consent floors in advance.
The Case for Taking This Seriously
The strongest argument for Garante's action isn't really about the fine amount — it's about what the underlying failures represent. A DPIA and an EU representative aren't bureaucratic ornaments; they're baseline GDPR obligations a company processing EU minors' data at scale should have satisfied well before Character.AI reached the tens of millions of users it now claims. Companion-chatbot products are also a genuinely different risk category from static content: they sustain personalized, emotionally engaged conversation over time, which is precisely why Character.AI faces multiple U.S. wrongful-death and product-liability suits, including the case brought over 14-year-old Sewell Setzer III's 2024 suicide. Default-to-public minor profiles and an age gate porous enough to draw regulatory censure are not abstract compliance gaps; they're the concrete mechanism by which a vulnerable user ends up exposed. On that reading, Garante is doing exactly what a data protection authority should: turning "privacy by design" from a slogan into an enforceable default.
Where the Enforcement Logic Breaks Down
But the timeline undercuts the fine's practical force. By July 2026, Character.AI had already announced — in October 2025 — that it would eliminate open-ended chat for all users under 18 entirely, with the change fully in effect by November 25, 2025, backed by a new in-house age-assurance model and third-party verification tools. That is a far more sweeping remedy than anything Garante's order requires: not better age gates, but no minor access to open-ended chat at all. The company's own account attributes the shift to litigation exposure, regulatory questions, and safety-expert feedback — market and legal pressure that moved faster than the Italian administrative process which produced this week's fine.
Garante's order effectively catches up to conduct the company had already superseded eight months earlier.
That sequencing matters for how much credit GDPR enforcement can claim for the actual safety improvement. A fine calibrated to punish 2025-era gaps, arriving after a 2026 fine, risks becoming a compliance-paperwork exercise — DPIAs filed, EU representatives appointed, private-by-default toggles flipped — that trails behind the market discipline already doing the heavier lifting. €158,000 is immaterial to a company operating at Character.AI's scale, and Garante's own OpenAI precedent shows it is capable of levying penalties two orders of magnitude larger when it judges the underlying conduct warrants it. The modest figure here suggests the authority itself views this largely as a procedural rebuke rather than a proportionate response to child-safety risk.
The Right Instinct, the Wrong Pace
Garante's transparency — publishing specific technical findings and a concrete 120-day remediation clock — is a template worth other DPAs copying instead of headline-grabbing maximalist fines that invite years of appeal, as OpenAI is doing with its €15 million penalty. But a regulator that wants enforcement to matter, not just to exist, needs to move at the speed of the harm it's addressing. When a platform's own liability exposure forces a faster, more thorough fix than the regulator ultimately orders, the fine functions as a closing entry in the file rather than a driver of the outcome. Proportionate regulation should mean matching penalties to real-time risk — not settling accounts for a problem the market has already solved.