Italy's DPA reaffirms ban on Replika over AI and children's privacy concerns

Italy's data protection authority, the Garante, reaffirmed its ban on the generative artificial intelligence chatbot Replika, citing persistent violations of the EU General Data Protection Regulation and ongoing risks to minors and vulnerable users.

This latest enforcement action, detailed in the Garante's April 2025 decision, underscores the regulator's commitment to safeguarding children's privacy, fundamental GDPR principles, and concern for nascent generative AI technology deployment.

Background and initial enforcement

Replika, developed by San Francisco-based Luka Inc., is a large language model chatbot designed to serve as an AI "companion," offering users emotional support and conversational engagement. Replika describes itself as "The AI companion who cares" that is "always here to listen and talk."

In February 2023, the Garante issued an urgent measure, No. 39/2023, Reg. No. 18321/2023, restricting Replika's data processing activities in Italy pursuant to Article 58(2)(f) of the GDPR. The authority found Replika posed significant risks to minors, lacked effective age verification mechanisms — asking only for name, email address, and gender — and failed to comply with transparency obligations under Articles 5, 6, 8, 9 and 25.

The Garante highlighted that Replika's processing of personal data was unlawful, as it could not rely on contractual necessity as a legal basis when dealing with minors, who are legally incapable of entering into binding contracts under Italian law. The DPA also began a fact-finding investigation that ran parallel to Luka's attempts at remediation.