On 10 April 2025, the Italian Data Protection Authority (DPA) announced that it had fined Luka, the provider of the artificial intelligence chatbot Replika, EUR 5 million for violating the General Data Protection Regulation (GDPR). The DPA identified three main violations.

First, Luka failed to properly identify valid legal bases for its various data processing operations, including those related to developing its large language model Replika. The privacy policy contained only vague references to contractual necessity, consent, and legal authorization without specifying which applied to which processing activities.

Second, Luka's privacy policy was only available in English, lacked transparency, and contained multiple inaccuracies. It failed to clearly distinguish between the "chatbot interaction" and "model development" processing purposes, did not specify data retention periods, provided misleading information about international data transfers, and incorrectly suggested that the service used automated decision-making within the meaning of the GDPR.

Third, despite claiming to exclude minors from the service, Luka implemented no effective age verification mechanisms. The company failed to assess the risks of processing minors' data and did not implement safeguards to protect vulnerable users.

In February 2023, the DPA had initially imposed a temporary ban on Replika's operations in Italy. Luka subsequently implemented various corrective measures, including age verification systems and improved privacy policies. However, technical investigations identified persistent deficiencies, such as users being able to change their birth date without verification after registration and the ability to bypass cooling-off periods through incognito browsing. The DPA also ordered Luka to further improve its privacy policy and strengthen its age verification system.