On February 2, 2023, the Italian Data Protection Authority (“Garante”) issued an urgent order blocking the AI-powered chatbot Replika from processing the personal data of Italian users because it poses risks to minors and vulnerable people and is not in compliance with Article 13 of Regulation 679/2016 (General Data Protection Regulation, or “GDPR”).
Replika is a “virtual friend”: through voice and text users can configure it to function and interact as a friend, romantic partner, or mentor. The AI-powered chatbot simulates human behavior and, through its algorithm, learns from users’ interactions to offer empathetic companionship, emotional support, comfort, and help with anxiety or socialization issues.
According to the Garante, although Replika is pitched as improving users’ wellbeing by helping them understand and manage their emotions, it also has an impact on users’ state of mind, which means it could pose a risk for individuals still in the developmental stages or in emotionally fragile states.
The Garante noted that Replika lacks mechanisms sufficient to verify the ages of users creating accounts—the software merely requires users to indicate their names, email addresses, and genders. Furthermore, tests conducted showed that even when Replika was fed an explicit statement that a user was a minor, no blocking system was triggered to prevent further interaction between the user and the chatbot. As a result, a minor user could be provided inappropriate replies, including sex-related content that should not be made available to minors or to vulnerable individuals in general.
For these reasons, the Garante issued an urgent order limiting Replika’s processing of personal data of users in Italian territory. The U.S.-based controller now has 20 days to report on the measures adopted to comply with the Garante’s requests. The company may also challenge the decision before the appropriate court within 60 days, pursuant to Article 78 GDPR.
This is the second urgent order issued by the Garante in relation to the protection of minors in a digital environment. It again confirms that the Garante is paying extremely close attention to protecting vulnerable individuals online, in part by requiring effective age verification systems.
The full decision is available (in English and Italian) here.
See Order No. 9524194 of January 2021, which immediately restricted processing performed by TikTok with regard to the data of users whose age could not be established with certainty, available here.