Italy's Garante bans Replika from processing Italian users' data

On February 2, 2023, Italy’s data protection authority, the Garante per la protezione dei dati personali, ordered Luka Inc., the US company behind the AI companion app Replika, to stop processing the personal data of Italian users. It was one of the first regulatory actions in the world taken specifically against an AI companion product.

The Garante’s measure cited several problems. As of February 2, 2023, the authority said, the company “had not individuated” any legal basis under the GDPR for the data processing carried out through the app, and its privacy policy was “inadequate under various profiles.” Most pointedly, the regulator found that Replika “did not provide any mechanism to verify users’ age,” either at sign-up or during use, even though the company claimed to exclude minors. The authority described the service as one that lets users “generate” a virtual companion acting as “a confidant, therapist, romantic partner, or mentor,” and warned that such a system could pose particular risks to children and to emotionally vulnerable people.

The case did not end with the 2023 block. In May 2025 the Garante imposed a 5 million euro fine on Luka over the same conduct and opened a further investigation into the entire lifecycle of the generative-AI model behind the service, including its training data and risk assessments.

Why business readers should care: the Replika action showed that companion AI sits squarely inside existing privacy law, and that “we exclude minors” is not a defense without an actual age-verification mechanism. The same grounds the Garante used against Replika - legal basis, transparency, and protection of minors - became recurring themes as regulators turned to consumer chatbots that build intimate relationships with their users.

Last verified June 7, 2026