Replika Italian DPA Ban February 2023: When a Chatbot's Romantic Feature Reset Met EU Data Protection Authority Enforcement

Incident summary

Replika is an AI companion chatbot product operated by Luka, Inc. The product had grown a substantial paying-subscriber base by 2022-2023 with companion features including conversational personalization, voice interactions, and (for paying users) intimate-conversation modes including 'erotic roleplay' features.

In late January / early February 2023, Replika reset the erotic-roleplay feature for paying users, restricting intimate conversation modes following external pressure. The change produced significant user backlash, with paying subscribers reporting feelings of loss and grief about the personality change in their AI companion. The user-revolt episode was extensively covered in Vice, the BBC, and Reddit communities organized around Replika.

On 3 February 2023 the Italian Data Protection Authority (Garante) issued an order under EU GDPR provisions requiring Replika to immediately stop processing personal data of Italian users. The Garante cited insufficient minor protection (no robust age verification, content available to minors), mental-health risk to vulnerable users (the Garante explicitly cited the companion-product context), and lack of a clear lawful basis for processing under GDPR Article 6. The Garante's decision sat at the intersection of AI-product governance and EU data-protection enforcement.

Failure technique

Two distinct failure patterns converged. The first is product-governance: shipping an AI companion product with intimate-conversation features without robust age verification, vulnerable-user safeguards, or mental-health risk consideration. The Garante's decision focused on these gaps.

The second is product-management: making a substantial personality-changing modification to a product whose value proposition is companionship without proportional change-management for the user base. The erotic-roleplay reset produced acute user distress documented across multiple external venues; the change-management was insufficient to the emotional weight users had placed in the product.

Per GDPR Article 6 (lawfulness of processing) and Article 8 (children's data), the Italian Garante's order was based on documented gaps in Replika's compliance posture. The case is one of the earliest major EU regulatory actions against an AI consumer product and predates the EU AI Act enforcement timeline by more than a year. It is being cited in subsequent EU AI Act guidance development.

Impact and consequences

Direct impact on Replika: the company suspended Italian-user data processing in compliance with the Garante order, then negotiated remediation with the Garante over subsequent months. A May 2023 Garante update acknowledged Replika's remediation steps. The user-base impact in Italy was acute during the transition period.

Reputational impact on AI-companion category: the Replika case is the canonical 2023 reference for AI-companion regulatory exposure. Subsequent AI-companion product launches have addressed age verification, mental-health risk, and GDPR lawful-basis documentation more explicitly than 2022-era products did.

Regulatory precedent: the Italian Garante order is one of the earliest major EU regulatory actions against an AI consumer product. The decision sits in the body of precedent being cited as EU AI Act enforcement guidance is developed. The Garante's later 2023 work on ChatGPT (March 2023 ban + April 2023 conditional re-allowance) built on the Replika case methodology.

Lessons for builders

AI companion products operating in the EU need robust age verification, explicit mental-health risk consideration, and documented GDPR lawful basis before launch. The Garante order made these requirements concrete at the regulatory-enforcement level. AI Product Manager and AI Strategy Lead own this gate.

Major personality-changing product modifications to companion AI products require proportional change-management. The Replika erotic-roleplay reset produced acute user distress because the change-management did not match the emotional weight users had placed in the product. Senior AI Product Manager owns the change-management cadence.

Engage with EU data protection authorities before launch when the product profile is high-risk. The Garante order would not have occurred had Replika been in active pre-launch dialogue with the authority; the case demonstrates that EU regulator-engagement is a baseline expectation for high-risk AI consumer products operating in the EU.

Document the lawful basis for processing under GDPR Article 6 specifically and explicitly. Generic terms-of-service consent is insufficient for the categories of processing AI-companion products perform; documented analysis of which Article 6 basis applies for which processing activity is what the Garante required.

Mitigations

What builders should put in place to address the failure pattern. Each mitigation maps to operational practice the relevant Applied AI roles own.

Related Applied AI roles

The Applied AI roles whose day-to-day work would have prevented, detected, or contained this incident.

• AI Product Manager: An AI Product Manager owns AI-powered product features and the roadmap that ships them.
• AI Strategy Lead: An AI Strategy Lead owns organizational AI strategy and prioritization at the company level.
• Senior AI Product Manager: A Senior AI Product Manager owns AI product strategy across multiple feature areas.
• AI Product Lead: An AI Product Lead owns cross-functional AI initiative direction and outcomes.

Related AI Decipher Files

• EU AI Act Implementation: First Horizontal AI Regulation Goes Operational
• Air Canada Chatbot Ruling: When a Tribunal Decided AI Output Is Still Your Output
• Apple Intelligence Notification Summary Suspension January 2025: When a Headline Summarizer Misattributed Statements to a News Publisher

Frequently asked questions