Luka Inc. – €5,000,000 Fine (Italy, 2025)

€5,000,000Garante per la protezione dei dati personali10 April 2025Italy
reduced
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Luka Inc. faced a massive €5,000,000 fine for failing to protect user data in its chatbot, Replika. The company did not get proper consent before collecting data and did not provide clear information about how it would be used. This ruling serves as a strong warning to tech companies about the importance of data protection, especially when it involves vulnerable users like children.

What happened

Luka Inc. failed to demonstrate a valid legal basis for processing personal data collected through its chatbot, Replika.

Who was affected

Users of the Replika chatbot, including children whose data was inadequately protected.

What the authority found

The Italian DPA found that Luka Inc. did not comply with GDPR requirements for data processing and consent.

Why this matters

This significant fine underscores the necessity for tech companies to ensure they have valid consent and protect user data, particularly for products aimed at younger audiences. It highlights a growing trend of strict enforcement of data protection laws.

GDPR Articles Cited

AI-verified

Art. 6(GDPR)
Art. 12(GDPR)
Art. 13(GDPR)
Art. 24(GDPR)
Art. 5(1)(a) GDPR
Art. 25(1) GDPR
View original scraped data
Art. 5(1) a) GDPR
c) GDPR
Art. 6(GDPR)
Art. 12(GDPR)
Art. 13(GDPR)
Art. 24(GDPR)
Art. 25(1) GDPR

Original data from scraper before AI verification against source document.

Source verified 10 March 2026
national law identified
Italy enforcementGarante per la protezione dei dati personali actionsAll Luka Inc. actions
Full Legal Summary
Detailed

The Italian DPA imposed a fine of EUR 5,000,000 on Luka Inc. The developer created a chatbot called Replika with a written and voice interface. It is based on a generative AI system, specifically an LLM model, that is constantly fed and improved by user interactions. Replika is intended to be a 'virtual companion' that improves users' moods and emotional well-being by helping them understand their own psyche. Replika can be set up as a friend, therapist, romantic partner, or mentor. The controller failed to demonstrate a valid legal basis for its data processing and failed to provide sufficient information on data processing in its privacy policy. Additionally, the controller failed to adopt appropriate measures to protect personal data collected from children and implement an age verification mechanism. The total sum of the fine can be reduced by 50% if paid within sixty days.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (1)

Other enforcement actions involving Luka Inc. in IT

Current
Apr 2025

Fine

€5.0M

Fine
May 2025· Garante per la protezione dei dati personali

US company Luka Inc. (the controller) made available Replika, a chatbot based on generative AI. Replika was meant to be a virtual companion that could...

€5.0M

Similar Cases

Enforcement actions with similar violations

Minister for Legal Protection

2022 · DPA RbOverijssel

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

CNIL

2019 · Court of Justice of the European Union

Details

Fine Date

10 April 2025

Authority

Garante per la protezione dei dati personali

Fine Amount

€5,000,000

Enforcement Tracker ID

ETid-2611

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Luka Inc. - Italy (2025). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: