The Italian DPA Garante has ordered owners of Replika, an AI-powered chatbot that creates a ‘virtual friend’ using text and video interfaces, to stop processing of personal data in Italy due to apps failure to meet compliance requirements under GDPR.
Garante found that Replika does not adhere to the GDPR’s transparency requirements and processes personal data in an unlawful manner. In particular, since children are not legally authorized to enter into a contract, invoking performance of a contract as legal basis is invalid.
The app poses risks to kids, given that they can be served replies that are completely unsuitable for their age. Moreover, Replika advertises itself as a tool to improve users’ emotional well-being, manage stress and establish social connections; all of which require interactions with an individual’s moods – which could increase harm to those who have yet to fully mature or are psychologically vulnerable.
Also, there is no age verification system preventing underage users from signing up for the app. During account creation, all Replika requires is your name, e-mail address and gender – meaning anyone can join. Furthermore, reviews across both App Stores include people warning others about inappropriate content.