SELINA.ai
Sign in

Companion Chatbot Laws Just Got Teeth: What California SB 243 and the Character.AI Fine Signal for Privacy and Consent Design

Two enforcement actions in the first half of 2026 turned companion-chatbot privacy regulation from hypothetical to operational. California's SB 243 took effect January 1, 2026, creating the first U.S. statute with a private right of action specific to AI companion chatbots. Six months later, Italy's Garante fined Character Technologies €158,000 (roughly $181,000) for GDPR breaches involving minors. If you build anything that remembers a user across sessions, responds in natural language, and cultivates an ongoing relationship, you now have two concrete enforcement patterns to design against, not just speculation.

Key Takeaways

What Does California SB 243 Actually Require?

SB 243 requires operators of "companion chatbots" to disclose clearly and conspicuously that the user is interacting with an AI, not a human, whenever a reasonable person could be misled. That is the headline obligation, but the statute's teeth are elsewhere.

The law establishes a private right of action for anyone who suffers "injury in fact." Statutory damages are the greater of actual damages or $1,000 per violation, plus attorneys' fees and costs. For a consumer-facing product with millions of users, the arithmetic is straightforward and unpleasant. This is not an FTC consent decree that takes years to negotiate. It is a cause of action available to any plaintiff's attorney in California.

Governor Newsom signed SB 243 on October 13, 2025, making California the first state to mandate specific safety safeguards for AI companion chatbots used by minors. Starting July 1, 2027, operators must also submit annual reports to California's Department of Public Health Office of Suicide Prevention, detailing chatbot-related crisis interactions while maintaining strict privacy and record-keeping practices. That reporting obligation converts crisis-handling from a product-support question into a regulatory compliance requirement with its own paper trail.

What Did the Garante Fine Character.AI For?

Italy's data protection authority fined Character Technologies for insufficient user transparency, inadequate safeguards for minors, and ineffective age-verification measures. The Garante also found that the company had delayed completing its Data Protection Impact Assessment and delayed appointing an EU representative, both structural obligations under GDPR that have nothing to do with the chatbot's output.

The €158,000 fine is small by big-tech standards. The remedial orders are not. The Garante ordered Character Technologies to set minors' profiles to private mode by default and report compliance within 120 days. That is a regulator dictating product defaults, not just imposing a penalty. If you think of a fine as the cost of doing business, you are missing the point. The order reshapes the product itself.

Italy has form here. The Garante briefly banned ChatGPT in 2023 over age-check and data-collection concerns, then let it return after remediation. The pattern is: temporary ban or fine, followed by a remedial order that sets a structural precedent other EU DPAs can reference. The Character.AI order is now that reference point for every companion chatbot operating in the EU.

How Do the Two Enforcement Models Differ?

They target different layers of the stack, and that matters for how you build.

California's SB 243 is disclosure-centric. The core obligation is telling users they are talking to an AI. The safety requirements for minors layer on top of that, but the compliance surface is largely about what you say to the user and when. A banner, a label, a notification. If you get the disclosure right and implement the mandated safety features, you have substantially reduced your California exposure.

The Garante's approach is data-minimization-centric. GDPR does not care much whether your chatbot has a label saying "I am AI." It cares whether you collected data lawfully, processed it with a valid legal basis, completed your DPIA before processing began (not after a regulator asked), minimized what you collected, and protected minors with appropriate technical and organizational measures. A disclosure banner satisfies California's letter. It does not satisfy a single GDPR obligation.

If you ship a companion chatbot to both markets, you need two compliance architectures. One is about consent presentation. The other is about data processing substance. Most "SB 243 compliance checklist" posts treat these as one problem. They are not.

Why Is Age Assurance a Privacy Paradox?

Because the methods strong enough to satisfy regulators often require collecting the exact categories of sensitive data that privacy law tells you to minimize.

Government-ID verification is the obvious approach. It is also the approach that creates a centralized repository of identity documents, introduces biometric processing if you use facial matching, and subjects every adult user to a verification regime originally intended to protect minors. This tension is already visible in the federal debate. The GUARD Act, which the Senate Judiciary Committee advanced unanimously on April 30, 2026, would require "reasonable age verification measures" for all user accounts on AI companion platforms and prohibit minor access entirely. Critics have noted that government-ID mandates burden the speech and associational rights of every adult, not just minors.

Character.AI's own response illustrates the product-level difficulty. Before both the SB 243 effective date and the Garante fine, the company announced it would remove the ability for under-18 users to engage in open-ended chats entirely, with a two-hour daily chat limit during the transition period. They built an in-house age assurance model and integrated third-party tools including Persona for identity verification. This is an expensive, operationally complex response. And it still presupposes collecting enough data to make the age determination.

The alternative path, the one we think matters, is privacy-preserving age assurance: on-device inference, zero-knowledge proofs of age without revealing identity, or federated verification that never centralizes documents. None of these are trivial to implement. But they are the only approaches that do not create a new privacy problem while solving the original one.

What Does a DPIA-as-Product-Spec Look Like?

A Data Protection Impact Assessment, done properly, produces a document that reads like a product requirements specification. The Garante's order against Character.AI gives you a concrete example of what "done properly" means in the companion-chatbot context.

The order mandated: minor profiles set to private by default. That is a default-settings requirement. A 120-day compliance window with a reporting obligation. That is a sprint deadline with an audit trail. The underlying DPIA findings that drove the fine included delayed assessment and delayed EU representative appointment. Both are structural requirements that should have been met before the product launched in the EU, not after a regulator came knocking.

If you are building a companion chatbot today, here is the exercise: take the Garante's remedial order and the SB 243 requirements, and write them as user stories. "As a minor user, my profile is private by default" is a product requirement, not a legal opinion. "As any user, I receive a clear notification that this is an AI before my first interaction" is a UX spec. "As the operator, I submit annual crisis-interaction reports to CDPH" is a data-pipeline requirement. The DPIA is not a PDF you file with legal. It is the source of truth for your default settings, your data retention policies, and your incident response architecture.

What Is the State Patchwork Shaping Up to Look Like?

California is not alone. New York's AI Companion Models statute took effect November 5, 2025. Washington state passed HB 2225 in March 2026, requiring AI companion apps to disclose non-human status to under-18 users. The Future of Privacy Forum's analysis suggests 2026 is shaping up as the year states actively experiment with chatbot-specific legislation, testing different approaches to transparency, safety, and youth protection.

At the federal level, the GUARD Act would go further than any state law by prohibiting AI companion access for minors entirely and authorizing penalties up to $250,000 per violation, with criminal liability for violations involving self-harm, violence, or sexual content exposure to minors. Whether it passes is uncertain. That it advanced unanimously out of committee is a signal about direction.

For founders, the practical implication is that you cannot optimize for one jurisdiction. You need a compliance architecture that can accommodate the strictest requirements across California's disclosure-plus-private-right-of-action model, the GDPR's data-minimization-and-DPIA model, and whatever the federal government eventually produces. The lowest-common-denominator approach, building to the strictest standard, is the only one that scales.

Why Did These Enforcement Actions Happen Now?

Because people got hurt, and the cases are documented. The regulatory push traces to specific harm. Megan Garcia testified to the U.S. Senate about her son Sewell Setzer III's suicide after what she described as manipulation and sexual grooming by chatbots designed to seem human, gain trust, and keep children endlessly engaged. An FTC inquiry launched in September 2025 targeted seven chatbot companies over child safety practices.

Regulators move on documented harm. The timeline from testimony to statute (SB 243 signed October 2025) to enforcement (Garante fine July 2026) is roughly nine months. That is fast for regulatory action. It reflects the severity of the underlying incidents and the political salience of child safety.

Consent design means the user's informed agreement is a structural property of the system, not a legal artifact layered on top of it.

Most chatbot operators treat consent as a click-through. A terms-of-service page. A cookie banner. Maybe an interstitial that says "this is an AI." SB 243 makes that interstitial legally mandatory, which is progress. But it is the floor, not the ceiling.

Real consent design answers a harder set of questions. Does the user understand what data is being retained and for how long? Can they actually delete it, and does deletion mean the data is gone? Can they export their conversation history? Do they know whether their conversations are used for model training? If they are a minor, do they understand (and do their parents understand) the nature of the interaction before it begins, not after?

The Garante's enforcement against Character.AI highlights a specific failure mode: the company's transparency to users was deemed insufficient. Not because they lied, but because what they disclosed did not meet the standard of "clear, specific, and easily accessible" that GDPR demands. The gap between "technically accurate" and "actually understood by the user" is where most consent design fails.

How We Think About This at Selina

We build a companion AI, so this legislation applies directly to us. Some specifics about how we handle the problems SB 243 and the Garante order highlight.

Memory is encrypted at rest. We should be clear about what that means and what it does not: memory is NOT end-to-end encrypted. A slice of each request reaches a frontier provider at inference time. We use a stack of frontier models, routed per task. Files and transfers via SelinaSEND are end-to-end encrypted, but memory is a different problem with different constraints, and we do not pretend otherwise.

Non-content operational metadata is retained for a short retention window. We do not claim zero retention. The account itself is protected. Content is encrypted. These are distinct properties and we describe them distinctly.

Delete means gone. Actually gone. Not soft-deleted, not archived, not "removed from the user-facing interface but retained for model improvement." When a user deletes a conversation, that data is removed.

We state these limits plainly because we think honesty about architecture is itself a form of consent design. If a user understands that their memory data passes through a frontier provider at inference, they can make an informed decision about what to share. If we obscured that, no amount of compliance checkboxes would make the consent real.

What Should Founders Do Right Now?

Five concrete steps, in rough priority order.

Audit your disclosure flow against SB 243's "reasonable person" standard. The statute requires notification that the chatbot is AI-generated whenever a reasonable person could be misled. That is a lower bar than "we have a terms-of-service page that mentions AI." If your chatbot uses a human name, a human avatar, or a conversational style designed to mimic human interaction (which, if you are building a companion chatbot, it almost certainly does), the disclosure needs to be prominent and early. Gunderson Dettmer's analysis is a good starting point for the specific compliance requirements.

Complete your DPIA before you need it. The Garante fined Character.AI partly for delaying this assessment. If you process data from EU users, the DPIA is not optional and it is not something you do after launch. Treat it as a pre-launch gate, like a security audit.

Implement private-by-default for minor accounts. This is now an explicit regulatory expectation in the EU, following the Garante's order. It is also good practice under SB 243's safety requirements for minors. If your product does not distinguish between minor and adult accounts, you have a prerequisite problem to solve first.

Design your age assurance to minimize data collection. Whatever method you choose, evaluate it against the privacy paradox. If your age-check system requires collecting government IDs or biometrics from all users, you have created a data-minimization problem to solve the age-assurance problem. Look at alternatives that keep sensitive data on-device or use zero-knowledge proofs of age.

Build the crisis-reporting pipeline now. SB 243's annual reporting requirement to CDPH takes effect July 1, 2027. That sounds distant. It is not, if you need to instrument your system to detect, log, and categorize crisis interactions while maintaining strict privacy protections on the reported data. This is a data-engineering project, not a legal one.

Where Is This Going?

The direction is clear even if the pace is uncertain. The combination of state-level private rights of action (California), EU data-protection enforcement (Italy), and advancing federal legislation (the GUARD Act) creates a ratchet. Each enforcement action or new statute becomes the baseline that the next regulator builds on.

For companion chatbot builders, the era of "move fast and hope regulators are slow" is over. The Garante's action against Character.AI took less than a year from the initial concerns to a fine and remedial order. SB 243's private right of action means any plaintiff's attorney in California can bring suit without waiting for a regulator to act. The enforcement gap that allowed companion chatbots to scale without meaningful oversight has closed.

The founders who treat this as a design constraint rather than a compliance burden will build better products. Not because regulation is inherently good, but because the specific requirements being imposed (clear disclosure, data minimization, private defaults for minors, crisis-handling infrastructure) are requirements that a well-designed companion AI should meet anyway. The law is catching up to where the engineering should already be.

If you want to see how we apply these principles in practice, start a free 7-day trial, no card required.

Frequently Asked Questions

What does California SB 243 require of companion chatbot operators?

SB 243 requires operators to clearly disclose that users are interacting with an AI, not a human, whenever a reasonable person could be misled, plus specific safety safeguards for minors. It also creates a private right of action letting individuals sue for statutory damages of the greater of actual damages or $1,000 per violation, plus attorneys' fees.

Why did Italy's Garante fine Character Technologies, and what did the fine actually change?

The Garante fined Character Technologies €158,000 for insufficient transparency, inadequate safeguards for minors, ineffective age verification, and delays in completing a DPIA and appointing an EU representative. More significant than the fine itself, the Garante ordered minors' profiles to be set to private by default and required compliance reporting within 120 days, directly reshaping product defaults.

How do the California and EU enforcement approaches differ for companion chatbots?

California's SB 243 is disclosure-centric, focused on telling users they're talking to an AI and adding minor-safety features, so a compliant banner and mandated features largely satisfy it. The GDPR/Garante approach is data-minimization-centric, concerned with lawful data collection, valid legal basis, timely DPIAs, and minor protections, meaning a disclosure banner does nothing to satisfy GDPR obligations.

What is the 'privacy paradox' of age assurance mentioned in the article?

Strong age-verification methods like government-ID or biometric checks require collecting more sensitive data, which increases the attack surface and contradicts the data-minimization principle the regulation is meant to enforce. The article suggests privacy-preserving alternatives like on-device inference or zero-knowledge age proofs as the only approaches that avoid creating a new privacy problem.

What practical step does the article recommend for founders building companion chatbots?

The article recommends treating the DPIA not as a legal checkbox but as a product requirements document, turning enforcement outcomes like the Garante's remedial order and SB 243's requirements into concrete user stories, such as private-by-default minor profiles and clear AI disclosure notifications, before regulators mandate them.

Sources & References

Michael C.

Michael C.

Founder & Principal Engineer, Selina Labs

Michael builds Selina, a privacy-first AI that remembers you across conversations. He ships security-sensitive AI in production — real attacks, real fixes, measured in minutes and dollars — and writes about privacy, security, and LLMs from that seat. Top Rated Plus and expert-verified on Upwork.

Learn more about Selina.ai