In September 2025, the Federal Trade Commission issued 6(b) orders to seven companies operating AI companion chatbots, including OpenAI, Meta, Alphabet, Character Technologies, Instagram, Snap, and X.AI (FTC, 2025). The unanimous 3-0 vote signaled something unusual: bipartisan consensus that AI companions deserve regulatory scrutiny. Since then, three U.S. states have passed laws specifically targeting companion chatbots, the EU AI Act’s transparency deadline is approaching fast, and enforcement actions keep stacking up. If you use an AI companion app or are considering one, here’s what the rules actually look like right now.
Key Takeaways
- Three U.S. states (New York, California, Washington) have enacted laws specifically regulating AI companion chatbots, with penalties up to $15,000 per day.
- The EU AI Act requires all chatbots to disclose they are AI by August 2, 2026, with fines reaching EUR 35 million or 7% of global revenue.
- The FTC issued investigation orders to seven major companies in September 2025, focusing on child safety and data practices.
- 20 of 27 apps in the CompanionWise catalog earn F or D safety ratings, suggesting most of the industry isn’t ready for stricter regulation.
- COPPA already applies to any AI companion app collecting data from children under 13, and proposed updates would raise the age threshold to 17.
What Laws Currently Regulate AI Companion Apps?
Three U.S. states now have laws on the books that specifically target AI companion chatbots, according to a March 2026 analysis by Outside GC. These aren’t broad AI regulations repurposed for chatbots. They define “AI companion” as a legal category and impose obligations that didn’t exist two years ago.
New York’s AI Companion Models Law took effect November 5, 2025. It requires any AI system that presents itself as a friend, partner, coach, or emotional support tool to disclose that it’s AI at the start of every conversation. Providers must also send reminders every three hours of continued use. When the system detects references to suicide or self-harm, it must follow a crisis-response protocol and direct users to human help. Penalties reach up to $15,000 per day for ongoing violations, enforced by the New York Attorney General.
California SB 243 went into effect January 1, 2026. It shares New York’s transparency requirements but adds a sharper focus on minors. Operators must maintain published protocols for handling suicide and self-harm content. Starting in 2027, they’ll need to report annually to California’s Office of Suicide Prevention. The law also restricts companion chatbots from presenting themselves as licensed healthcare professionals to minors. Civil penalties can reach $2,500 per violation under California’s Unfair Competition Law, assessed on a per-user or per-day basis.
Washington state enacted its companion chatbot law in April 2026, according to Hunton Andrews Kurth. What makes Washington’s law distinctive is its private right of action. Users harmed by non-compliant companion chatbots can sue the provider directly, rather than waiting for the attorney general to act.
As of April 2026, three states have enacted laws that specifically define and regulate AI companion chatbots. New York’s AI Companion Models Law, effective November 5, 2025, imposes penalties up to $15,000 per day for providers that fail to disclose AI status, send periodic reminders, or follow crisis-response protocols when users reference suicide or self-harm. California’s SB 243, effective January 1, 2026, adds youth-specific safeguards including mandatory self-harm protocols and annual reporting to the state Office of Suicide Prevention starting in 2027. Washington’s April 2026 law goes further by granting users a private right of action to sue non-compliant providers directly. Together, these laws establish a regulatory baseline that companion app developers operating in any of these states must now meet.
How Does the EU AI Act Affect Companion Apps?
The EU AI Act (Regulation 2024/1689) sets an August 2, 2026 compliance deadline for chatbot transparency requirements, according to GuruSup’s compliance analysis. That means every AI companion app available to users in the European Union must clearly disclose that the user is interacting with an AI system. No exceptions.
Most companion apps will likely fall under the “limited risk” category, which requires transparency obligations but not the extensive conformity assessments demanded of high-risk systems. The core rule is straightforward: tell users they’re talking to a machine. But the practical requirements have teeth. Apps must provide clear, timely disclosure before or at the start of the interaction. The disclosure can’t be buried in terms of service that nobody reads.
Where things get complicated is when companion apps are marketed to or used by minors. The EU AI Act’s recitals and the European Commission’s guidance suggest that AI systems interacting with vulnerable populations, including children, could be reclassified as “high risk.” That would trigger a full set of requirements: risk management systems, data governance, human oversight, and transparency documentation.
The penalties make U.S. state-level fines look modest. Non-compliance can result in fines up to EUR 35 million or 7% of global annual turnover, whichever is higher (Vucense, 2026). For context, that 7% figure would exceed what most companion app companies generate in total revenue.
The EU AI Act’s extraterritorial reach means U.S.-based companion apps with European users can’t ignore this. If your app is accessible in the EU, the regulation applies to you regardless of where your servers sit. Apps like Replika, Character.AI, and Candy AI all have large European user bases and will need to comply.
Under the EU AI Act (Regulation 2024/1689), every chatbot deployed in the European Union must disclose to users that they are interacting with an artificial intelligence system by the August 2, 2026 compliance deadline. Companion apps will generally fall under “limited risk” classification requiring transparency measures, though apps used by minors could face reclassification as “high risk” with far more extensive obligations. Non-compliance carries fines of up to EUR 35 million or 7% of global annual turnover, whichever is higher. The regulation applies extraterritorially, meaning any U.S.-based AI companion app accessible to EU users must comply regardless of where the company is headquartered or where its servers are located. No other regulatory framework carries this level of financial risk for companion app developers.
What Is the FTC Doing About AI Companion Apps?
The FTC launched a formal inquiry into AI companion chatbots on September 11, 2025, issuing 6(b) orders to seven companies in a unanimous 3-0 vote (FTC, 2025). The named companies included Alphabet, Character Technologies, Instagram, Meta Platforms, OpenAI, Snap, and X.AI Corp.
FTC Chairman Andrew N. Ferguson framed it as both a child safety issue and an innovation question. The investigation seeks to understand how these companies monetize user engagement, measure and monitor negative impacts before and after deployment, handle data from conversations, and enforce their own community guidelines and age restrictions.
The timing wasn’t accidental. By September 2025, multiple lawsuits had already been filed against Character.AI over teen mental health harms. Families in different states alleged that the platform’s chatbots contributed to emotional dependency, self-harm, and other serious harms among minors. Our Character.AI lawsuit explainer walks through the case timeline. In January 2026, Character.AI and Google settled the teen suicide and self-harm suits, though the settlement terms weren’t made public (The Verge, 2026).
The FTC inquiry matters because of its scope. The 6(b) authority allows the Commission to conduct wide-ranging studies without a specific law enforcement purpose. It’s an information-gathering exercise, but the data collected could fuel future enforcement actions, rulemaking, or legislative recommendations. Given the bipartisan support shown by the 3-0 vote, this issue isn’t going away with the next election cycle.
On September 11, 2025, the Federal Trade Commission issued 6(b) orders to seven companies that operate consumer-facing AI companion chatbots: Alphabet, Character Technologies, Instagram, Meta Platforms, OpenAI, Snap, and X.AI Corp. The Commission voted 3-0 to launch the inquiry, making it a rare example of bipartisan consensus on AI regulation. The investigation focuses on how these companies monetize user engagement, measure and monitor negative impacts on children and teens, handle personal information from conversations, and enforce age restrictions. FTC Chairman Andrew N. Ferguson stated that “protecting kids online is a top priority” while also emphasizing the importance of maintaining U.S. leadership in AI development. The inquiry’s 6(b) authority allows broad information gathering that could support future enforcement or legislative action.
How Do COPPA and KOSA Protect Minors Using AI Companions?
The Children’s Online Privacy Protection Act already applies to any AI companion app that collects personal information from children under 13, according to the FTC’s COPPA compliance guide. That includes chat logs, voice recordings, and any data the app gathers during conversations. Apps that know or should know they have users under 13 must obtain verifiable parental consent before collecting data.
COPPA compliance is a real problem for the companion app industry. Many apps rely on self-reported age during signup with minimal verification. A user who claims to be 18 can start chatting immediately, even if they’re actually 12. Our CompanionWise Safety Index evaluates age verification as one of 23 safety dimensions, and the results aren’t encouraging. Most apps in our catalog use nothing more than a date-of-birth field or a simple checkbox.
The Kids Online Safety Act (KOSA) would add a duty of care for platforms that minors use. Rather than just regulating data collection, KOSA would require platforms to prevent and mitigate specific harms to minors, including promotion of self-harm, bullying, and sexual exploitation. It passed the U.S. Senate in 2024 but hasn’t completed its legislative journey.
Proposed updates to COPPA (often called “COPPA 2.0”) would raise the protection threshold from age 13 to 17, covering teenagers who make up a significant portion of companion app users. If passed, apps like Character.AI (F/22) and Candy AI (D/32) would face much broader compliance obligations for their teen user base.
The Children’s Online Privacy Protection Act requires AI companion apps to obtain verifiable parental consent before collecting personal information from children under 13, including conversation data, voice recordings, and behavioral patterns gathered during chats. COPPA compliance is a real problem for the industry because most companion apps rely on self-reported age during registration with minimal verification beyond a date-of-birth field. The proposed COPPA 2.0 would extend protections to users under 17, which would vastly expand the number of companion app users covered by federal privacy requirements. The Kids Online Safety Act adds a duty-of-care framework requiring platforms to actively prevent and mitigate harms to minors, moving beyond data collection rules to address the content and behavioral impacts of AI companion interactions on young users.
What Does GDPR Mean for AI Companion App Users?
The General Data Protection Regulation gives EU users specific rights over their conversation data that most companion apps handle poorly. Under GDPR, users can request deletion of all their chat logs, object to automated profiling, and demand to know what data the app has collected about them. The regulation also requires a lawful basis for processing, and “emotional profiling” through extended companion conversations raises questions about whether standard consent mechanisms are sufficient.
Italy set the precedent in 2023 when the Garante (data protection authority) temporarily banned Replika, citing failures in age verification and the lack of a legal basis for processing emotional data. The ban was lifted after the company implemented changes, but it showed that European regulators take companion app data practices seriously. As noted in a March 2026 Financier Worldwide analysis, GDPR enforcement is increasingly being used to shape AI governance across the continent.
For users, this matters in practical ways. If you use an AI companion app and live in the EU, you have the right to request a copy of everything the app knows about you. You can ask for deletion of your conversation history. And if the app uses your emotional patterns to serve you targeted content or adjust its behavior, it may need your explicit consent for that specific purpose.
The challenge is that many companion apps don’t make these rights easy to exercise. Our safety scoring evaluates data handling practices across all 27 apps in the CompanionWise catalog, and the results show widespread gaps. Apps like Replika (C/43) have improved their GDPR compliance since the Italian ban, while others like CrushOn AI and Muah AI score poorly on transparency and data deletion.
Under the General Data Protection Regulation, European Union users have enforceable rights over personal data collected during AI companion conversations, including the right to access, rectification, erasure, and objection to automated profiling. Italy’s Garante set a clear precedent in 2023 by temporarily banning Replika over inadequate age verification and lack of legal basis for processing emotional data collected through companion interactions. The ban’s resolution required the company to implement substantive changes, showing that EU regulators will use GDPR to hold companion app developers accountable for their data handling practices. Apps that collect emotional patterns, behavioral data, and intimate conversation content must establish a lawful basis for processing under GDPR Article 6, which standard clickthrough consent may not satisfy for sensitive data categories.
Which AI Companion Apps Are Most Affected by New Regulations?
Apps that target minors, operate across multiple regulated jurisdictions, or collect extensive emotional data face the greatest regulatory pressure. Of the 27 apps in the CompanionWise Safety Index, 20 earn F or D safety ratings. That’s a compliance gap the industry can’t ignore as enforcement ramps up.
Here’s how some of the most popular companion apps stack up against key regulatory requirements:
| App | Safety Rating | AI Disclosure | Crisis Protocol | Age Verification | Data Deletion |
|---|---|---|---|---|---|
| Pi | B / 55 | Yes | Yes | Moderate | Available |
| ElliQ | B- / 53 | Yes | Yes | N/A (elderly) | Available |
| Replika | C / 43 | Yes | Partial | Basic | Available |
| Candy AI | D / 32 | Minimal | No | Basic | Unclear |
| Character.AI | F / 22 | Partial | Added post-lawsuits | Basic | Limited |
| CrushOn AI | F / 8 | No | No | None | Unclear |
The pattern is clear. Apps that score higher on the CompanionWise Safety Index tend to already meet some of the requirements that new regulations demand. Pi (B/55) and ElliQ (B-/53) have AI disclosure, crisis protocols, and data deletion pathways in place. At the other end, apps like CrushOn AI (F/8) and Muah AI (F/8) would need to rebuild from the ground up to meet even the basic requirements of New York’s law.
What does this mean for you as a user? Apps that invest in safety infrastructure now are the ones most likely to survive a tighter regulatory environment. Apps that don’t may face fines, lawsuits, or simply disappear from app stores in regulated markets. Our safest AI companion apps guide highlights which apps are ahead of the curve.
CompanionWise Safety Index data reveals that 20 of 27 reviewed AI companion apps earn F or D safety ratings, indicating most of the industry falls short of requirements established by new state and international regulations. Apps scoring in the B range or higher, such as Pi (B/55) and ElliQ (B-/53), already implement many mandated features including clear AI disclosure, crisis response protocols, and accessible data deletion pathways. Apps earning F ratings like CrushOn AI (F/8) and Muah AI (F/8) lack even basic transparency disclosures and would need to be rebuilt from scratch to comply with New York, California, or EU regulatory frameworks. The gap between the industry’s best and worst performers suggests that regulatory enforcement will disproportionately affect smaller, lower-quality apps while established players with existing safety infrastructure adapt more readily to compliance demands.
What Regulations Are Coming Next?
More state action is already underway. In January 2026, Kentucky Attorney General Russell Coleman filed an enforcement action directly against Character Technologies and its co-founders, Noam Shazeer and Daniel De Freitas Adiwardana (JD Supra, 2026). The complaint cited harms to minors from the platform’s AI companions. This was the first attorney general enforcement action specifically targeting an AI companion company.
Several other states have introduced companion-specific bills in their 2026 legislative sessions. The trajectory is clear: companion chatbot regulation is moving from a niche concern to a standard feature of state consumer protection frameworks. Do you live in a state that hasn’t passed a companion bot law yet? That may change before the end of 2026.
At the federal level, the FTC’s 6(b) inquiry results could fuel rulemaking or support new legislation. The Kids Online Safety Act remains active in Congress. And COPPA 2.0 proposals to extend protections to users under 17 would force companion apps to completely rethink how they verify and segment their user base.
In Europe, the EU AI Act’s full enforcement begins August 2, 2026. After that date, any AI companion available to EU users must meet transparency requirements or face potential fines. The European AI Office, established under the Act, will coordinate enforcement across member states.
The regulatory direction isn’t ambiguous. It’s toward more disclosure, stronger child safety protections, and real consequences for non-compliance. Our safety scoring methodology already evaluates many of the same dimensions these laws target. As the legal framework catches up to the technology, the gap between what regulators demand and what most apps deliver will become harder to ignore.
Frequently Asked Questions
Are AI companion apps legal?
Yes, AI companion apps are legal in all U.S. states and the EU. However, three states now impose specific requirements on companion chatbots. According to Outside GC’s analysis, New York, California, and Washington have enacted laws requiring AI disclosure, crisis protocols, and youth protections. More states have bills in progress.
Can an AI companion app be fined for not disclosing it’s AI?
Yes. New York’s law allows penalties up to $15,000 per day for failing to disclose AI status, according to the Outside GC analysis. California’s SB 243 carries $2,500 per violation. The EU AI Act adds fines up to EUR 35 million or 7% of global revenue for transparency failures.
Does COPPA apply to AI companion chatbots?
Yes, COPPA applies to any online service that collects personal information from children under 13, including AI companion apps. According to the FTC’s COPPA FAQ, this includes chat logs and conversation data. Proposed COPPA 2.0 updates would extend coverage to users under 17.
What happens to my chat data under GDPR?
EU users can request a full copy of their conversation data and demand its deletion under GDPR Articles 15 and 17. Italy’s Garante temporarily banned Replika in 2023 for GDPR violations related to age verification and emotional data processing, setting a precedent for enforcement against companion apps.
Is Character.AI being investigated by regulators?
Yes. Character.AI received an FTC 6(b) order in September 2025 (FTC). Kentucky’s attorney general filed an enforcement action in January 2026. The company also settled teen suicide and self-harm lawsuits with undisclosed terms in January 2026, according to The Verge.
Which AI companion apps have the best safety records?
Pi (B/55), ElliQ (B-/53), and Replika (C/43) lead the CompanionWise Safety Index among the 27 apps we’ve evaluated. These apps score higher on transparency, crisis response, and data handling. See our full safest AI companion apps ranking for detailed comparisons.
Will AI companion apps be banned?
No outright bans have been proposed in the U.S. or EU. The regulatory approach focuses on disclosure requirements, child safety protections, and accountability rather than prohibition. However, apps that can’t meet basic compliance requirements may be effectively removed from app stores in regulated markets through enforcement pressure.
The rules around AI companion apps are changing fast. Three U.S. states have passed companion-specific laws, the EU AI Act deadline is months away, the FTC has seven companies under investigation, and attorney general enforcement actions are now a reality. For users, the practical takeaway is straightforward: check what protections your app provides before sharing personal information with it.
We evaluate every companion app across 23 safety dimensions, including many of the same areas these regulations target. Browse the CompanionWise Safety Index to see how your app scores, read our parent safety guide if you have children using these apps, or take the Companion Matchmaker Quiz to find an app that matches your priorities on both experience and safety.