Kentucky Attorney General Sues AI Chatbot Over Data Privacy Violations
On January 8, the Kentucky Attorney General announced the first lawsuit under the Kentucky Consumer Data Protection Act (KCDPA) against a company operating AI-based chatbots. The complaint alleges that the defendant violated the KCDPA through deceptive, unfair, and misleading acts and practices, as well as unfair collection and exploitation of children’s data.
Background
The company in question designed, built, marketed, and distributed an AI chatbot promoted as an interactive entertainment product. The complaint notes the company has over 20 million monthly active users and more than 180 million monthly website visitors. Users can create, customize, and interact with millions of chatbots, which may include popular children’s story characters.
Allegations
The complaint states that the platform’s features are dangerous for children due to the ease of account creation and the lack of effective age verification. The chatbots are designed to emulate humans, and the absence of safety measures causes significant harm. Additionally, ineffective chat filters expose users to harmful content, including sexually explicit conversations, promotion of suicidal or self-harming thoughts, and encouragement of drug and alcohol use.
Much of the complaint focuses on violations of Kentucky’s consumer protection laws. The Attorney General alleges the defendant engaged in deceptive and unfair practices and inadequately collected and exploited children’s data. The company failed to implement age verification, parental consent mechanisms, or identity verification to prevent children under 13 from accessing the platform.
Regarding consumer data privacy, the complaint accuses the defendant of failing to obtain verifiable parental consent before collecting and processing personal data of children. The KCDPA, effective January 1, requires companies to secure verifiable parental consent before processing known children’s personal data. The Attorney General states the company neither provides adequate notice nor obtains parental consent in compliance with these requirements.
Remedies
It is important to note the Attorney General seeks only injunctive relief, not monetary damages, under the KCDPA complaint. Before initiating KCDPA enforcement, the Attorney General must provide 30 days’ written notice specifying the violated provisions, giving the company 30 days to remedy the alleged violations.
The Attorney General declared: “The United States must be a leader in AI development, but it cannot come at the expense of our children’s lives.” The timing of this lawsuit indicates readiness to enforce the KCDPA.
