On May 1, 2026, OpenAI updated its Privacy Policy to explicitly authorize sharing your personal data with third-party marketing partners. This is not a routine language cleanup. The previous version of the policy limited data sharing to service providers acting under OpenAI's instructions. The updated version creates an entirely new category of data recipients - marketing partners - who can use your data to promote OpenAI products on external websites and apps. If you use ChatGPT, DALL-E, or any OpenAI product, this change affects how your personal information is distributed to outside companies.

ConductAtlas captured the full update within hours and generated a verified change record with version-level diff evidence. Here is what changed, why it matters, and exactly what you can do about it.

What the policy now says

The May 1, 2026 update introduces three material changes to how OpenAI handles your personal data. Each one expands the scope of data sharing beyond what the previous policy permitted.

Marketing partners are now data recipients. The previous policy stated that your data was shared with third parties who process it only in the course of performing their duties to OpenAI. That language implied a limited, controlled relationship - vendors doing work for OpenAI under OpenAI's direction. The updated policy adds a new section for Marketing Partners. These are third-party advertising companies that receive your personal data to promote OpenAI products on other websites and platforms. Unlike service providers, marketing partners are not bound by the same restriction to act solely on OpenAI's instructions. This is a structural change in how your data flows to outside companies.

Direct marketing is now a stated purpose. The updated policy adds direct marketing and advertising effectiveness measurement as explicit lawful purposes for processing your personal data. This means OpenAI can now use data it collects - including browsing behavior, cookies, and activity on its websites - to target you with advertising across the internet. The previous version did not list direct marketing as a purpose for data processing. This is not about what happens inside ChatGPT. It is about what happens when you visit OpenAI's websites, use their products, or interact with their infrastructure in ways that generate trackable data.

Cookie data flows to ad partners. The policy now explicitly states that data collected through cookies and similar tracking technologies can be shared with marketing partners. When you browse OpenAI's websites, cookies capture information about your activity. That data can now be sent to advertising companies who use it to target OpenAI ads to you on other sites. OpenAI's email to users stated that they will now use cookies to promote OpenAI products and services on other websites.

One important clarification: OpenAI explicitly states that your ChatGPT conversations are private and are not shared with advertisers. The data sharing applies to browsing activity, cookie data, and interaction metadata - not the content of your prompts or responses.

How does this compare to other AI platforms

OpenAI is not the first AI company to expand data sharing for advertising purposes. ConductAtlas tracks privacy policies across 200+ platforms, including every major AI provider. Among the AI companies we monitor, this move positions OpenAI alongside companies like Google, which has always used data for advertising across its ecosystem, rather than companies like Anthropic, whose current policy does not include advertising data sharing. The distinction matters because many users chose OpenAI partly based on how it previously handled their data. A policy that used to restrict sharing to service providers now permits sharing with advertising partners, and that shift changes the privacy calculus for anyone evaluating AI tools.

You can compare privacy provisions across platforms to see how different companies handle advertising data sharing, third-party access, and user opt-out rights.

Why this matters

This is not just a corporate disclosure update. The change has direct regulatory implications and creates new obligations for organizations using OpenAI's services.

GDPR exposure is significant. Under GDPR Article 13(1)(e), OpenAI must identify marketing partners as data recipients at the point of collection. Article 13(2)(b) requires disclosure of the direct marketing purpose. Article 6(1)(f) permits processing based on legitimate interests, but Recital 47 requires a balancing test - OpenAI must demonstrate that its advertising interests do not override your fundamental rights. Most critically, Article 21(2) gives you an unconditional right to object to direct marketing. If OpenAI serves users in the EU and does not provide a frictionless opt-out mechanism, it faces enforcement risk from every EU data protection authority.

CCPA and CPRA create opt-out obligations. Under CCPA/CPRA (California Civil Code 1798.120 and 1798.135), sharing personal information with marketing partners for cross-context behavioral advertising likely constitutes sharing under CPRA. This triggers a mandatory Do Not Sell or Share My Personal Information link and requires OpenAI to honor opt-out signals including Global Privacy Control. If OpenAI does not treat this data flow as sharing under CPRA, it risks enforcement action from the California Privacy Protection Agency.

FTC precedent applies. If OpenAI's previous privacy representations led users to believe their data would only be shared with service providers, this expansion could constitute a deceptive practice under Section 5 of the FTC Act. The FTC's 2023 Commercial Surveillance ANPRM and its ongoing scrutiny of AI companies make this a live enforcement risk, not a theoretical one.

EU cookie law requires prior consent. Under the ePrivacy Directive, Article 5(3), data collected via cookies and shared with marketing partners requires prior, informed consent in the EU and UK. Implied consent or pre-checked boxes do not satisfy this standard. CNIL and other EU DPAs have a track record of enforcing this aggressively - past actions against Meta and Google on behavioral advertising data flows set direct precedent.

For a complete list of regulatory frameworks that apply to OpenAI, see the OpenAI platform page on ConductAtlas.

What organizations should do

If your organization uses OpenAI's APIs, ChatGPT Enterprise, or any OpenAI service where employee or customer data flows through OpenAI's infrastructure, this policy change may affect you directly.

Review your Data Processing Agreement. Check whether your existing DPA with OpenAI still accurately reflects how OpenAI processes data. The new marketing partner category may not be covered under your current agreement. If your DPA references the old service-providers-only language, it may need updating.

Update your own privacy notices. If your users' data flows through OpenAI's consumer-facing services, you may need to disclose this downstream sharing in your own privacy policy. Under GDPR and CCPA, you cannot outsource disclosure obligations - if you know your processor shares data with marketing partners, you must inform your users.

Reassess vendor risk classification. If your internal vendor risk assessment for OpenAI was based on the previous data sharing scope, update it. The addition of marketing partners as data recipients changes the risk profile from controlled processor to processor with independent advertising data flows.

What you can do right now

If you are an individual ChatGPT user, three concrete steps reduce your exposure to this expanded data sharing.

Step 1: Opt out of marketing data sharing. Open ChatGPT on the web. Go to Settings, then Data Controls, then Marketing Privacy. Disable marketing cookies and third-party data sharing. This is the single most important action. OpenAI's own email directs you here. Do this today - every day you wait is a day your data flows to marketing partners.

Step 2: Review all data controls. While you are in Settings, check every option under Data Controls. OpenAI adds new settings with each policy update and does not always highlight them. Confirm your preferences for conversation history, model training opt-out, and any other controls available in your region.

Step 3: Use ChatGPT logged out when possible. If you do not need conversation history or saved preferences, using ChatGPT without a logged-in session limits cookie-based tracking. This reduces the data available for sharing with marketing partners. It is not a complete solution - OpenAI can still collect some data from anonymous sessions - but it narrows the scope.

For EU residents specifically: you have an unconditional right to object to direct marketing under GDPR Article 21(2). If OpenAI's opt-out mechanism does not fully satisfy this right, you can file a complaint with your national data protection authority. The relevant DPA contact information is available through the ConductAtlas regulations index.

How we know this changed

ConductAtlas monitors OpenAI's Privacy Policy every day using automated document capture. When the May 1, 2026 version was published, our system captured the full text, computed a cryptographic hash for verification, and generated a sentence-level diff against the previous version. The change was flagged as high severity based on the addition of new data sharing categories and new stated processing purposes. Our obligation intelligence system identified 2 new obligations added and 2 existing obligations expanded. The full verified change record, including diff evidence and regulatory exposure mapping, is available at the OpenAI Privacy Policy change record.

We track every version of every document we monitor. Nothing is editorialized. Every claim in this analysis is traceable to a specific sentence in a specific version of a specific document, archived with a timestamp and cryptographic verification.