On May 1, 2026, OpenAI updated its Privacy Policy to explicitly authorize sharing your personal data with third-party marketing partners. This represents a substantive change to OpenAI's data sharing framework. The previous version of the policy limited data sharing to service providers acting under OpenAI's instructions. The updated version introduces a new category of data recipients: marketing partners, authorized to use personal data to promote OpenAI products on external websites and apps. If you use ChatGPT, DALL-E, or any OpenAI product, the updated terms expand who may receive your personal information.
ConductAtlas captured the full update within hours and generated a verified change record with version-level diff evidence. Here is what changed, why it matters, and exactly what you can do about it.
What the policy now says
The May 1, 2026 update introduces three material changes to how OpenAI handles your personal data. Each one expands the scope of authorized data sharing under the agreement.
Marketing partners are now data recipients. The previous policy stated that your data was shared with third parties who process it only in the course of performing their duties to OpenAI. That language implied a limited, controlled relationship - vendors doing work for OpenAI under OpenAI's direction. The updated policy adds a new section for Marketing Partners. These are third-party advertising companies that receive your personal data to promote OpenAI products on other websites and platforms. Unlike service providers, marketing partners are not bound by the same restriction to act solely on OpenAI's instructions.
Direct marketing is now a stated purpose. The updated policy adds direct marketing and advertising effectiveness measurement as explicit lawful purposes for processing your personal data. This means OpenAI can now use data it collects - including browsing behavior, cookies, and activity on its websites - to target you with advertising across the internet. The previous version did not list direct marketing as a purpose for data processing.
Cookie data flows to ad partners. The policy now explicitly states that data collected through cookies and similar tracking technologies can be shared with marketing partners. When you browse OpenAI's websites, cookies capture information about your activity. That data can now be sent to advertising companies who use it to target OpenAI ads to you on other sites.
One important clarification: OpenAI explicitly states that your ChatGPT conversations are private and are not shared with advertisers. The data sharing applies to browsing activity, cookie data, and how you interact with their sites - not the content of your prompts or responses.
What this means for you
If you use ChatGPT, here is how this affects you.
The updated terms authorize browsing data sharing with ad networks. When you visit OpenAI's websites, data collected through cookies can now be shared with marketing partners for ad targeting. You may see OpenAI ads on other websites based on your activity on OpenAI's sites. Your activity profile now extends beyond OpenAI's own platforms.
Third-party data sharing terms have broadened. The previous policy stated that all third parties process data only in the course of performing their duties to OpenAI. That blanket restriction now applies only to service providers, not marketing partners. Marketing partners operate with more independence in how they use the data they receive from OpenAI.
An opt-out exists, but you have to find it. OpenAI added a new marketing privacy setting. You can access it at Settings, then Data Controls, then Marketing Privacy. This allows you to disable marketing cookies and limit third-party data sharing. This opt-out may work differently depending on where you live.
What you can do right now
You can limit this right now. Here is how.
Step 1: Opt out of marketing data sharing today. Open ChatGPT on the web. Go to Settings, then Data Controls, then Marketing Privacy. Disable marketing cookies and third-party data sharing. This is the most direct action available under the current settings.
Step 2: Review all your data controls. While you are in Settings, check every option under Data Controls. OpenAI adds new settings with each policy update and does not always highlight them. Confirm your preferences for conversation history, model training opt-out, and any other controls available in your region.
Step 3: Use ChatGPT logged out when possible. If you do not need conversation history or saved preferences, using ChatGPT without a logged-in session limits cookie-based tracking. This reduces the data available for sharing with marketing partners.
For EU residents specifically: you have an unconditional right to object to direct marketing under GDPR Article 21(2). If OpenAI's opt-out mechanism does not fully satisfy this right, you can file a complaint with your national data protection authority.
Regulatory context
Organizations using OpenAI services may need to evaluate whether the updated terms affect their own compliance obligations.
GDPR considerations. Under GDPR Article 13(1)(e), OpenAI must identify marketing partners as data recipients at the point of collection. Article 6(1)(f) permits processing based on legitimate interests, but Recital 47 requires a balancing test. If OpenAI serves users in the EU without a frictionless opt-out for direct marketing, it may face scrutiny from EU data protection authorities.
CCPA and CPRA create opt-out obligations. Under California Civil Code 1798.120 and 1798.135, sharing personal information with marketing partners for cross-context behavioral advertising likely constitutes sharing under CPRA. This triggers a mandatory Do Not Sell or Share link and requires OpenAI to honor Global Privacy Control signals.
FTC precedent applies. If OpenAI's previous privacy representations led users to believe their data would only be shared with service providers, this expansion may raise questions under Section 5 of the FTC Act.
EU cookie law requires prior consent. Under the ePrivacy Directive, Article 5(3), data collected via cookies and shared with marketing partners requires prior, informed consent in the EU and UK.
What organizations should do
If your organization uses OpenAI's APIs, ChatGPT Enterprise, or any OpenAI service where employee or customer data flows through OpenAI's infrastructure, here is what to do.
Review your Data Processing Agreement. Check whether your existing DPA with OpenAI still accurately reflects how OpenAI processes data. The new marketing partner category may not be covered under your current agreement.
Update your own privacy notices. If your users' data flows through OpenAI's consumer-facing services, you may need to disclose this downstream sharing in your own privacy policy. Under GDPR and CCPA, downstream data sharing may trigger disclosure obligations for your organization.
Reassess vendor risk classification. The addition of marketing partners as data recipients changes OpenAI's risk profile from controlled processor to processor with independent advertising data flows. Internal vendor risk assessments should be updated accordingly.
How does this compare to other AI platforms
OpenAI is not the first AI company to expand data sharing for advertising purposes. ConductAtlas tracks privacy policies across 200+ platforms, including every major AI provider. This move positions OpenAI alongside companies like Google, which has always used data for advertising across its ecosystem, rather than companies like Anthropic, whose current policy does not include advertising data sharing.
The distinction matters because many users chose OpenAI partly based on how it previously handled their data. A policy that used to restrict sharing to service providers now permits sharing with advertising partners. You can compare privacy provisions across platforms to see how different companies handle advertising data sharing.
How we know this changed
ConductAtlas monitors OpenAI's Privacy Policy every day using automated document capture. When the May 1, 2026 version was published, our system captured the full text, computed a cryptographic hash for verification, and generated a sentence-level diff against the previous version. The change was flagged as high severity based on the addition of new data sharing categories and new stated processing purposes. Our obligation intelligence system identified 2 new obligations added and 2 existing obligations expanded.
We track every version of every document we monitor. Nothing is editorialized. Every claim in this analysis is traceable to a specific sentence in a specific version of a specific document, archived with a timestamp and cryptographic verification.