OpenAI updated its Privacy Policy on May 1, 2026 to explicitly allow sharing your personal data with third-party marketing partners — not just service providers — to promote OpenAI products on external websites and platforms. The policy now also lists direct marketing as a stated purpose for using your data. This matters because your data may now be shared more broadly with outside advertising partners, though OpenAI says you can opt out.
OpenAI's updated policy now explicitly allows your personal data — including data collected via cookies — to be shared with third-party marketing partners to advertise OpenAI products on external websites and platforms, which was not disclosed as a purpose before. Previously, data sharing with outside parties was framed around service providers bound by OpenAI's instructions; now a broader category of 'marketing partners' can receive your data with fewer restrictions. You can visit the opt-out link referenced in OpenAI's updated policy to control how your information is used for third-party advertising.
OpenAI can now use your data to advertise to you on other websites and apps, which it wasn't allowed to do before under the old policy.
Outside advertising companies can now receive your data from OpenAI — these companies operate independently and aren't bound by the same rules as OpenAI's own vendors.
+ 2 more obligation changes. Full breakdown available with Watcher.
Unlock — $9.99/mo →This change means OpenAI can now share your personal data with outside advertising companies to target you across the web, which goes beyond what the previous policy allowed. Users who do not want their data used for external advertising should use the newly added opt-out mechanism immediately.
OpenAI now shares personal data with third-party marketing partners who are not bound by service provider restrictions, enabling data use for external advertising.
Direct marketing and advertising effectiveness measurement have been added as explicit lawful purposes for processing personal data.
The previous blanket restriction that all third parties process data 'only in the course of performing their duties' now applies only to Service Providers, not marketing partners.
ConductAtlas Policy Archive Entity: OpenAI | Document: OpenAI Privacy Policy | Record: CA-C-000742 Captured: 2026-05-01 06:00:38 UTC URL: https://conductatlas.com/change/2026-05-01-openai-openai-privacy-policy-742/ Accessed: May 2, 2026
Unlock the full analysis
14-day free trial available.
OpenAI has materially expanded its data sharing practices by adding a new category of third-party 'marketing partners' who are not service providers and are not bound by OpenAI's processing instructions. The policy now expressly lists direct marketing and advertising effectiveness measurement as data use purposes. This touches GDPR Art. 13(2)(b) (purpose disclosure), Art. 6(1)(f) (legitimate interests for marketing), CCPA §1798.100 (right to know), and §1798.120 (opt-out of sale/sharing). The change also weakens the previously absolute constraint that third parties process data 'only in the course of performing their duties to us.' Action is required: review vendor classification, update data processing agreements, and assess whether existing user consent or opt-out mechanisms satisfy applicable law.
1. GDPR Art. 13(1)(e) and Art. 13(2)(b): New marketing partners must be identified as recipients; purpose of direct marketing and third-party ad placement must be disclosed at collection. Art. 6(1)(a) or 6(1)(f) legal basis for marketing data sharing must be documented. Art. 21(2): Users must be given unconditional right to object to direct marketing. Recital 47 notes direct marketing can be a legitimate interest but requires balancing test.
Compliance intelligence locked
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000742.
This addition reveals new third-party tracking infrastructure and cross-site behavioral monitoring not previously disclosed, representing material expansion of data collection methods.
This new provision explicitly acknowledges collection of sensitive health and financial data, which creates heightened privacy obligations and represents a significant expansion of permissible data categories.
This addition explicitly details third-party sharing categories and law enforcement disclosure procedures, replacing the previous vague reference and providing transparency on data flow to external parties.
This new provision adds explicit CPRA compliance language including sensitive data limitation rights, representing alignment with 2023 California privacy law amendments not present in previous version.
While replaced by more detailed disclosure provisions, the previous high-severity framing of affiliate sharing has been deprioritized in the current version.
Removal of explicit cross-border transfer provision eliminates transparency on international data movement mechanisms (e.g., standard contractual clauses, adequacy decisions).
Absence of dedicated GDPR provision in current version potentially indicates either consolidation into general user rights or reduced emphasis on EU-specific compliance.
Previous version had no excerpt data, but current version now explicitly states opt-out mechanism is available in account settings rather than implicit or unstated.
Previous version had no excerpt, current version now consolidates deletion, export, and portability rights into single provision with explicit reference to Privacy Portal URL.
Previous version had no excerpt data, current version now adds explicit requirement for parental consent for users aged 13-18 and provides contact mechanism for child data concerns.
Previous version had no excerpt, current version now explicitly details deletion/anonymization commitment and expanded retention purpose scope.
Cross-platform context
See how other platforms handle similar provisions across the ConductAtlas archive.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Unlock full diff — Watcher $9.99/moWe monitor 200+ platforms and archive every change — verified and timestamped.