CA-C-002250
OpenAI — OpenAI Enterprise Privacy
Entity
Date detected
May 22, 2026
Effective date
May 22, 2026
Severity
Low
Direction
Neutral
Affected users
enterprise customers education institutions chatgpt business users
Changes
3 sentences modified
Share 𝕏 Share in Share 🔒 PDF
Watch OpenAI Get alerts when this policy changes.
Watch — Free

Event Summary

OpenAI updated formatting in its Enterprise Privacy document on May 22, 2026 by modifying spacing around hyperlinks in three sentences. The changes involve adjusting whitespace before the opening parentheses in links to the DPA form, Student Data Privacy Agreement, and ChatGPT Business information pages. These are editorial formatting adjustments with no operational change to the substantive terms, obligations, or disclosures.

LOW

Consumer Impact

This change involves only formatting adjustments to hyperlinks in the Enterprise Privacy document and does not modify any substantive privacy terms, data handling procedures, or DPA requirements. The underlying policies regarding data processing, Student Data Privacy Agreements, and ChatGPT Business terms remain unchanged. No consumer action is required.

Governance Analysis

This change involves only formatting adjustments to hyperlink spacing in the Enterprise Privacy document. The substantive privacy terms, DPA execution requirements, and data handling procedures remain identical, so this update has no operational or regulatory significance.

Key Clauses Affected

DPA form link

Formatting adjusted; link remains unchanged.

Student Data Privacy Agreement reference

Formatting adjusted; agreement reference and link remain unchanged.

ChatGPT Business link

Formatting adjusted; link remains unchanged.

Full clause-by-clause analysis available with Compliance.
These clauses may change again. Get alerted when they do. Watch OpenAI — Free

This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology

Evidence Verification

✓ Verified
Previous Version
ba45337e7fcc3abd88b4858dcd487c26530174a15b5682c3af38f0151c279837
May 19, 2026 00:03 UTC
✓ Verified
Current Version
694a813c3880cd986d5603525b163c07256efa613212c14bfd28669773650667
May 22, 2026 00:08 UTC
✓ Verified
Change Detected
May 22, 2026 00:08 UTC
Analysis Methodology
✓ Verified
Source Document
https://openai.com/enterprise-privacy/
Citation Record
Entity: OpenAI
Document: OpenAI Enterprise Privacy
Record ID: CA-C-002250
Captured: 2026-05-22 00:08:01 UTC
URL: https://conductatlas.com/change/2026-05-22-openai-openai-enterprise-privacy-2250/
Accessed: July 8, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
For legal and compliance teams

Institutional Analysis

Assessment

OpenAI updated link formatting in its Enterprise Privacy document on May 22, 2026. The change affects only whitespace placement around three external hyperlinks—to the DPA form, Student Data Privacy Agreement, and ChatGPT Business information—with no modification to substantive privacy obligations, data processing authorizations, or DPA execution requirements. This is a formatting clarification with no compliance, regulatory, or operational implication.

Full compliance analysis

Obligation analysis, escalation trigger, board language, and recommended action.

Monitor $19/mo Compliance $249/mo

Monitor: regulatory citations + obligations. Compliance: full compliance memo.

ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002250.

Clause-Level Changes

New Provisions Added
CCPA Service Provider Designation
Medium

This addition explicitly establishes OpenAI's legal status under California privacy law and provides assurance that customer data is not used for behavioral advertising.

Full clause text available with Compliance. See Compliance →
Data Retention and Conversation Storage Practices
Medium

This provision adds clarity on the different retention policies between API and Enterprise products and introduces the concept of administrative control over conversation data deletion.

Full clause text available with Compliance. See Compliance →
Sub-Processor Disclosure and Third-Party Data Sharing
Medium

This addition provides transparency about third-party data processors and establishes a notification mechanism for changes, which is critical for compliance with data protection regulations like GDPR.

Full clause text available with Compliance. See Compliance →
Provisions Removed
API Data Retention and 30-Day Deletion
Medium

This provision's specific mention of zero-data-retention option was removed, though the 30-day default is preserved in the new consolidated data retention provision.

Removed clause text available with Compliance. See Compliance →
Enterprise Customer Ownership of Inputs and Outputs
Medium

Removal of this explicit ownership provision may weaken customer claims to intellectual property rights over their inputs and model outputs.

Removed clause text available with Compliance. See Compliance →
Tiered Product Data Governance
Medium

Removal of this clarity statement eliminates the explicit boundary between enterprise and consumer products, potentially creating ambiguity about which provisions apply to which tiers.

Removed clause text available with Compliance. See Compliance →
Provisions Modified
No Model Training on Enterprise and API Data by Default
Medium

Removed explicit mention of ChatGPT Team product and removed redundant 'by default' from the second sentence.

Before/after clause text available with Compliance. See Compliance →
GDPR Data Processing Agreement and Standard Contractual Clauses
High

Changed 'DPA' terminology from 'Addendum' to 'Agreement', added explicit customer scope (API and ChatGPT Enterprise), and clarified SCCs are EC-approved for international transfers rather than just for GDPR compliance.

Before/after clause text available with Compliance. See Compliance →
HIPAA Business Associate Agreement for API Deployments
High

Narrowed scope from general 'customers' to specifically 'API customers' and removed mention of 'HIPAA-eligible services' in favor of direct BAA signing capability.

Before/after clause text available with Compliance. See Compliance →
SOC 2 Type 2 Certification Disclosure
Low

Changed from 'maintain' to 'achieved', added specificity about regular audits and security control maintenance, and clarified the purpose as data protection.

Before/after clause text available with Compliance. See Compliance →

Cross-platform context

See how other platforms handle similar provisions across the ConductAtlas archive.

Compare across platforms → Browse regulations →

Full Changes

See the full side-by-side comparison of every sentence added, removed, and modified.

🔒 Full diff — Monitor

Document Context

Version history → Policy drift analysis → Document page →
Document
OpenAI Enterprise Privacy
Entity
OpenAI
Captured
May 22, 2026
Source URL
https://openai.com/enterprise-privacy/
Other changes to OpenAI Enterprise Privacy
Previous change May 19, 2026
OpenAI updated a hyperlink in its Enterprise Privacy document on May 19, 2026. The previous link text 'Learn more about …
Low Neutral
Next change May 28, 2026
OpenAI updated their OpenAI Enterprise Privacy on May 28, 2026. Change detected: 4 sentence(s) modified. Document contained 107 sentences after …
View full version history →
More from OpenAI
Jul 7, 2026 Unknown
OpenAI Service Terms
Jul 6, 2026 Low
OpenAI Frontier Governance Framework

OpenAI updated its Frontier Governance Framework on July 6, 2026, making two minor modifications to the document's presentation. The title …

Jul 2, 2026 Unknown
OpenAI Business Terms
Related Analysis
Platform Analysis · June 12, 2026
OpenAI Changed Its Privacy Policy 4 Times in One Week. Here Is What Actually Changed.

Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.

Regulatory Analysis · June 28, 2026
The Great American AI Act, Explained: What the First Federal AI Law Would Require

The bill does not regulate most AI startups directly. But it changes the companies they depend on. Here is what the first federal AI law wo…

Dependency Governance · June 11, 2026
AI Dependency Governance: How API Terms Govern Every App Built on OpenAI, Anthropic, and Google

872 provisions across 8 AI platforms. The terms your AI provider sets become the terms your product operates under.

Track OpenAI policy changes

Get alerted when this policy changes again — including what changed and why it matters.

Prefer a weekly summary instead?

Get the biggest policy changes across 352+ platforms every Sunday.