OpenAI commits that it will not sell personal data submitted by API business customers and will only use it to provide the contracted service, as required for CCPA service provider status.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision establishes OpenAI as a service provider rather than a third party under CCPA/CPRA, which is a legally significant distinction that affects how the business customer can characterize its data sharing in its own privacy disclosures and whether it incurs CCPA liability for data flows to OpenAI.
Individuals whose personal data is processed through an operator's OpenAI-powered product benefit from OpenAI's contractual commitment not to sell or share that data or use it for purposes beyond the contracted service. However, this protection depends on the operator properly configuring its use of the API and the DPA being in place.
How other platforms handle this
If you are a California resident, you have the right to know what personal information we collect, use, and disclose about you; the right to request deletion of your personal information; the right to opt out of the sale or sharing of your personal information; the right to correct inaccurate person...
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
OpenAI has changed this document before.
"OpenAI will not sell or share Customer Personal Data. OpenAI will not retain, use, or disclose Customer Personal Data for any purpose other than for the specific business purpose of performing the Services, or as otherwise permitted under the CCPA. OpenAI certifies that it understands and will comply with the restrictions of this section."
Excerpt from OpenAI's Data Processing Addendum
REGULATORY LANDSCAPE: This provision is structured to satisfy CCPA Section 1798.140(ag) and CPRA requirements for service provider contracts, including the prohibition on selling or sharing personal information and the restriction to specified business purposes. The California Privacy Protection Agency and California Attorney General are the primary enforcement authorities. Operators who fail to have this DPA in place before submitting California consumer personal data to OpenAI may not be able to characterize the disclosure as a service provider relationship, potentially triggering disclosure or opt-out obligations.
GOVERNANCE EXPOSURE: Medium. The provision directly addresses CCPA service provider requirements. Operators must ensure they have accepted this DPA before processing California consumer personal data through the API. Operators also bear responsibility for ensuring they are not themselves using OpenAI outputs in ways that would constitute a sale or sharing of personal information.
JURISDICTION FLAGS: California operators and any operator processing personal data about California residents face direct exposure. Other US states with similar service provider contract requirements (Virginia CDPA, Colorado CPA, Connecticut CTDPA) may require equivalent contractual provisions, though the DPA primarily addresses CCPA/CPRA by name.
CONTRACT AND VENDOR IMPLICATIONS: The service provider certification in this provision is a standard CCPA procurement requirement. Procurement teams should confirm this DPA is executed prior to any California personal data flowing to the API, and that the permitted business purpose is specifically defined in the agreement to match the operator's actual use case. Overly broad purpose definitions may undermine the service provider characterization.
COMPLIANCE CONSIDERATIONS: Operators should update their CCPA privacy notices to reflect OpenAI as a service provider rather than a third party, ensure consumer-facing disclosures accurately describe the use of AI service providers, and verify that any data submitted to OpenAI is limited to what is necessary for the stated business purpose.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.