OpenAI commits that it will not sell personal data submitted by API business customers and will only use it to provide the contracted service, as required for CCPA service provider status.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision establishes OpenAI as a service provider rather than a third party under CCPA/CPRA, which is a legally significant distinction that affects how the business customer can characterize its data sharing in its own privacy disclosures and whether it incurs CCPA liability for data flows to OpenAI.
Individuals whose personal data is processed through an operator's OpenAI-powered product benefit from OpenAI's contractual commitment not to sell or share that data or use it for purposes beyond the contracted service. However, this protection depends on the operator properly configuring its use of the API and the DPA being in place.
OpenAI has changed this document before.
"OpenAI will not sell or share Customer Personal Data. OpenAI will not retain, use, or disclose Customer Personal Data for any purpose other than for the specific business purpose of performing the Services, or as otherwise permitted under the CCPA. OpenAI certifies that it understands and will comply with the restrictions of this section."
— Excerpt from OpenAI's OpenAI Data Processing Addendum
REGULATORY LANDSCAPE: This provision is structured to satisfy CCPA Section 1798.140(ag) and CPRA requirements for service provider contracts, including the prohibition on selling or sharing personal information and the restriction to specified business purposes. The California Privacy Protection Agency and California Attorney General are the primary enforcement authorities. Operators who fail to have this DPA in place before submitting California consumer personal data to OpenAI may not be able to characterize the disclosure as a service provider relationship, potentially triggering disclosure or opt-out obligations.
GOVERNANCE EXPOSURE: Medium. The provision directly addresses CCPA service provider requirements. Operators must ensure they have accepted this DPA before processing California consumer personal data through the API. Operators also bear responsibility for ensuring they are not themselves using OpenAI outputs in ways that would constitute a sale or sharing of personal information.
JURISDICTION FLAGS: California operators and any operator processing personal data about California residents face direct exposure. Other US states with similar service provider contract requirements (Virginia CDPA, Colorado CPA, Connecticut CTDPA) may require equivalent contractual provisions, though the DPA primarily addresses CCPA/CPRA by name.
CONTRACT AND VENDOR IMPLICATIONS: The service provider certification in this provision is a standard CCPA procurement requirement. Procurement teams should confirm this DPA is executed prior to any California personal data flowing to the API, and that the permitted business purpose is specifically defined in the agreement to match the operator's actual use case. Overly broad purpose definitions may undermine the service provider characterization.
COMPLIANCE CONSIDERATIONS: Operators should update their CCPA privacy notices to reflect OpenAI as a service provider rather than a third party, ensure consumer-facing disclosures accurately describe the use of AI service providers, and verify that any data submitted to OpenAI is limited to what is necessary for the stated business purpose.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.