What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages the California Consumer Privacy Act and its CPRA amendments, enforced by the California Privacy Protection Agency and the California AG, granting California residents rights to access, delete, correct, and opt out of the sale or sharing of personal data. The policy also references compliance with Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPPA) state privacy laws. The FTC has authority over unfair or deceptive data practices unde…

How does OpenAI's OpenAI Privacy Policy affect users?

The policy authorizes OpenAI to collect and use personal data including conversation content, uploaded files, device identifiers, IP addresses, and usage activity for AI model training, product improvement, and marketing purposes. Users may disable model training use of conversations through the Data Controls setting. The policy permits data sharing with service providers, advertising and analytics partners, and affiliated entities, and discloses deployment of third-party tracking pixels from F…

How often is OpenAI's OpenAI Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when OpenAI updates this document?

Yes. Watcher subscribers ($9.99/month) can add OpenAI to their watchlist and receive same-day email alerts whenever this document or any other OpenAI document changes.

CA-D-000010

OpenAI Privacy Policy

OpenAI

Last change detected May 19, 2026 Privacy policy

SHA-256: f6e00f7793672c35c64… 10 versions captured 9 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at OpenAI ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

1 High severity

5 Medium severity

2 Low severity

Summary

This document establishes OpenAI's privacy practices for users of its products including ChatGPT, the API, and DALL-E. The policy authorizes collection of conversation content, uploaded files, device identifiers, IP addresses, and usage activity, with provisions permitting use of this data for model training except where users disable the model training toggle in Data Controls settings. The policy establishes procedures for users to submit requests for access, deletion, or correction of personal data through OpenAI's Privacy Request Form.

Technical / Legal Breakdown

This document is OpenAI's US Privacy Policy, governing how OpenAI collects, uses, shares, and retains personal data from users of its consumer and API products, including ChatGPT, DALL-E, and related services, with stated legal bases including consent, contractual necessity, and legitimate interests. The policy states that OpenAI collects name, contact information, payment details, conversation content, files and images uploaded by users, device identifiers, IP addresses, browsing activity, location data, and usage logs, and the terms authorize use of this data for service delivery, safety monitoring, model training (where users have not opted out), and marketing communications. The policy discloses that conversation content submitted through non-API consumer products may be used to train AI models unless the user disables the training toggle in settings, which is an operationally significant disclosure given the nature of inputs users submit; the terms also authorize sharing personal data with affiliated entities, service providers, advertising and analytics partners, and in connection with corporate transactions such as mergers or acquisitions. The policy engages the California Consumer Privacy Act (CCPA/CPRA), which grants California residents rights to access, delete, correct, and opt out of certain data uses, and the policy provides a dedicated Privacy Request Form for these purposes; it also references compliance with US state privacy laws more broadly, including those in Virginia, Colorado, Connecticut, and Texas. Material compliance considerations include the adequacy of the model-training opt-out mechanism under emerging US AI and privacy regulations, the classification of third-party advertising pixel data flows under CCPA's sale and sharing definitions, and the policy's assertion that it does not knowingly collect data from users under 13, which engages COPPA enforcement by the FTC.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

9 important changes detected

10 versions captured · Last updated: May 2026

May 19, 2026

low

What changed OpenAI modified two sentences in its US Privacy Policy on May 19, 2026. The document timestamp was updated from April 30, 2026 to May 18, 2026. More substantially, the opt-out mechanism for users who are not logged in was expanded: users can now opt out either through a new 'Settings > Data Controls' option within ChatGPT or through the existing 'Your Privacy Choices' link on the website.

Why this matters The updated policy establishes an additional pathway for users who are not logged in to opt out of data practices. Previously, the only stated opt-out mechanism for logged-out users was the 'Your Privacy Choices' link on the website. The revised language now permits logged-out users to access opt-out controls through 'Settings > Data Controls' within ChatGPT itself, in addition to the website link. You can use either method to manage your privacy preferences.

View full change record →

May 14, 2026

medium

What changed OpenAI updated its privacy request procedures on May 14, 2026. Previously, the policy stated users could exercise privacy rights by submitting requests through privacy.openai.com or dsar@openai.com. The updated language now describes the four substantive privacy rights themselves—access, deletion, correction, and freedom from retaliation—rather than the submission mechanism. This shifts the policy from procedural instruction to rights enumeration, establishing explicit recognition of these privacy protections.

Why this matters The updated policy now explicitly states four privacy rights that apply depending on your location and subject to applicable exceptions: the right to know about and access your personal data in portable format, the right to request deletion, the right to correct inaccurate data, and the right to be free from retaliation for exercising these rights. Previously, the policy referenced these rights only through procedural language about how to submit requests. The explicit enumeration establishes clearer notice of what protections the policy recognizes. You can exercise these rights by submitting a request through privacy.openai.com or dsar@openai.com.

View full change record →

May 11, 2026 medium

OpenAI updated its privacy policy on May 11, 2026 to explicitly authorize the collection and use of advertiser data from partners and to create a new ad personalization purpose for …

View change record →

May 9, 2026 low

OpenAI's Privacy Policy was updated on May 9, 2026 with a single language modification in the document header. The change added Persian (فارسی) to the list of available language options …

View change record →

May 5, 2026 medium

OpenAI removed language describing advertiser data partnerships and ad personalization controls for free users, while also removing the specific statement that free and go users could control ad personalization through …

View change record →

May 2, 2026 low

OpenAI added a new statement clarifying that sensitive data is not processed to infer characteristics about users. The policy also changed how users who are not logged in can exercise …

View change record →

May 1, 2026 medium

OpenAI updated its Privacy Policy on May 1, 2026 to add explicit language about direct marketing to users and disclosure of data sharing with marketing partners. The policy now states …

View change record →

April 22, 2026 medium

OpenAI removed language describing a separate category of marketing partners and the cookie-based data sharing practices used with those partners. The updated policy now consolidates all third-party recipients under a …

View change record →

March 6, 2026 low

OpenAI's privacy policy was updated on March 6, 2026, with changes to how it describes data uses and disclosures. The updated policy removed explicit language about receiving data from advertisers …

View change record →

High — 1 provision

AI Model Training Use of Conversation Content Compare →

OpenAI states that content you submit through consumer products like ChatGPT may be used to train its AI models by default, but you can turn this off in your account's Data Controls settings.

Added May 12, 2026 Common Seen across 104 platforms

Medium — 5 provisions

Third-Party Advertising and Analytics Data Sharing Compare →

OpenAI states it shares personal information with advertising, analytics, and marketing partners, in addition to cloud and operational service providers.

Added May 12, 2026 Standard Seen across 246 platforms
Corporate Transaction Data Transfer Compare →

If OpenAI is sold, merged, or acquires another company, your personal data may be transferred to the new entity as part of that transaction, including during the negotiation phase before any deal closes.

Added May 12, 2026 Standard Seen across 246 platforms
Data Categories Collected

OpenAI collects a broad range of personal data including your name, email, payment details, everything you type or upload into its products, your device identifiers, IP address, and general location.

Added May 12, 2026 Rare
California and Multi-State Privacy Rights Compare →

Depending on your US state, you may have the right to access, delete, correct your data, or opt out of data sharing, and you can exercise these rights by submitting a form at OpenAI's privacy portal.

Added May 12, 2026 Standard Seen across 262 platforms
Children Under 13 Exclusion Compare →

OpenAI states that its services are not for children under 13 and that it does not intentionally collect data from them; if it discovers a child's data has been collected, it states it will delete it.

Added May 12, 2026 Standard Seen across 262 platforms

Low — 2 provisions

Data Retention Compare →

OpenAI states it keeps your personal data for as long as needed to run its services and meet legal requirements, after which it will delete or anonymize it.

Added April 10, 2026 Standard Seen across 223 platforms
Aggregate and De-Identified Data Use Compare →

OpenAI states it may convert your personal data into anonymized or aggregated form and then use or share that data for any purpose without restriction.

Added May 12, 2026 Standard Seen across 189 platforms