What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages the California Consumer Privacy Act and its CPRA amendments, enforced by the California Privacy Protection Agency and the California AG, granting California residents rights to access, delete, correct, and opt out of the sale or sharing of personal data. The policy also references compliance with Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPPA) state privacy laws. The FTC has authority over unfair or deceptive data practices unde…

How does OpenAI's OpenAI Privacy Policy affect users?

The policy states that personal data including conversation content, uploaded files, device identifiers, IP addresses, and usage activity is collected and may be used for AI model training, product improvement, and marketing. The terms authorize sharing this data with service providers, advertising and analytics partners, and affiliated entities, and disclose that OpenAI loads third-party tracking pixels from Facebook, LinkedIn, Reddit, and Bing on its web properties. You can disable model trai…

How often is OpenAI's OpenAI Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when OpenAI updates this document?

Yes. Watcher subscribers ($9.99/month) can add OpenAI to their watchlist and receive same-day email alerts whenever this document or any other OpenAI document changes.

CA-D-000010

OpenAI Privacy Policy

OpenAI

Last change detected May 11, 2026 Privacy policy

SHA-256: 40861e6992f0f3861f3… 8 versions captured 6 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at OpenAI ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

1 High severity

5 Medium severity

2 Low severity

Summary

This is OpenAI's US privacy policy, covering how the company handles your personal data when you use products like ChatGPT, the API, and DALL-E. The policy states that content you type into ChatGPT, files you upload, your device identifiers, IP address, and usage activity may be used to train OpenAI's AI models unless you turn off the model training toggle in your account settings under Data Controls. You can submit a request to access, delete, or correct your personal data using OpenAI's Privacy Request Form at privacy.openai.com.

Technical / Legal Breakdown

This document is OpenAI's US Privacy Policy, governing how OpenAI collects, uses, shares, and retains personal data from users of its consumer and API products, including ChatGPT, DALL-E, and related services, with stated legal bases including consent, contractual necessity, and legitimate interests. The policy states that OpenAI collects name, contact information, payment details, conversation content, files and images uploaded by users, device identifiers, IP addresses, browsing activity, location data, and usage logs, and the terms authorize use of this data for service delivery, safety monitoring, model training (where users have not opted out), and marketing communications. The policy discloses that conversation content submitted through non-API consumer products may be used to train AI models unless the user disables the training toggle in settings, which is an operationally significant disclosure given the nature of inputs users submit; the terms also authorize sharing personal data with affiliated entities, service providers, advertising and analytics partners, and in connection with corporate transactions such as mergers or acquisitions. The policy engages the California Consumer Privacy Act (CCPA/CPRA), which grants California residents rights to access, delete, correct, and opt out of certain data uses, and the policy provides a dedicated Privacy Request Form for these purposes; it also references compliance with US state privacy laws more broadly, including those in Virginia, Colorado, Connecticut, and Texas. Material compliance considerations include the adequacy of the model-training opt-out mechanism under emerging US AI and privacy regulations, the classification of third-party advertising pixel data flows under CCPA's sale and sharing definitions, and the policy's assertion that it does not knowingly collect data from users under 13, which engages COPPA enforcement by the FTC.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

6 important changes detected

8 versions captured · Last updated: May 2026

May 9, 2026

low

What changed OpenAI's Privacy Policy was updated on May 9, 2026 with a single language modification in the document header. The change added Persian (فارسی) to the list of available language options for the policy. This is a formatting and localization update with no material change to the substantive privacy protections, data practices, or user rights outlined in the policy.

Why this matters This change adds Persian as a language option for accessing OpenAI's Privacy Policy. No substantive privacy terms, data practices, or consumer rights have been modified. The privacy protections and obligations previously stated in the policy remain unchanged.

View full change record →

May 5, 2026

medium

What changed OpenAI removed language describing advertiser data partnerships and ad personalization controls for free users, while also removing the specific statement that free and go users could control ad personalization through account settings. The policy now presents a more general framework for direct marketing and promotional efforts. Additionally, OpenAI added a reference to a Korea Addendum for users in the Republic of Korea and changed the document title from 'US privacy policy' to 'Privacy policy'.

Why this matters The updated policy no longer explicitly states that OpenAI receives information from advertisers and other data partners for ad measurement and improvement, nor does it mention that users can control what data is used to personalize ads shown on the service. The revised terms now establish a broader direct marketing authority, stating the company may promote products and services to users through direct marketing and on third-party properties to assess effectiveness, subject to user choices and controls. The policy adds a reference to a Korea Addendum for Korean users. You can review the linked resources to understand what choices and controls remain available.

View full change record →

May 2, 2026 low

OpenAI added a new statement clarifying that sensitive data is not processed to infer characteristics about users. The policy also changed how users who are not logged in can exercise …

View change record →

May 1, 2026 medium

OpenAI updated its Privacy Policy on May 1, 2026 to add explicit language about direct marketing to users and disclosure of data sharing with marketing partners. The policy now states …

View change record →

April 22, 2026 medium

OpenAI removed language describing a separate category of marketing partners and the cookie-based data sharing practices used with those partners. The updated policy now consolidates all third-party recipients under a …

View change record →

March 6, 2026 low

OpenAI's privacy policy was updated on March 6, 2026, with changes to how it describes data uses and disclosures. The updated policy removed explicit language about receiving data from advertisers …

View change record →

High — 1 provision

AI Model Training Use of Conversation Content Compare →

OpenAI states that content you submit through consumer products like ChatGPT may be used to train its AI models by default, but you can turn this off in your account's Data Controls settings.

Added May 12, 2026 Common Seen across 104 platforms

Medium — 5 provisions

Third-Party Advertising and Analytics Data Sharing Compare →

OpenAI states it shares personal information with advertising, analytics, and marketing partners, in addition to cloud and operational service providers.

Added May 12, 2026 Standard Seen across 246 platforms
Corporate Transaction Data Transfer Compare →

If OpenAI is sold, merged, or acquires another company, your personal data may be transferred to the new entity as part of that transaction, including during the negotiation phase before any deal closes.

Added May 12, 2026 Standard Seen across 246 platforms
Data Categories Collected

OpenAI collects a broad range of personal data including your name, email, payment details, everything you type or upload into its products, your device identifiers, IP address, and general location.

Added May 12, 2026 Rare
California and Multi-State Privacy Rights Compare →

Depending on your US state, you may have the right to access, delete, correct your data, or opt out of data sharing, and you can exercise these rights by submitting a form at OpenAI's privacy portal.

Added May 12, 2026 Standard Seen across 262 platforms
Children Under 13 Exclusion Compare →

OpenAI states that its services are not for children under 13 and that it does not intentionally collect data from them; if it discovers a child's data has been collected, it states it will delete it.

Added May 12, 2026 Standard Seen across 262 platforms

Low — 2 provisions

Data Retention Compare →

OpenAI states it keeps your personal data for as long as needed to run its services and meet legal requirements, after which it will delete or anonymize it.

Added April 10, 2026 Standard Seen across 223 platforms
Aggregate and De-Identified Data Use Compare →

OpenAI states it may convert your personal data into anonymized or aggregated form and then use or share that data for any purpose without restriction.

Added May 12, 2026 Standard Seen across 189 platforms