Depending on your US state, you may have the right to access, delete, correct your data, or opt out of data sharing, and you can exercise these rights by submitting a form at OpenAI's privacy portal.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision identifies the specific state-law rights available to users in California, Virginia, Colorado, Connecticut, and Texas, and directs users to a single privacy request portal to exercise them, which is operationally significant for users wishing to control how their data is used.
The updated policy no longer explicitly states that OpenAI receives information from advertisers and other data partners for ad measurement and improvement, nor does it mention that users can control…
The updated policy now explicitly authorizes OpenAI to promote products and services to users through direct marketing on third-party properties and to share limited information with select marketing…
The updated policy removes explicit language describing how OpenAI shares personal data with marketing partners through cookies and similar technologies. The policy previously stated that 'some of th…
The policy states that California, Virginia, Colorado, Connecticut, and Texas residents can submit requests to access, delete, correct, or opt out of sale or sharing of their personal data through privacy.openai.com; non-discrimination protections are also stated, meaning OpenAI commits not to deny service for exercising these rights.
How other platforms handle this
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...
California law gives residents the right to know what personal information we collect, use, share or sell; to delete personal information under certain circumstances; to opt-out of the sale or sharing of their personal information; to correct inaccurate personal information; to limit the use and dis...
If you are a California resident, you have the right to know what personal information we collect, use, disclose, and sell about you. You have the right to request deletion of your personal information, subject to certain exceptions. You have the right to opt out of the sale or sharing of your perso...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Depending on where you live, you may have certain rights regarding your personal information, including: the right to know what personal information we have collected about you; the right to delete personal information we have collected from you; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of your personal information; the right to limit use of sensitive personal information; and the right to non-discrimination for exercising your privacy rights. California, Virginia, Colorado, Connecticut, and Texas residents may exercise these rights by submitting a request through our Privacy Request Form.— Excerpt from OpenAI's OpenAI Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages CCPA and CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), and TDPPA (Texas). Each law imposes specific response timelines, verification requirements, and scope limitations on the rights enumerated. The California Privacy Protection Agency and the respective state attorneys general are the primary enforcement authorities. CCPA requires response to access and deletion requests within 45 days, with a possible 45-day extension. GOVERNANCE EXPOSURE: Medium. The policy enumerates the correct categories of rights for the named states but does not specify response timelines, verification procedures, or appeal mechanisms in this summary section, which are required disclosures under some state laws. Compliance teams should confirm that the operational procedures behind the privacy request portal meet the specific requirements of each named state law. JURISDICTION FLAGS: California creates the highest exposure given the CPRA's requirement to also honor opt-out preference signals such as Global Privacy Control (GPC). The policy does not explicitly address GPC compliance in this provision, which California regulations require. Colorado also mandates GPC recognition. Virginia, Texas, and Connecticut impose appeal rights that must be described to consumers. CONTRACT AND VENDOR IMPLICATIONS: B2B customers acting as controllers of data submitted through OpenAI products should assess whether their vendor agreements with OpenAI provide adequate data subject rights pass-through obligations, or whether OpenAI functions as a processor obligated to forward data subject requests. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that the privacy.openai.com portal is functional, that response timelines meet each state's statutory requirement, and that appeal mechanisms are available for denied requests as required by Virginia, Colorado, Connecticut, and Texas laws. GPC signal recognition should be audited for California and Colorado compliance. The policy should be reviewed to confirm that the sensitive personal information limitation right described for California is operationally implemented.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision identifies the specific state-law rights available to users in California, Virginia, Colorado, Connecticut, and Texas, and directs users to a single privacy request portal to exercise them, which is operationally significant for users wishing to control how their data is used.
The policy states that California, Virginia, Colorado, Connecticut, and Texas residents can submit requests to access, delete, correct, or opt out of sale or sharing of their personal data through privacy.openai.com; non-discrimination protections are also stated, meaning OpenAI commits not to deny service for exercising these rights.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.