California residents have legal rights under the CCPA to know what data OpenAI holds about them, request its deletion, and opt out of any data sales, though OpenAI states it does not sell personal data as defined by CCPA.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause operationalizes California's statutory privacy framework by specifying the mechanism for exercising CCPA rights and clarifying OpenAI's position on data sales practices. This establishes the procedural framework through which residents can assert their legal entitlements under state law.
The updated policy removes language describing how OpenAI uses advertiser and data partner information to personalize ads and measure ad effectiveness. The policy also removes the specific mechanism Free and Go users previously had to control ad personalization through account settings. In exchange, the policy adds explicit authorization for OpenAI to identify which of a user's contacts use OpenAI services and to monitor all content submitted on the platform for fraud and misuse detection. The authorization to monitor content and identify contacts now appears in the main policy purposes section rather than in supplementary documentation. You can review the Korea Addendum if you are located in South Korea to understand region-specific privacy rules.
View change record →The updated policy removes language that previously described ad personalization controls available to Free and Go users through account settings, though the policy continues to authorize OpenAI to personalize ads and measure their effectiveness for these user tiers. Previously, the policy explicitly stated that 'For Free and Go users, you can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services.' This language is no longer present in the updated version. The policy still lists ad personalization as an authorized use of personal data for Free and Go users, but no longer explicitly describes how users can access controls to manage this practice. You should verify whether advertising controls remain functional in your OpenAI account settings, as the policy no longer explicitly references them.
View change record →The updated policy removes specific language stating that OpenAI receives advertiser data to personalize ads shown to Free and Go users. It also removes reference to account-level advertising controls previously described in account settings. These removals are replaced with broader language authorizing OpenAI to promote products through direct marketing and third-party properties, subject to choices and controls, but the terms no longer explicitly describe what advertiser data is collected, from whom, or how to manage it at the account level. The policy now requires users to follow a 'learn more' link to understand ad personalization controls, rather than documenting those controls directly in the privacy policy.
View change record →California residents can submit data access or deletion requests at privacy.openai.com or by emailing privacy@openai.com, and are protected from service denial or price discrimination for exercising these rights.
How other platforms handle this
We may also collect your personal data from other people or companies.
If you are a California resident, you may have the right to: Know what personal information we collect, use, disclose, sell, or share. Correct inaccurate personal information. Delete your personal information. Opt out of the sale or sharing of your personal information. Limit the use and disclosure ...
If you are a California resident, you have the right to know what personal information we collect, use, and disclose about you; the right to request deletion of your personal information; the right to opt out of the sale or sharing of your personal information; the right to correct inaccurate person...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are a California resident, you have the right to: Know what personal information we collect, use, disclose, and sell. Delete your personal information. Opt out of the sale of your personal information. Non-discrimination for exercising your privacy rights. We do not sell your personal information as defined under the CCPA. You may submit a request to exercise your rights by contacting us at privacy@openai.com or by submitting a request through our Privacy Portal.— Excerpt from OpenAI's OpenAI Privacy Policy
(1) REGULATORY LANDSCAPE: This provision reflects obligations under the California Consumer Privacy Act (CCPA) as amended by CPRA, enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General. The assertion that OpenAI does not 'sell' personal data should be evaluated against CCPA's expansive definition of 'sale,' which includes sharing for cross-context behavioral advertising. CPRA introduced the concept of 'sharing' as a separately regulated activity. (2) GOVERNANCE EXPOSURE: Medium. The assertion of non-sale status is a legal characterization that compliance teams should independently evaluate, particularly regarding data flows to advertising or analytics vendors. CPRA's 'sensitive personal information' category, which includes precise geolocation and inferences about consumers, may require additional disclosures or opt-out rights beyond what is described. (3) JURISDICTION FLAGS: Applies specifically to California residents. Other states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas) have analogous frameworks; the policy's CCPA disclosure may not fully address all state-specific requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Businesses using OpenAI in California-facing contexts should confirm their service agreements characterize OpenAI appropriately as a service provider rather than a third party under CCPA, which has material implications for downstream data use limitations. (5) COMPLIANCE CONSIDERATIONS: Review whether OpenAI's CCPA data request response process meets the 45-day statutory response window; assess whether the non-sale assertion is adequately documented; and confirm whether any data sharing with advertising or analytics partners could constitute 'sharing' under CPRA.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause operationalizes California's statutory privacy framework by specifying the mechanism for exercising CCPA rights and clarifying OpenAI's position on data sales practices. This establishes the procedural framework through which residents can assert their legal entitlements under state law.
California residents can submit data access or deletion requests at privacy.openai.com or by emailing privacy@openai.com, and are protected from service denial or price discrimination for exercising these rights.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.