OpenAI automatically collects technical data about your device and how you use its services, including your IP address, browser type, search queries, and feature usage patterns.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes the operational scope of data collection that occurs passively during service use, defining the categories of technical and behavioral information the entity may process as part of service delivery and system administration.
The updated policy now explicitly states four privacy rights that apply depending on your location and subject to applicable exceptions: the right to know about and access your personal data in portable format, the right to request deletion, the right to correct inaccurate data, and the right to be free from retaliation for exercising these rights. Previously, the policy referenced these rights only through procedural language about how to submit requests. The explicit enumeration establishes clearer notice of what protections the policy recognizes. You can exercise these rights by submitting a request through privacy.openai.com or dsar@openai.com.
View change record →The updated policy now explicitly discloses that OpenAI receives information from advertisers and data partners, including details about purchases you make, and uses this data to personalize ads shown to Free and Go users. Previously, the policy referenced ad effectiveness measurement without disclosing the specific source (advertiser data) or the personalization component. Under the revised terms, Free and Go users can use advertising controls in account settings to control what data OpenAI uses to personalize ads. You can access these controls through your OpenAI account settings to adjust ad personalization.
View change record →The updated policy no longer explicitly states that OpenAI receives information from advertisers and other data partners for ad measurement and improvement, nor does it mention that users can control what data is used to personalize ads shown on the service. The revised terms now establish a broader direct marketing authority, stating the company may promote products and services to users through direct marketing and on third-party properties to assess effectiveness, subject to user choices and controls. The policy adds a reference to a Korea Addendum for Korean users. You can review the linked resources to understand what choices and controls remain available.
View change record →Every session with OpenAI services generates device and behavioral data that OpenAI collects automatically; this includes your IP address and usage patterns, which can be used to infer location and behavior even without account registration.
Cross-platform context
See how other platforms handle Collection of Usage and Device Data and similar clauses.
Compare across platforms →Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Usage Data. When you use our Services, we automatically collect certain technical information about your device and how you interact with our Services, such as your IP address, browser type, operating system, referring URLs, device identifiers, and cookie data, as well as information about how you use and interact with our Services, such as the date and time of your visit, the features you use, searches you conduct, and other usage information.— Excerpt from OpenAI's OpenAI Privacy Policy
(1) REGULATORY LANDSCAPE: Automated collection of IP addresses and device identifiers constitutes processing of personal data under GDPR, requiring a disclosed legal basis. Cookie data collection may additionally require compliance with ePrivacy Directive requirements in the EU, including consent for non-essential cookies. The FTC Act and CCPA apply to US users regarding disclosure and limitation of automated data collection. (2) GOVERNANCE EXPOSURE: Low to Medium. Automated collection of usage and device data is standard industry practice, but the breadth of categories collected (IP, device identifiers, browsing behavior, feature usage) creates a detailed behavioral profile that may engage data minimization obligations. Cookie consent mechanisms should be verified for ePrivacy compliance in the EU. (3) JURISDICTION FLAGS: EU ePrivacy Directive and national cookie laws apply to EEA users and may require granular consent for non-essential cookies. California users have CCPA rights regarding the categories of data collected. Illinois BIPA would apply only if biometric identifiers were collected, which is not indicated by this provision. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers deploying OpenAI in workplace contexts should assess whether employee device and usage data is collected and whether employee privacy notices accurately disclose this. (5) COMPLIANCE CONSIDERATIONS: Review cookie consent banners for ePrivacy compliance; assess whether device identifier collection aligns with data minimization principles; confirm that usage data is included in DSAR responses when users request their personal data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes the operational scope of data collection that occurs passively during service use, defining the categories of technical and behavioral information the entity may process as part of service delivery and system administration.
Every session with OpenAI services generates device and behavioral data that OpenAI collects automatically; this includes your IP address and usage patterns, which can be used to infer location and behavior even without account registration.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.