OpenAI · OpenAI Privacy Policy · View original document ↗

GDPR Regional Rights (EU Users)

Medium severity Unique · 0 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity OpenAI recorded 16 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for OpenAI Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

Users in the European Union have additional rights under GDPR including the right to object to processing, restrict processing, and lodge complaints with a supervisory authority.

This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The provision creates an operational framework for OpenAI to comply with GDPR obligations applicable to EU residents. This establishes formal procedures and institutional responsibilities for data subject access requests and related regulatory requirements.

Recent Activity

This document changed recently

Medium Jun 12, 2026

The updated policy removes language describing how OpenAI uses advertiser and data partner information to personalize ads and measure ad effectiveness. The policy also removes the specific mechanism Free and Go users previously had to control ad personalization through account settings. In exchange, the policy adds explicit authorization for OpenAI to identify which of a user's contacts use OpenAI services and to monitor all content submitted on the platform for fraud and misuse detection. The authorization to monitor content and identify contacts now appears in the main policy purposes section rather than in supplementary documentation. You can review the Korea Addendum if you are located in South Korea to understand region-specific privacy rules.

View change record →
Medium Jun 9, 2026

The updated policy removes language that previously described ad personalization controls available to Free and Go users through account settings, though the policy continues to authorize OpenAI to personalize ads and measure their effectiveness for these user tiers. Previously, the policy explicitly stated that 'For Free and Go users, you can use the advertising controls in your account settings to control what data we use to personalize the ads we show you on our Services.' This language is no longer present in the updated version. The policy still lists ad personalization as an authorized use of personal data for Free and Go users, but no longer explicitly describes how users can access controls to manage this practice. You should verify whether advertising controls remain functional in your OpenAI account settings, as the policy no longer explicitly references them.

View change record →
Medium May 27, 2026

The updated policy removes specific language stating that OpenAI receives advertiser data to personalize ads shown to Free and Go users. It also removes reference to account-level advertising controls previously described in account settings. These removals are replaced with broader language authorizing OpenAI to promote products through direct marketing and third-party properties, subject to choices and controls, but the terms no longer explicitly describe what advertiser data is collected, from whom, or how to manage it at the account level. The policy now requires users to follow a 'learn more' link to understand ad personalization controls, rather than documenting those controls directly in the privacy policy.

View change record →

Clause Stability Stable

0
Changes
3
Months Monitored
Apr 3, 2026
First Seen
Apr 10, 2026
Last Seen
This clause type exists across 3350 other provisions on other platforms.

Consumer impact (what this means for users)

If you are in the EU, you can object to certain data processing activities, request restriction of processing, and file a formal complaint with your country's data protection authority if you believe your rights have been violated.

How other platforms handle this

Garmin Medium

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...

Grindr Medium

Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...

Strava Medium

For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.

See all platforms with this clause type →

Monitoring

OpenAI has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

The EU privacy addendum engages GDPR Articles 15-22 (data subject rights), Article 6 (lawful bases), and Article 77 (supervisory authority complaints); legal teams must ensure data subject request processes meet GDPR's 30-day response requirement.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • State Attorney General
    State AGs in California, New York, Texas, and other states can investigate violations of state consumer protection and privacy laws, including CCPA (California), SHIELD Act (New York), and equivalents.
    Who can file: Residents of states with comprehensive privacy laws — primarily California, Virginia, Colorado, Connecticut, and Utah
    What you need: Evidence of the violation, explanation of how your state rights were affected, and your account or contact information with the company
    What to expect: Outcomes vary by state. May result in investigation, enforcement action, or requirement for the company to change practices. No direct individual compensation in most cases.

    Search "[your state] attorney general consumer complaint" to find your state's direct complaint form

Applicable regulations

EU AI Act
European Union
BIPA
Illinois, USA
CCPA/CPRA
California, USA
Colorado AI Act
US-CO
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
EU AI Act - High Risk Provisions
EU
FTC Act Section 5
United States Federal
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
UK GDPR
United Kingdom
Universal Opt-Out Mechanism Expansion 2026
US

Provision details

Document information
Document
OpenAI Privacy Policy
Entity
OpenAI
Document last updated
May 5, 2026
Tracking information
First tracked
March 10, 2026
Last verified
March 10, 2026
Record ID
CA-P-000087
Document ID
CA-D-00010
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
2fbe11109feaf5b40033ad817b9480e0b1331745ab8bb7c3c35c4c1a6b84f387
Analysis generated
March 10, 2026 03:26 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: OpenAI
Document: OpenAI Privacy Policy
Record ID: CA-P-000087
Captured: 2026-03-10 03:26:08 UTC
SHA-256: 2fbe11109feaf5b4…
URL: https://conductatlas.com/platform/openai/openai-privacy-policy/gdpr-regional-rights-eu-users/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does OpenAI's GDPR Regional Rights (EU Users) clause do?

The provision creates an operational framework for OpenAI to comply with GDPR obligations applicable to EU residents. This establishes formal procedures and institutional responsibilities for data subject access requests and related regulatory requirements.

How does this clause affect you?

If you are in the EU, you can object to certain data processing activities, request restriction of processing, and file a formal complaint with your country's data protection authority if you believe your rights have been violated.

Is ConductAtlas affiliated with OpenAI?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.