What are the institutional and regulatory implications of this document?

(1) REGULATORY EXPOSURE: This policy directly engages CCPA/CPRA (Cal. Civ. Code §§1798.100–1798.199.100) enforced by the California Privacy Protection Agency and California AG; Virginia VCDPA (Va. Code §59.1-575 et seq.); Colorado CPA (C.R.S. §6-1-1301 et seq.); Connecticut CTDPA (Conn. Gen. Stat. §42-515 et seq.); Texas TDPSA (Tex. Bus. & Com. Code §541); FTC Act Section 5 (15 U.S.C. §45) for unfair or deceptive practices; COPPA (15 U.S.C. §6501) given OpenAI's stated minimum age requirements;…

How does OpenAI's OpenAI Privacy Policy affect users?

OpenAI collects extensive personal data including your chat conversations, device information, location data, and usage patterns across ChatGPT and its API products, and uses this data by default to train its AI models. Third-party advertising trackers from Meta, Google, LinkedIn, Reddit, and Bing are also present, meaning your browsing behavior on OpenAI's sites may be shared with those companies for advertising purposes. You can opt out of having your conversations used for AI model training …

How often is OpenAI's OpenAI Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when OpenAI updates this document?

Yes. Watcher subscribers ($9.99/month) can add OpenAI to their watchlist and receive same-day email alerts whenever this document or any other OpenAI document changes.

OpenAI Privacy Policy — OpenAI

8 Total

4 High severity

4 Medium severity

0 Low severity

Summary

This is OpenAI's US privacy policy explaining how it collects and uses your data when you use ChatGPT and other OpenAI products. The most important thing to know is that by default, your conversations with ChatGPT — including everything you type and every response generated — may be used to train OpenAI's AI models. You can turn off this training use of your data by going to ChatGPT Settings > Data Controls and disabling 'Improve the model for everyone.'

Technical Summary

OpenAI's US Privacy Policy governs the collection, use, and disclosure of personal information by OpenAI, L.L.C. in connection with its services including ChatGPT, the API, and related products, relying on legal bases including consent, contractual necessity, legitimate interests, and compliance with legal obligations under applicable US state privacy laws. The policy creates significant obligations including granting users rights to access, correct, delete, and opt out of certain data processing, while obligating OpenAI to disclose categories of personal data collected, purposes of collection, and categories of third-party recipients. A notable deviation from standard practice is OpenAI's explicit acknowledgment that it collects conversation content — including user prompts and AI-generated outputs — and may use this content to train its AI models, with opt-out available only through a settings toggle rather than being opt-in by default, creating asymmetric consent architecture. The policy engages CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), various US state privacy laws including Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Texas TDPSA, with enforcement by the California Attorney General, state AGs, and the FTC under Section 5 of the FTC Act. Material compliance considerations include the breadth of sensitive data categories collected (including health-related information, location data, and biometric-adjacent voice and image data), the use of conversation data for AI model training, and the engagement of numerous third-party advertising and analytics vendors including Meta, Google, LinkedIn, Reddit, and Bing whose tracking scripts are embedded in the policy page itself.

Evidence Provenance

Captured May 2, 2026 06:02 UTC

Document ID CA-D-000010

Version ID CA-V-001160

Source URL https://openai.com/policies/privacy-policy

Wayback Machine View archived versions →

SHA-256 6b353c1589a72be1536014a6333192a72a329bfe07d9e879dd16e0b7b3a60cbd

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Institutional Analysis

🔒 Institutional analysis locked

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Upgrade to Professional — $149/mo

Change Timeline

May 2, 2026 — Document updated unknown

OpenAI updated their OpenAI Privacy Policy on May 02, 2026. Change detected: 1 sentence(s) added, 1 sentence(s) modified. Document contained 155 sentences after update.

1 added · 1 modified
View diff → View full record →
6b353c15…
May 1, 2026 — Document updated high

OpenAI updated its Privacy Policy on May 1, 2026 to explicitly allow sharing your personal data with third-party marketing partners — not just service providers — to promote OpenAI products on external websites and platforms. The policy now also lists direct marketing as a stated purpose for using your data. This matters because your data may now be shared more broadly with outside advertising partners, though OpenAI says you can opt out.

9 added · 12 modified
View diff → View full record →
f622170a…
March 6, 2026 — Initial capture

Initial snapshot — monitoring begins

3b160fe9…

View full version history (0 captures) →

Analyzed Changes

2 changes analyzed since monitoring began.

Updated May 2, 2026

unknown

What changed OpenAI updated their OpenAI Privacy Policy on May 02, 2026. Change detected: 1 sentence(s) added, 1 sentence(s) modified. Document contained 155 sentences after update.

Updated May 1, 2026

high

What changed OpenAI updated their OpenAI Privacy Policy on May 01, 2026. Change detected: 9 sentence(s) added, 12 sentence(s) modified. Document contained 154 sentences after update.

Consumer impact OpenAI's updated policy now explicitly allows your personal data — including data collected via cookies — to be shared with third-party marketing partners to advertise OpenAI products on external websites and platforms, which was not disclosed as a purpose before. Previously, data sharing with outside parties was framed around service providers bound by OpenAI's instructions; now a broader category of 'marketing partners' can receive your data with fewer restrictions. You can visit the opt-out link referenced in OpenAI's updated policy to control how your information is used for third-party advertising.

Why it matters This change means OpenAI can now share your personal data with outside advertising companies to target you across the web, which goes beyond what the previous policy allowed. Users who do not want their data used for external advertising should use the newly added opt-out mechanism immediately.

Recent Clause-Level Changes May 1, 2026

Added (4)

Third-Party Advertising Tracker Embedding High

This addition reveals new third-party tracking infrastructure and cross-site behavioral monitoring not previously disclosed, representing material expansion of data collection methods.

Sensitive Personal Information Collection High

This new provision explicitly acknowledges collection of sensitive health and financial data, which creates heightened privacy obligations and represents a significant expansion of permissible data categories.

Disclosure to Third Parties and Service Providers Medium

This addition explicitly details third-party sharing categories and law enforcement disclosure procedures, replacing the previous vague reference and providing transparency on data flow to external parties.

California-Specific Privacy Rights (CCPA/CPRA) Medium

This new provision adds explicit CPRA compliance language including sensitive data limitation rights, representing alignment with 2023 California privacy law amendments not present in previous version.

Removed (3)

Third-Party and Affiliate Data Sharing

While replaced by more detailed disclosure provisions, the previous high-severity framing of affiliate sharing has been deprioritized in the current version.

Cross-Border Data Transfers

Removal of explicit cross-border transfer provision eliminates transparency on international data movement mechanisms (e.g., standard contractual clauses, adequacy decisions).

GDPR Regional Rights (EU Users)

Absence of dedicated GDPR provision in current version potentially indicates either consolidation into general user rights or reduced emphasis on EU-specific compliance.

Modified (4)

AI Model Training on Conversation Data (Default Opt-In)

Previous version had no excerpt data, but current version now explicitly states opt-out mechanism is available in account settings rather than implicit or unstated.

User Rights: Access, Correction, Deletion, and Portability

Previous version had no excerpt, current version now consolidates deletion, export, and portability rights into single provision with explicit reference to Privacy Portal URL.

Children's Privacy and Age Restriction

Previous version had no excerpt data, current version now adds explicit requirement for parental consent for users aged 13-18 and provides contact mechanism for child data concerns.

Data Retention

Previous version had no excerpt, current version now explicitly details deletion/anonymization commitment and expanded retention purpose scope.

View full change record →

High Severity — 4 provisions

AI Model Training on Conversation Data (Default Opt-In)

OpenAI uses your chat conversations to train its AI by default. You have to actively go into your settings and turn this off yourself.

Added April 27, 2026
Third-Party Advertising Tracker Embedding

OpenAI allows advertising companies including Meta, Google, LinkedIn, Reddit, and Bing to place tracking code on its website, which can follow your activity and report it back to those companies for advertising purposes.

Added April 27, 2026
Sensitive Personal Information Collection

OpenAI may collect sensitive personal information including health details, financial information, and other sensitive content that you type into ChatGPT conversations.

Added April 27, 2026
Children's Privacy and Age Restriction

OpenAI prohibits children under 13 from using its services and requires parental consent for users aged 13-17, but relies on users self-reporting their age rather than technical age verification.

Added April 27, 2026

Medium Severity — 4 provisions

User Rights: Access, Correction, Deletion, and Portability

You have the right to see what personal data OpenAI has about you, ask for corrections, request deletion, or get a copy of your data — and you can do this through OpenAI's privacy portal.

Added April 27, 2026
Data Retention

OpenAI keeps your personal data for as long as it decides is 'necessary,' which is broadly defined and gives OpenAI significant discretion to retain data including for legal and fraud purposes.

Added April 27, 2026
Disclosure to Third Parties and Service Providers

OpenAI shares your personal data with a wide range of outside companies for services like payments and marketing, and will hand over your data to government authorities when legally required.

Added April 27, 2026
California-Specific Privacy Rights (CCPA/CPRA)

If you live in California, you have special legal rights to control your data at OpenAI, including the right to stop your data from being sold or used for advertising and to limit use of sensitive personal information.

Added April 27, 2026