Canadian privacy regulators find parts of ChatGPT data practices non-compliant

Privacy authorities in Canada concluded that aspects of OpenAI’s handling of personal information for ChatGPT training and operation did not comply with private-sector privacy laws.

Canadian privacy regulators have concluded that parts of OpenAI’s data collection and use practices for ChatGPT breached applicable privacy requirements.

The joint investigation involved the federal privacy commissioner and regulators from Québec, British Columbia, and Alberta. The review focused on GPT-3.5 and GPT-4 models used in ChatGPT.

The investigation examined how OpenAI collected and used personal information from publicly accessible websites, licensed datasets, and user conversations. Regulators assessed issues including consent, transparency, retention, accountability, and disclosure of personal data.

A central finding concerns model training on public internet data. Regulators accepted that developing AI systems is a legitimate activity, but concluded that the scale and scope of data collection were too broad. According to the report, individuals would not reasonably expect information posted online to be scraped and used for AI model training in this manner.

The authorities also found that implied consent was insufficient in this context, particularly because training datasets could include sensitive personal information. In several areas, regulators said express consent should have been obtained instead.

The findings also cover user interactions with ChatGPT. Regulators accepted that some conversational data could be used for model improvement, but stated that users were not clearly informed that their prompts and exchanges might be reviewed or reused for training purposes.

Another issue involved ChatGPT outputs themselves. The report states that OpenAI should have applied stronger safeguards to prevent disclosure of sensitive personal information generated through responses.

The decision is notable because it moves beyond general concerns about AI and focuses on how existing privacy laws apply to large-scale AI training practices. The findings suggest that regulators are increasingly examining not only how AI systems generate content, but also how training data is collected and whether users meaningfully understand how their information is being reused.
