Canadian privacy regulators say OpenAI violated federal and provincial laws in AI training practices
Regulators find OpenAI fell short on consent and data safeguards
Canadian privacy regulators say OpenAI’s training practices violated federal and provincial privacy laws, concluding the company was not compliant with rules governing the collection and use of personal information.
Philippe Dufresne, the Privacy Commissioner of Canada, said the findings came after a joint investigation with counterparts in Alberta, Quebec and British Columbia. The commissioners said OpenAI’s approach to data collection and consent ran afoul of Canada’s Personal Information Protection and Electronic Documents Act, or PIPEDA, which governs how companies handle personal information in the normal course of business.
According to the investigation summary, regulators identified several concerns. They said OpenAI gathered vast amounts of personal information without adequate safeguards to stop that data from being used to train its models, and failed to obtain consent before collecting and using personal information. They also raised concerns about the lack of user access to data, noting that ChatGPT users cannot access, correct or delete third-party personal information that may have been included in training datasets.
The commissioners also pointed to OpenAI’s handling of inaccurate responses from ChatGPT, saying the company’s efforts to acknowledge and address errors were insufficient.
OpenAI agrees to changes
Canada’s Privacy Commissioner said OpenAI was open and responsive during the investigation and has already committed to changes intended to bring ChatGPT into compliance with Canadian privacy law.
The company has retired earlier models that violated Canadian privacy regulation and now uses a filtering tool to detect and mask personal information such as names and phone numbers in publicly accessible internet data and licensed datasets used to train its models, the commissioner said.
OpenAI has also agreed to add a new notice to the signed-out version of ChatGPT within three months, warning that chats can be used for training and that sensitive information should not be shared.
Within six months, the company must make its data export tools easier to understand and use, better explain how users can challenge ChatGPT’s accuracy, confirm stronger protections for retired datasets so they cannot be used for active development, and test safeguards for minor relatives of public figures so the models deny requests for details such as names or dates of birth.
The investigation into OpenAI’s privacy policies began in 2023. The company has also faced more recent scrutiny from regulators over its connection to the mass shooting in Tumbler Ridge in February 2026.
Sources:
Doppler VPN: 6 server locations, VLESS protocol, zero tracking. Get started free.