OpenAI faces privacy suit, Canadian finding

OpenAI entered the middle of May facing pressure on three fronts at once: a new U.S. privacy lawsuit, a Canadian regulatory finding and a product push deeper into users’ financial lives. A proposed class action filed in California accuses the company of routing ChatGPT web activity to Meta and Google tracking tools without consent. Canadian privacy regulators, in a separate matter, said OpenAI’s initial development and deployment of ChatGPT did not comply with federal and provincial privacy laws. Days later, OpenAI rolled out personal-finance features for ChatGPT Pro users in the United States through Plaid. ### What does the U.S. lawsuit actually allege? A complaint filed on May 14 in the U.S. District Court for the Southern District of California alleges OpenAI embedded Meta’s Facebook Pixel and Google Analytics on ChatGPT’s web interface and transmitted users’ chat topics, identifiers and contact details to those companies without consent. The suit, as described in reports on the filing, seeks to represent U.S. users who entered queries into ChatGPT.com and cites the federal Electronic Communications Privacy Act and California privacy law. The complaint says ChatGPT users often discuss finances, health and legal matters and had a reasonable expectation those exchanges would stay with OpenAI. It alleges Meta-linked requests could include content-derived context and cookies tied to Facebook accounts, while Google tags could capture hashed email addresses and device identifiers. Those claims are allegations in a civil suit and had not been tested in court as of May 19. (cybersecuritynews.com) ### What did Canadian regulators find? Canada’s Privacy Commissioner and privacy regulators in Quebec, British Columbia and Alberta said on May 6 that OpenAI’s initial training of ChatGPT was not compliant with their respective privacy laws. The joint investigation examined OpenAI’s collection, use and disclosure of personal information in developing ChatGPT and found several privacy concerns. (cybersecuritynews.com) The regulators listed overcollection of personal information, lack of valid consent and transparency, factual inaccuracies involving personal information, problems with access, correction and deletion rights, and a lack of accountability for personal information under OpenAI’s control. The federal commissioner said OpenAI had since implemented measures and committed to further steps in coming months, leading him to find the complaint well-founded and conditionally resolved under Canada’s federal private-sector law. (priv.gc.ca) Alberta Information and Privacy Commissioner Diane McLeod said the investigation found OpenAI “did not appear to turn its mind adequately to privacy compliance” in developing and deploying ChatGPT. The investigation was triggered by a complaint filed in April 2023 and announced in May 2023, according to the Alberta regulator. ### Why is the Plaid launch drawing attention now? OpenAI launched the personal-finance tool in preview on May 15 for ChatGPT Pro subscribers in the United States, according to TechCrunch. (priv.gc.ca) The feature lets users connect accounts through Plaid and ask ChatGPT questions about spending, investing and future planning. OpenAI said users can connect to more than 12,000 financial institutions, including Schwab, Fidelity, Chase, Robinhood, American Express and Capital One. (oipc.ab.ca) The product is designed as a read-only tool rather than a transaction service. Reports on the launch said users can view balances, subscriptions, spending patterns and upcoming payments, while full account numbers are not exposed and transactions are not enabled. TechCrunch also reported that users can remove connected services in settings and that synced data is removed from ChatGPT within 30 days after disconnection. (techcrunch.com) ### Are these separate issues or part of the same scrutiny cycle? May 2026 reporting has tied OpenAI’s privacy questions to a wider compliance debate across AI companies. Brownstone Worldwide and VentureBeat reported that four supply-chain incidents affecting OpenAI, Anthropic and Meta over a 50-day period exposed weaknesses in release pipelines, dependency controls and packaging processes rather than model behavior itself. (techcrunch.com) Those incidents are separate from the U.S. lawsuit and the Canadian investigation, but they add to a growing focus on how AI companies handle data, software controls and deployment processes. In Canada, regulators said they will monitor OpenAI’s promised privacy measures. In the United States, the proposed class action will move next through federal court, where the allegations against OpenAI’s tracking practices will be contested. (priv.gc.ca) (venturebeat.com)