Canada finds OpenAI broke privacy law

Canada’s privacy regulators just did something important to OpenAI — and to the whole AI industry. They said the company’s original training and rollout of ChatGPT did not comply with Canadian privacy law. That sounds narrow, but it isn’t. Basically, Canada is treating a frontier AI model less like a mystical new technology problem and more like a regular company that still has to follow ordinary rules about consent, accuracy, deletion, and accountability. ### What actually happened? On May 6, Canada’s federal privacy commissioner and the privacy regulators in Quebec, British Columbia, and Alberta released the results of a joint investigation into OpenAI. The probe started after a 2023 complaint and looked at how ChatGPT collected, used, and disclosed Canadians’ personal information. Their bottom-line view was blunt: the way OpenAI initially trained ChatGPT was not compliant with the privacy laws those offices enforce. ### Which versions were under the microscope? This was not some vague complaint about “AI” in general. The investigation looked at the models that were live when the case began in 2023 — GPT-3.5 and GPT-4. That matters because it ties the legal finding to the actual systems that made ChatGPT explode into public use, not to some hypothetical future model. ### What did regulators say OpenAI got wrong? The list is long, but the core problem is simple: OpenAI hoovered up huge amounts of personal information and did not build enough privacy protection around that process. Regulators said the company overcollected data, failed to get valid consent, was not transparent enough about where data came from, did not give people effective ways to access, correct, or delete their information, and lacked proper retention and disposal rules. They also said ChatGPT could generate inaccurate or fabricated personal information about people — the classic hallucination problem, but framed as a privacy-law issue. ### Why is consent such a big deal here? Because large language models are trained on massive datasets, and some of that material can include personal information scraped from public websites, forums, and social platforms. OpenAI’s defense, in effect, has been that public information can be used this way at scale. Canada’s regulators are saying not so fast — public availability does not erase privacy obligations, especially when sensitive information, children’s data, health details, or political views can get pulled into training. That is a much stricter view of “public data” than the AI industry has often preferred. ### Did Canada order OpenAI to shut anything down? No. The federal outcome is more nuanced than that. The Privacy Commissioner said the complaint was “well-founded and conditionally resolved” because OpenAI has already made changes and committed to more. Regulators said OpenAI has significantly limited the personal and sensitive information used to train new ChatGPT models, and they plan to monitor whether those changes stick. But the finding still stands — the original setup broke the rules. ### Why does this matter beyond Canada? Because this is the clearest version yet of a broader regulatory move: don’t wait for a grand unified “AI law” if existing privacy law already covers the conduct. That makes enforcement easier. You do not have to solve every philosophical question about AI safety to say a company needed valid consent, deletion procedures, and accuracy safeguards before deploying a product. Canada is basically telling regulators elsewhere that the boring administrative-law route may be the fastest real route. ### What’s the catch for OpenAI? The catch is that fixing future training practices does not erase the precedent. If regulators can pin GPT-3.5 and GPT-4 to concrete privacy violations, that creates a template others can reuse — in courts, in data-protection probes, and in rulemaking fights over scraping and model training. OpenAI may have reduced immediate Canadian exposure, but the legal theory against broad, indiscriminate data collection just got a lot more tangible. ### Bottom line? Canada did not ban ChatGPT. It did something more durable. It said the messy guts of AI training still count as personal-data processing — and that means the old rules still apply.