Policy & Regulationopenaiprivacycanadapipeda

Canadian Regulators Find OpenAI Violated Privacy Laws

||By LDS Team
6.9
Relevance Score
Canadian Regulators Find OpenAI Violated Privacy Laws
Photo: blogger.googleusercontent.com · rights & takedowns

A joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the provincial privacy commissioners of Alberta, Quebec and British Columbia concluded that OpenAI's early development and training of ChatGPT models did not comply with federal and provincial privacy laws, the offices said in a joint report released May 6, 2026. The regulators identified alleged violations including overcollection of personal information, use without valid consent, and shortcomings in data-subject access and correction, according to the report (OPC, OIPC Alberta, CAI Quebec, OIPC BC). The report examined ChatGPT 3.5 and ChatGPT 4 as they existed in 2023. Privacy Commissioner Philippe Dufresne is quoted saying OpenAI "launched ChatGPT without having fully addressed known privacy issues," per IAPP. The regulators also noted OpenAI cooperated during the probe and has implemented or committed to measures such as retiring earlier models, deploying a filtering tool to mask personal data in training sets, and timed notice and data-export improvements, the offices said.

What happened

A joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the provincial privacy commissioners for Alberta, Quebec, and British Columbia concluded that OpenAI's early training and deployment of ChatGPT models did not comply with federal and provincial privacy laws, according to the joint report published May 6, 2026 (OPC; OIPC Alberta; CAI Quebec; OIPC BC). The investigation examined the versions of the product in use when the probe began in April 2023, including ChatGPT 3.5 and ChatGPT 4, the report states (OIPC Alberta). The regulators identified alleged problems including overcollection of personal information, use without valid consent, and shortfalls in data-subject access, correction, and deletion, according to the joint findings (IAPP; OPC). Privacy Commissioner Philippe Dufresne is quoted saying OpenAI "launched ChatGPT without having fully addressed known privacy issues," per IAPP. The joint report records that OpenAI engaged with the investigation and has implemented or committed to a set of privacy-protective steps, including retiring earlier models deemed noncompliant, using a filtering tool to detect and mask personal information in publicly available and licensed training datasets, and making user notices and export tools clearer within specified timeframes, the offices said (Engadget; OPC overview).

Technical details

Editorial analysis - technical context: The regulators focused on data provenance and lifecycle controls that matter for model training compliance: whether personal data was lawfully collected, whether notice and consent practices covered scraped or third-party data, and whether mechanisms existed to locate, correct or delete individuals' records once incorporated into training corpora. These are common technical-compliance touchpoints across jurisdictions enforcing privacy law against large-scale machine learning projects.

Context and significance

This joint enforcement action is one of the more prominent cross-jurisdictional privacy findings against an AI model developer, and it frames privacy risk in model training as an actionable regulatory concern. For practitioners building or managing training pipelines, regulators' emphasis on provenance, masking/filters, and data-subject access aligns with ongoing legal debates under PIPEDA and comparable provincial statutes.

What to watch

Editorial analysis: Observers should track how the OPC and provincial offices follow up on the report's recommendations and timelines, whether other national regulators cite the findings, and how vendors implement or measure the effectiveness of filtering and dataset-retirement controls. Also watch for updates to user-facing notices and data-export functionality described in the joint findings and whether independent reviews assess the sufficiency of claimed mitigations.

Reported sources

The summary above is based on the joint report and public statements from the Office of the Privacy Commissioner of Canada and participating provincial privacy commissioners, plus coverage by IAPP and Engadget reporting on the May 6, 2026 joint findings.

Key Points

  • 1Joint Canadian regulators found OpenAI's 2023 training of ChatGPT models violated federal and provincial privacy laws, per the May 6, 2026 report.
  • 2Regulators highlighted overcollection, use without valid consent, and data-subject access failures, underscoring provenance and lifecycle control gaps for training data.
  • 3Industry observers should expect increased scrutiny on dataset provenance, masking tools, and demonstrable access/correction mechanisms for ML training pipelines.

Scoring Rationale

This joint federal-provincial enforcement finding is a notable regulatory precedent for model training privacy and will matter to teams handling large scraped or licensed datasets; the score is moderated for freshness because the principal report was published May 6, 2026.

Practice with real Ad Tech data

90 SQL & Python problems · 15 industry datasets

250 free problems · No credit card

See all Ad Tech problems