Canadian officials claim OpenAI violated federal and provincial privacy laws
Source: Engadget

Investigation Findings
Philippe Dufresne, the Privacy Commissioner of Canada, has found OpenAI was not compliant with Canadian federal and provincial privacy laws in the training of its AI models. The investigation, conducted jointly with privacy commissioners in Alberta, Quebec, and British Columbia, identified several issues:
- OpenAI gathered vast amounts of personal information without adequate safeguards to prevent its use in model training.
- The company failed to obtain consent for collecting and using that personal information.
- Warnings in ChatGPT note that interactions could be used for training, but third‑party data that OpenAI purchased or scraped also includes personal details that users are unlikely to be aware of.
- Users have no way to access, correct, or delete the data used to train the models.
- OpenAI’s attempts to acknowledge inaccuracies in ChatGPT responses were deemed lackluster.
A full summary of the findings is available from the Privacy Commissioner’s office.
OpenAI’s Response and Commitments
Canada’s Privacy Commissioner notes that OpenAI was open and responsive during the investigation and has already committed to several changes:
- Retired earlier models that violated Canadian privacy regulation.
- Implemented a filtering tool to detect and mask personal information (e.g., names, phone numbers) in publicly accessible internet data and licensed datasets used for training.
- Within three months, will add a new notice to the signed‑out version of ChatGPT stating that chats can be used for training and advising users not to share sensitive information.
- Within six months, will:
- Make data export tools easier to understand and use, and improve explanations of how users can challenge the accuracy of ChatGPT’s responses.
- Confirm implementation of strong protections for future datasets that are retired, preventing their use in active development.
- Test protective measures for minor relatives of public figures (who are not themselves public figures) to ensure the models deny requests to share their name or date of birth.
Broader Regulatory Context
The investigation, opened in 2023, follows heightened scrutiny of OpenAI after its connection to the February 2026 mass shooting in Tumbler Ridge. Reports indicate that OpenAI flagged the alleged shooter’s account in 2025 for containing warnings of real‑world violence but did not escalate the concerns to Canadian law enforcement.
In the aftermath, regulators demanded changes to OpenAI’s safety approach. The company subsequently agreed to collaborate more closely with Canadian law enforcement and health agencies.