Four Regulators, One Verdict: What the Canadian ChatGPT Privacy Finding Means for Your Business

On May 6, 2026, four Canadian privacy regulators — the federal Office of the Privacy Commissioner (OPC), the Commission d’accès à l’information du Québec (CAI), and the provincial commissioners of British Columbia and Alberta — released the results of a three-year joint investigation into OpenAI’s ChatGPT. The finding was unambiguous: OpenAI violated Canadian privacy law in building and deploying its flagship AI product.

This is not a routine regulatory rebuke. It is the most significant enforcement action against a large AI developer in Canadian history, and it sets out — in granular, binding detail — what Canadian privacy law requires of any organization that develops, deploys, or integrates AI tools that process personal information. If your organization uses AI in any meaningful way, this decision deserves your attention.


Background: Three Years in the Making

The investigation began in spring 2023, when a complaint was filed with the OPC alleging that OpenAI had collected, used, and disclosed personal information without proper consent in training ChatGPT. Recognizing the national scope of the issue, the OPC quickly brought its provincial counterparts in Quebec, British Columbia, and Alberta into a coordinated joint probe — an unusual step that signals how seriously regulators viewed the matter.

Over three years, the Offices examined how OpenAI collected personal information from publicly accessible internet sources and licensed third-party datasets, and how it used interactions between ChatGPT users and the platform to fine-tune its GPT-3.5 and GPT-4 models. The investigation focused on the models that powered ChatGPT at the time of launch — not the most recent iterations — but the findings are structured to apply forward.


What the Regulators Found

The investigation identified violations across six distinct areas of Canadian privacy law:

A. Consent

The regulators’ central finding is that OpenAI failed to obtain valid consent for two key practices: scraping personal information from the public internet to build its training dataset, and using users’ ChatGPT interactions to fine-tune its models.

On the scraping question, the finding is precise and important: “publicly accessible” does not mean “free to collect.” Under PIPEDA and its provincial equivalents, personal information drawn from public internet sources does not qualify as “publicly available” in the sense that exempts organizations from consent requirements — particularly where the information is sensitive or the proposed use falls outside what the person who originally posted it would reasonably expect. The mere fact that something is on the internet does not make it available for training a commercial AI system.

On the use of user interactions for model training, the Offices found that the design of ChatGPT’s opt-out mechanism — which, until April 2024, required users to turn off their chat history entirely in order to opt out of having their conversations used for training — was a deceptive design pattern that did not constitute meaningful consent. Users who wanted to keep their chat history had no way to prevent their data from feeding the model.

B. Transparency

OpenAI’s disclosures about how personal information was collected and used were inadequate. Generic references to training on “publicly available data” fall short of the specificity required. Organizations must identify the categories and sources of personal information used, explain how models function, and disclose known limitations on accuracy and explainability.

C. Accuracy

The Offices criticized OpenAI for launching ChatGPT while knowing the model was prone to fabricating factual information about real people. Privacy law imposes an obligation to take reasonable steps to ensure personal information is accurate, complete, and up to date. Deploying a system with known hallucination risks, without adequate disclosures and verification mechanisms, does not satisfy that obligation.

D. Retention

OpenAI had no formal data retention or deletion policies in place at the time of launch. The Offices found this was a fundamental gap — not a procedural oversight. Organizations must establish how long personal information will be kept and when it will be deleted, and must implement those policies before going to market.

E. Access Rights

OpenAI’s mechanisms for users to access or correct personal information held about them were found to be insufficient.

F. Accountability

The investigation found broader weaknesses in OpenAI’s internal governance: inadequate privacy management policies, insufficient training, and a lack of demonstrable accountability for privacy outcomes.


A Critical Provincial Divergence — and Why It Matters

The four regulators agreed on the facts but reached different legal conclusions — and the differences are significant for any organization operating nationally.

Federal (OPC / PIPEDA): The complaint was found well-founded and conditionally resolved. The OPC accepted that building large language models is a legitimate purpose under PIPEDA, and accepted that OpenAI’s subsequent corrective measures — including deprecating earlier models trained without adequate privacy protections — resolved the federal complaint on a going-forward basis.

British Columbia and Alberta (PIPA-BC / PIPA-AB): The complaints were found well-founded and unresolved. The provincial commissioners concluded that their statutes impose more demanding and explicit consent requirements than PIPEDA, and that — critically — OpenAI’s scraping of training data relied on consent that cannot be obtained retroactively. Under BC and Alberta law, the earlier models were built in a way that cannot simply be corrected.

Quebec (CAI / Private Sector Act): Partially unresolved, with outstanding issues on consent and retention under Quebec’s more prescriptive privacy regime.

The practical implication: Organizations cannot assume that federal PIPEDA compliance is sufficient. In British Columbia and Alberta in particular, the consent bar for AI training data is materially higher. Any organization operating across provinces — which is most organizations of any size — must conduct a jurisdiction-by-jurisdiction analysis.


What This Means for Canadian Organizations

If You Deploy AI Tools Built by Third Parties

The finding makes clear that privacy accountability does not end at the vendor relationship. If you integrate an AI tool into your operations that processes personal information about your customers, employees, or other individuals, you have an independent obligation to assess how that tool was built and how it handles data. Vendor due diligence must now include:

  • How was the model trained, and on what data?

  • Does the vendor have adequate consent for the use of personal information in training?

  • Does the vendor’s data processing agreement address Canadian privacy requirements specifically?

  • What are the vendor’s data retention and deletion policies?

  • What opt-out mechanisms are available to individuals?

A contractual warranty that a vendor “complies with applicable law” is not sufficient due diligence. The ChatGPT finding demonstrates that a sophisticated, well-resourced AI company can be found non-compliant with Canadian law despite having privacy policies in place. Organizations that rely on those policies without independent inquiry are assuming a risk they may not have properly assessed.

If You Are Developing AI Products or Features

The finding is, in effect, a detailed specification of what Canadian regulators expect before an AI product goes to market:

  • Training data: Personal information used in training must be consented to, not merely publicly accessible. Where sensitive information is involved, express consent is likely required. Filtering tools that detect and redact personal identifiers in training datasets are now an expected minimum standard.

  • Transparency: Be specific. Disclose the categories and sources of training data. Explain model function. Describe known accuracy limitations — particularly where model outputs may include personal information about real individuals.

  • Opt-out mechanisms: Opt-outs must be genuinely accessible and must not require users to sacrifice unrelated functionality. The ChatGPT chat history arrangement was specifically cited as a deceptive pattern.

  • Accuracy and hallucination risk: Where your model may generate personal information about real people, you need verification tools, output disclaimers, and a process for correction before launch — not after complaints arrive.

  • Retention policies: These must be in place before deployment, not developed in response to an investigation.

  • Privacy by design: Regulators expect technical mitigation measures at every stage of the AI lifecycle — from data collection through model training through deployment.

If You Are a Healthcare Organization

The investigation has a parallel in the Ontario Auditor General’s AI report, released just days later on May 12, which found that AI Scribe tools used by Ontario physicians were deployed without adequate accuracy testing and without proper security documentation. Hallucinations — incorrect medications, missed mental health details — were documented in actual patient records. The standard for AI used in regulated contexts is higher, not lower. Privacy by design and pre-deployment accuracy validation are not optional.


The Legislative Gap — and What Comes Next

Privacy Commissioner Philippe Dufresne used the occasion of the finding to renew the call for modernizing Canada’s federal privacy legislation. PIPEDA was enacted in 2000. ChatGPT launched in 2022. The gap between the statute’s architecture and the reality of large language model training is not a technicality — it is structural.

Canada’s long-stalled successor to PIPEDA has not yet been enacted. In the absence of new legislation, the OPC is using investigations like this one to define standards through enforcement — a pattern that mirrors how European regulators used the GDPR’s early years. The implication for organizations is that regulatory expectations are being set now, through findings and guidance, even without a new statutory framework.

Organizations that wait for a new federal privacy law before updating their AI governance practices are waiting too long.


The Bottom Line

The ChatGPT finding is the clearest signal yet that Canadian regulators are prepared to scrutinize AI systems with the same rigour applied to any other data-processing practice. The fact that a product is widely used, commercially successful, and built by one of the world’s best-resourced technology companies did not insulate it from a finding of non-compliance. It will not insulate your organization either.

The core message from the finding is straightforward: the rules that govern the collection, use, and disclosure of personal information apply to AI — fully, and from the beginning. Launching first and building privacy compliance later is not a permissible approach under Canadian law. Neither is treating a public-facing privacy policy as a substitute for genuine privacy-by-design practices.

The time to review your AI governance framework — whether you are building, deploying, or simply using AI tools — is now.


This post is for general informational purposes only and does not constitute legal advice. Questions about AI governance, privacy compliance, or technology risk management in your organization should be directed to legal counsel. Please contact us to discuss your specific circumstances.
