Canadian privacy regulators release landmark joint investigation findings on OpenAI’s ChatGPT

On May 6, 2026, the Office of the Privacy Commissioner of Canada (OPC), the Commission d’accès à l’information du Québec (CAI), the Office of the Information and Privacy Commissioner for British Columbia (OIPC-BC) and the Office of the Information and Privacy Commissioner of Alberta (OIPC-AB) jointly released the findings of their investigation into OpenAI OpCo, LLC’s compliance with federal and provincial private-sector privacy legislation in relation to ChatGPT (PIPEDA Findings #2026-002). This is a significant decision for any organization developing, deploying or using generative AI tools in Canada.
Background
The joint investigation, launched in 2023, examined how OpenAI collected personal information from publicly accessible Internet sources, licensed third-party datasets and user interactions with ChatGPT to train its GPT-3.5 and GPT-4 models. The regulators concluded that OpenAI’s initial training of ChatGPT did not comply with Canadian privacy laws, finding deficiencies across consent, transparency, accuracy, retention, access rights and accountability. Notably, while the regulators accepted that building large language models constitutes an “appropriate purpose” under privacy legislation, they held that OpenAI failed to obtain valid consent – particularly for scraping publicly accessible personal information and for using user interactions to fine-tune its models – and recommended various additional privacy protection measures.
A critical provincial divergence
The four regulators reached different conclusions. The OPC found the complaint well-founded and conditionally resolved under PIPEDA. However, the OIPC-BC and OIPC-AB found the complaint well-founded but unresolved, concluding that their provincial statutes are more specific and explicit than PIPEDA regarding consent, and that OpenAI’s models are based on scraped data for which it has not obtained – and cannot obtain – valid consent. The CAI found its complaint partially unresolved, with consent and retention issues outstanding under Quebec law.
Practical guidance for organizations
This decision has broad implications for any Canadian organization that develops, deploys or integrates AI tools that process personal information. Here are the key takeaways:
1. “Publicly accessible” does not mean “free to scrape”
The decision confirms that scraping personal information from the Internet does not constitute collection of “publicly available” information under PIPEDA or provincial legislation. Express consent may be required where the information is sensitive or the proposed use falls outside reasonable expectations. Under PIPA-BC and PIPA-AB, the consent requirements are even more demanding.
2. Implied consent requires real safeguards, not just shifting norms
The OPC accepted that reasonable expectations have evolved with public awareness of generative AI. However, organizations cannot treat shifting societal norms as a blanket justification for implied consent to train AI models without demonstrating meaningful privacy-protective measures, such as being open and transparent about their practices and minimizing the personal information collected and used.
3. Be specific about transparency
Generic statements that an AI system was “trained on publicly available information” are insufficient. Organizations should clearly identify the categories and sources of personal information used for training, explain how models function and communicate known limitations on accuracy and explainability.
4. Address accuracy proactively
Organizations must assess and disclose accuracy limitations before deployment – not wait for complaints. This includes implementing verification tools and providing clear disclaimers for any personal information in model outputs.
5. Have retention and accountability frameworks in place before launch
The regulators criticized OpenAI for deploying ChatGPT without formal retention and deletion policies. Organizations should establish retention schedules and accountability measures – including governance structures, policies and training – before any commercial deployment.
6. Embed privacy by design throughout the AI lifecycle
The regulators expect technical mitigation measures at each stage – from data collection through deployment – to limit personal information processing to what is necessary and proportional. Concrete examples from the report include filtering tools that detect and mask personal identifiers in training datasets before they are used for training, excluding data sources that contain significant personal information (such as social media and discussion forums), training models to refuse to provide private or sensitive information in outputs and providing opt-out mechanisms that allow users to prevent their interactions from being used for model training.
7. PIPEDA compliance does not equal provincial compliance
The divergent outcomes confirm that organizations operating across multiple provinces must account for the specific consent requirements of each applicable statute, particularly in British Columbia and Alberta.
Looking ahead
Privacy Commissioner Philippe Dufresne stated that this investigation “further reinforces the need to modernize Canada’s privacy laws for the digital age.” Organizations developing or deploying AI in Canada should treat this decision as a clear signal of regulatory expectations and assess their own practices accordingly.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.



