Canada Finds OpenAI's ChatGPT Data Scraping Improper | TLY

AI Regulation Tracker  /  Regulator finding

Canadian regulators find OpenAI's ChatGPT web scraping contravened federal privacy law

Four Canadian privacy regulators concluded that OpenAI's mass collection of personal information to train ChatGPT was inappropriate and required express consent for sensitive information. The finding puts every firm that trains or deploys AI on Canadians' data on notice.

Canadian regulators find OpenAI's ChatGPT web scraping contravened federal privacy law regulation briefing
The Leveraged Years AI Regulation Tracker

Four Canadian privacy regulators have concluded that OpenAI contravened the law when it scraped personal information from across the web to train ChatGPT. In a joint finding released on May 6, 2026, the Office of the Privacy Commissioner of Canada, together with the regulators of Quebec, British Columbia, and Alberta, held that the collection was inappropriate and that the company could not rely on the information being publicly accessible to justify it.

What the regulators found

The finding, published as PIPEDA Findings #2026-002, concluded that OpenAI contravened subsection 5(3) of the federal Personal Information Protection and Electronic Documents Act, along with parallel provisions of the private-sector privacy statutes in British Columbia, Alberta, and Quebec. Subsection 5(3) permits an organization to collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances. The regulators found that scraping personal information at scale from publicly accessible websites and licensed datasets to train GPT-3.5 and GPT-4 did not meet that standard.

On consent, the regulators were direct. Collecting and using personal information from public sources for model training was, in their words, outside individuals' reasonable expectations, so the company could not rely on implied consent. They noted that the training data necessarily swept in sensitive categories, including health information, financial information, and information about children, for which express consent is required. The point is not that consent can never be obtained for AI training. It is that the form of consent has to match the sensitivity of the data and the way a reasonable person would expect that data to be used. For sensitive categories, that means an opt-in, not an assumption drawn from the fact that a profile or post was visible online.

The four regulators acted together, which is itself worth noting. The federal commissioner led alongside counterparts in Quebec, British Columbia, and Alberta, the three provinces with their own private-sector privacy statutes deemed substantially similar to the federal law. A single company practice was measured against four overlapping legal regimes and failed under each. For firms that operate nationally, that coordination signals that a data-handling practice cannot be structured to satisfy one province while ignoring the others.

Why public availability is not a defense

The central operational lesson is that a webpage being public does not make the personal information on it free to collect for any purpose. Canadian law treats the appropriateness of the purpose and the reasonable expectations of the individual as separate questions from whether the data was technically reachable. A firm that ingests scraped or licensed data to build a model inherits the obligation to show a lawful basis for that collection. Buying a dataset from a vendor does not transfer that obligation away, because the responsibility attaches to the organization that uses the information, not only to the party that first gathered it.

This reasoning tracks the direction privacy regulators have taken elsewhere, and it lands on a practice that many AI developers have treated as routine. The volume of the collection did not help OpenAI's position. If anything, the regulators viewed the indiscriminate scale of the scraping, which pulled in whatever personal information happened to sit on the pages collected, as part of why the purpose failed the reasonableness test.

What the finding does not do

The finding is a regulator conclusion, not a court judgment or a fine. Under PIPEDA, the federal commissioner's findings take the form of recommendations rather than directly binding orders or monetary penalties. That distinction matters for how firms should read it. The document does not by itself impose a payment or shut down a service. What it does is establish the regulators' interpretation of the consent and appropriateness duties, which shapes future investigations and signals how similar practices will be assessed. The regulators also split on resolution: the federal commissioner deemed the matter conditionally resolved on the strength of OpenAI's remedial commitments, while British Columbia and Alberta found it unresolved, concluding that OpenAI cannot obtain valid consent for the scraped data under their stricter provincial statutes.

The cross-border angle

For US readers, the finding extends a line already visible internationally, including the Italian Garante's scrutiny of ChatGPT. US firms are squarely in scope where they have Canadian users, because the obligation attaches to the personal information of people in Canada regardless of where the company sits. The practical takeaway is consistent across these regimes: build a defensible record of why training data was collected, and secure express consent before touching sensitive categories.

Firms should not wait for an enforcement order to act. The appropriate response is to inventory data sources feeding AI systems, identify personal information collected on a public-availability rationale, and document a consent or reasonable-purpose basis for each.

Frequently Asked Questions

What did the Canadian regulators actually decide about ChatGPT?

In PIPEDA Findings #2026-002, released May 6, 2026, four regulators found that OpenAI's web scraping of personal information to train ChatGPT was inappropriate under PIPEDA and provincial law, and that express consent was required for sensitive information rather than consent implied from public availability.

Who is affected by this finding?

Any organization that trains or deploys AI using the personal information of people in Canada, including US firms with Canadian users. Compliance, legal, and product teams responsible for data sourcing should treat it as directly relevant.

Does the finding impose a fine on OpenAI?

No. Under PIPEDA, the federal commissioner's findings are recommendations, not directly binding orders or monetary penalties. The significance lies in the regulators' interpretation of the consent and appropriateness duties, which will guide future cases.

Can a firm rely on data being publicly available to justify using it for AI training?

No. The regulators held that public accessibility does not create implied consent and does not by itself satisfy the reasonable-purpose test. A firm must show that its collection purpose is appropriate and obtain express consent for sensitive data.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.