Canadian regulators rule OpenAI violated federal and provincial privacy laws in AI training
OpenAI agrees to retire non-compliant models and implement new filtering tools following an investigation intensified by a safety failure in Tumbler Ridge.
Canadian regulators have formally determined that OpenAI breached federal and provincial privacy legislation regarding the training of its artificial intelligence models. The Privacy Commissioner of Canada, Philippe Dufresne, alongside counterparts in Alberta, Quebec, and British Columbia, concluded that the company failed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and related provincial laws.
The core of the investigation centred on OpenAI's data collection practices. Regulators found that the company gathered vast amounts of personal information without adequate safeguards to prevent its use in model training and failed to acquire proper consent from individuals whose data was involved. Furthermore, the inquiry highlighted that users were provided with no mechanism to access, correct, or delete the personal details used to train the systems.
While OpenAI's ChatGPT interface includes warnings stating that user interactions may be used for training, the regulators noted this does not cover third-party data purchased or scraped by the company. This data often contains personal details that individuals are likely unaware of, compounding the lack of transparency and control for affected users.
The investigation, which was opened in 2023, saw its scope and urgency significantly intensified following a mass shooting in Tumbler Ridge in February 2026. In that incident, OpenAI reportedly failed to escalate safety warnings from an alleged shooter to law enforcement, despite having flagged the account in 2025 for threats of real-world violence.
In response to these findings, OpenAI has agreed to retire non-compliant models immediately. The company has also committed to implementing filtering tools designed to detect and mask personal information, such as names and phone numbers, within publicly accessible internet data and licensed datasets used for training.
Looking ahead, OpenAI has agreed to introduce new user notices within three to six months to clarify how chats are used for training and to improve data export tools. The company also plans to confirm strong protections for future retired datasets and test measures to protect the minor relatives of public figures from having their names or dates of birth shared by the models.
