OpenAI Sued Over ChatGPT Data Sharing with Google and Meta
Key Takeaways OpenAI is facing a class-action lawsuit alleging unauthorized sharing of ChatGPT user data with Meta and Google. The complaint claims sensitive user conversations, identifiers, and...
Key Takeaways
- OpenAI is facing a class-action lawsuit alleging unauthorized sharing of ChatGPT user data with Meta and Google.
- The complaint claims sensitive user conversations, identifiers, and contact details were transmitted to third-party ad platforms without consent.
- The lawsuit cites violations of the federal Electronic Communications Privacy Act (ECPA) and California’s Invasion of Privacy Act (CIPA).
- If successful, the litigation could lead to significant statutory damages and reshape how AI platforms handle user data and integrate tracking technologies.
OpenAI Accused of Covert Data Sharing in New Lawsuit
OpenAI Global LLC is currently embroiled in a class-action lawsuit filed in the Southern District of California, alleging that the company secretly integrated Meta’s Facebook Pixel and Google Analytics into its ChatGPT web interface. This integration, the lawsuit claims, transformed private chatbot conversations into valuable tracking data for online advertising networks.
Table Of Content
The complaint, initiated by California resident Amargo Couture on behalf of all U.S. users who have interacted with ChatGPT.com, asserts that OpenAI disclosed users’ chat topics, personal identifiers, and contact information to Meta and Google without explicit consent. This alleged conduct is cited as a breach of the federal Electronic Communications Privacy Act (ECPA), California’s Invasion of Privacy Act (CIPA), and state constitutional privacy protections.
The legal document highlights that ChatGPT is frequently utilized for discussions involving “sensitive and personal topics,” including financial matters, health concerns, and legal issues. It further suggests that a substantial portion of proprietary company data entered into ChatGPT is confidential.
Users, the lawsuit argues, held a reasonable expectation that their interactions with the AI would remain private and not be disseminated to external ad technology platforms. This legal challenge emerges amidst a growing number of privacy and copyright disputes targeting generative AI technologies, following previous lawsuits that questioned OpenAI’s data collection and training methodologies.
Allegations Against Meta’s Facebook Pixel
The lawsuit details how the Facebook Pixel code, embedded within ChatGPT’s web pages, allegedly initiates silent, real-time HTTP requests to Facebook’s servers with every user interaction. These requests are said to include contextual information derived from the chat, such as a browser tab title like “Super Bowl 2005 Winner” originating from a user query. Crucially, the requests also reportedly contain cookies, including c_user, fr, and fbp, which can be linked to a specific Facebook account via the user’s Facebook ID.
Meta’s own documentation is referenced in the complaint to assert that this telemetry data is subsequently fed into its “Core Audiences,” “Custom Audiences,” and “Lookalike Audiences” systems. This process, it is claimed, facilitates highly granular advertising targeting across Facebook and Instagram platforms.
Allegations Against Google Analytics and Ads
Regarding Google, the complaint posits that Google Analytics and associated Google Ads tags capture hashed email addresses used for ChatGPT sign-ups or logins. Additionally, device and browser identifiers, along with other Google Signals cookies, are allegedly collected to map user activity to logged-in Google profiles.
The legal filing includes sample network traces that reportedly show event payloads where a hashed email address appears under an “em” field, alongside cookies such as Secure-3PSID, which are linked to Google account identities.
Google Analytics is then accused of augmenting this data with cross-device behavior patterns, demographic signals, and remarketing capabilities. This, the lawsuit contends, enables OpenAI and Google to retarget users based on their ChatGPT activity and integrate these events into broader advertising and analytics products.
Legal Framework and Potential Impact
Substantively, the lawsuit contends that OpenAI “intentionally installed wiretaps” on ChatGPT.com by embedding Meta and Google tracking scripts, thereby facilitating third-party interception of user communications. Under ECPA, the plaintiffs argue that each ChatGPT interaction constitutes an “electronic communication,” and transmitting these communications to Meta and Google via client-side JavaScript and tracking pixels qualifies as an unlawful interception, disclosure, and use.
Under CIPA Sections 631 and 632, the Meta Pixel and Google Analytics tags, along with their associated cookies and servers, are characterized as “machines, instruments, or contrivances” used to read or observe the content of communications and to eavesdrop on confidential sessions without the consent of all parties involved.
The proposed nationwide class encompasses all U.S. residents whose personally identifiable information (PII) and ChatGPT communications were allegedly disclosed to third parties through the website. A California subclass is seeking statutory damages under CIPA, potentially amounting to up to 5,000 USD per violation.
The plaintiffs are also seeking injunctive relief, which would compel OpenAI to remove or redesign its tracking integrations and prohibit further disclosure of chatbot-derived data to ad technology partners. If certified and successful, this case could expose OpenAI to significant statutory damages and effectively subject browser-based tracking of AI chats to the same legal scrutiny currently applied to health-site pixels and session-replay scripts, which have recently faced aggressive enforcement and litigation.
For cybersecurity and privacy professionals, these allegations underscore critical considerations regarding the instrumentation of AI front-ends. The embedding of generic marketing pixels and analytics tags into AI tools that process highly sensitive, free-form text may inadvertently create unexpected surveillance channels that regulators and courts could interpret as wiretaps. The detailed network captures presented in the complaint, from tab titles to cookie values, provide a clear indication of how plaintiffs’ experts are now scrutinizing AI platforms for covert data flows to third-party domains. Organizations deploying commercial Large Language Model (LLM) front-ends or developing their own should anticipate similar examinations and urgently reassess their telemetry, cookie consent mechanisms, and data-sharing agreements to ensure that sensitive AI conversations are not inadvertently leaking into advertising ecosystems due to outdated web-tracking configurations.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.