What Canada's ChatGPT privacy ruling means for small business

Canada's privacy regulators have ruled that OpenAI trained ChatGPT on Canadians' personal information without valid consent. The finding is aimed at OpenAI, but the lesson lands squarely on any business that now runs customer or staff data through AI tools.

On May 6, 2026, the Office of the Privacy Commissioner of Canada, together with the privacy regulators of Quebec, British Columbia, and Alberta, published the results of a joint investigation into OpenAI. They concluded that the way ChatGPT was first built and trained did not comply with Canadian privacy law. This is a plain-language summary of what they found and, more usefully for a small business, what it changes for you.

What the regulators found

The four regulators looked at how OpenAI collected the data used to train ChatGPT, and reached a clear conclusion: the company scraped large amounts of personal information from the public internet, including sensitive material like health information, political views, and children's data, without getting valid consent. The headline principle is the one every business should take away: information being publicly accessible online does not mean you have consent to collect and use it.

The regulators also flagged weak transparency (people could not reasonably know their data was being used to train an AI model), factual inaccuracies about real people, and gaps in letting individuals access or correct their information. The OPC found the complaint well-founded and conditionally resolved; the BC and Alberta regulators, whose laws are more explicit on consent, found it well-founded but unresolved. OpenAI has since limited the personal and sensitive data it uses to train new models.

Why this matters for a small business

You are not OpenAI, and nobody is investigating your shop for scraping the internet. But the ruling sets the regulator's expectations for everyone, and three of them reach directly into a small business:

  • "It was already public" is not a defence. If you collect personal data, from a website, a list you bought, or a tool that gathers it, you still need a lawful basis and consent. The same logic applies to feeding personal information into an AI tool.
  • Putting customer or employee data into ChatGPT is now a privacy problem, not just a security one. When a staff member pastes a client list, a contract, or HR details into a public chatbot, that is a collection and disclosure of personal information you are accountable for under PIPEDA.
  • Accountability is on you. Regulators expect documented policies on what data goes where, how long it is kept, and who is responsible, before the tool is in daily use, not after a complaint.

In other words, this is the regulatory weight behind the shadow AI risk we wrote about: quietly pasting sensitive data into chatbots is no longer just a leak waiting to happen, it is a privacy-law exposure with named regulators now acting on AI.

The provincial catch

The investigation showed something important about Canada's patchwork: British Columbia, Alberta, and Quebec have private-sector privacy laws that are stricter than the federal PIPEDA, especially on consent. The same conduct the OPC called "conditionally resolved" was left unresolved by BC and Alberta because their statutes set a higher bar. If you have customers or staff in those provinces, or in Quebec under Law 25, you are held to the tougher standard, not the federal floor. For a small business, that simply reinforces the safe default: collect less, be clear about why, and get real consent.

Sources:
  • Office of the Privacy Commissioner of Canada, "Joint investigation by Canadian privacy regulators into OpenAI's ChatGPT leads to better protections for Canadians' personal information"
  • MLT Aikins, "Practical takeaways from landmark privacy investigation into OpenAI's ChatGPT"
