ChatGPT illegally shares chatbot queries, user IDs, and email addresses with Google and Meta, a new class-action lawsuit claims. However, the case is probably going nowhere, just like thousands of similar cases filed in California's legal wilderness.
Imagine uploading your tax returns to ChatGPT or asking the chatbot for financial advice based on your family’s situation. Of course, you believe these conversations are private.
According to a class action lawsuit filed on Wednesday in the US District Court for the Southern District of California, they’re not.
The lawsuit, filed in the name of plaintiff Amargo Couture, claims that OpenAI shares users’ ChatGPT queries and personal information with Meta and Google through online tracking technology – by embedding Facebook Pixel and Google Analytics tracking codes on the ChatGPT website.
These codes then automatically transmit the data in real time to the tech giants without users’ content.
Those chats aren’t private
This indeed sounds invasive. So much information is put into ChatGPT that some sources estimate the average company leaks confidential material to the chatbot hundreds of times per week.
“The same is true of individuals, who increasingly rely on ChatGPT to gather information and advice on their most personal issues,” the complaint states.
“As such, personal privacy on ChatGPT is an issue with broad implications for individuals’ control of their privacy and personal information.”
Millions of people are treating AI chatbots as trusted confidants. Users routinely share medical questions, legal dilemmas, financial details, and personal problems with tools like ChatGPT, Claude, Gemini, and Perplexity.
As a matter of fact, another proposed class-action complaint was filed in San Francisco federal court on April 1st, accusing Perplexity of embedding hidden trackers that transmit user conversations to Meta and Google.
The assumption is that those chats are private, but they’re not. However, this doesn’t actually mean you, the user, hadn’t agreed to OpenAI’s privacy policies that do permit some degree of data collection for model training, analytics, or product improvement.
Most users choose the default
According to Aras Nazarovas, an information security researcher at Cybernews, this is why the allegations are unlikely to hold up in court.
“Using Google Analytics and Facebook’s tracking pixels is very common across most websites, no matter the industry. These are industry standard services, even though they’re definitely not very privacy-friendly,”
Aras Nazarovas.
“Seems like a pretty weak case to me. OpenAI’s privacy policy does disclose that it shares your information with a ton of third parties, including advertisement partners,” Nazarovas said.
“Using Google Analytics and Facebook’s tracking pixels is very common across most websites, no matter the industry. These are industry standard services, even though they’re definitely not very privacy-friendly.”
If you agree to any AI company’s privacy policy, you cannot reasonably expect truly private AI, in other words.
Check if your data has been leaked
Private AI means the AI model processes your data in an environment only you control, on your own device, inside your company network, or through a vendor contractually blocked from training on your prompts. Most users choose the default mode, though, and that’s on them.
CIPA needs reforming, critics say
Besides, the elephant in the room is that all those cases are filed in California.
It’s truly a great place to file pretty meaningless “shakedown” lawsuits against businesses since that’s precisely what the California Invasion of Privacy Act (CIPA), a nearly 60-year-old law, allows.
Curious what others think about this story? Contribute your thoughts to the debate below.
CIPA, passed in 1967, meant to criminalize traditional wiretapping and eavesdropping, primarily in the context of landline telephone calls.
The law was never meant to wrangle the complexities of the digital age or regulate how businesses track user interactions on the internet, the Fresno Chamber of Commerce, a business advocacy group, recently pointed out in a press release.
“Plaintiffs’ attorneys are dusting it off in the modern era to challenge common website tracking tools,” the organization said.
“They’re alleging that certain online features such as search boxes and tracking technologies (like cookies and pixels) allow companies or their vendors to – using CIPA’s language – ‘intercept’ or ‘eavesdrop on’ user interactions without consent.”
The state’s business community is now supporting potential CIPA reform, driven by Senator Anna Caballero. She’s seeking to amend key provisions of CIPA to include a “commercial purpose” exception.
This would make it clear that routine website business practices, such as the use of session replay technology, chat features, or third-party analytics, do not constitute unlawful wiretapping or eavesdropping when used for legitimate commercial purposes.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked