What the OPC's ChatGPT Ruling Means for Your Canadian Business
Canada's federal and provincial privacy regulators found that OpenAI collected personal information without valid consent and gave people no real way to correct or delete it. Here's what the ChatGPT finding actually changes for a business using AI.
On May 6, 2026, Canada's privacy regulators dropped a finding that every business using AI should read. The federal Office of the Privacy Commissioner, together with the authorities in Quebec, British Columbia and Alberta, concluded that OpenAI collected personal information to train ChatGPT without valid consent, couldn't clearly account for what it held about individual Canadians, and offered no meaningful way for people to correct or delete their data. The ruling is about OpenAI. The lesson lands on all of us.
Here's the part worth sitting with: the regulators didn't say AI is illegal, or that scraping the web is off-limits by default. They said the ordinary rules — consent, purpose, access, correction — still apply when the output is a model instead of a mailing list. That's the whole story, and it's more useful to your business than the headline.
What Did the Regulators Actually Find?
The joint investigation looked at how ChatGPT was built and run in Canada, and three problems stood out.
- Collection without valid consent. OpenAI scraped enormous volumes of web content — much of it containing personal information — to train its models, without a consent mechanism that Canadian law would recognize. The regulators rejected the idea that "publicly accessible" means "free to take."
- A transparency gap. When people asked what ChatGPT knew about them, OpenAI often couldn't give a clear, reliable answer. If you can't say what personal information you hold, you can't really protect it or honour a request about it.
- No real correction or deletion path. People had no meaningful way to fix wrong information a model produced about them, or to have their data removed. Under Canadian privacy law, those aren't optional courtesies.
None of this is exotic. Strip away the word "AI" and you have a textbook consent-and-access problem. The regulators simply refused to let the technology be an excuse.
Does This Ruling Apply to a Business Like Mine?
You're not OpenAI, so the direct finding isn't aimed at you. The reasoning behind it is. Any time your organization collects personal information to build, train, fine-tune or feed an AI system, you need a valid legal basis, and if you're relying on consent, it has to be meaningful — informed, specific, and not buried in a wall of terms nobody reads.
Two situations catch most Canadian businesses:
- You're training or customizing a model on your own data. Support transcripts, customer records, CRM notes. If that data holds personal information — it almost always does — your original consent has to actually cover using it to build AI. "We collect data to provide our service" usually doesn't stretch that far.
- You're using a third-party tool like ChatGPT. Here the risk flips. You may be feeding personal information into someone else's system every time an employee pastes a client email or a candidate's résumé into a chat window. Where does it go, is it used for further training, and can you honour an access request for it later?
Mapping those flows is the unglamorous work that keeps you out of trouble, and it's the starting point of any real AI governance practice. Our State of Canadian AI Compliance 2026 report found that most organizations can't confidently list which AI tools their staff are already using — and you can't govern what you can't see.
Can I Still Use ChatGPT After This?
Yes. Nothing in the finding bans ChatGPT or its competitors in Canada. What it does is raise the bar on how carefully you use them. A few practical guardrails:
| Do | Avoid |
|---|---|
| Use enterprise or API tiers with clear data-handling terms | Pasting client or employee data into consumer chat tools |
| Turn off training-on-your-inputs where the option exists | Assuming your prompts are private by default |
| Write a short internal AI-use policy staff can follow | Letting every team pick its own tools with no oversight |
| Keep a list of which AI tools touch personal information | Treating "it's just a chatbot" as a reason to skip review |
The mistake we see most often isn't a company doing something reckless on purpose. It's a well-meaning employee dropping a spreadsheet of customer details into a free tool to "clean it up quickly," with no idea where that data now lives.
What Should You Actually Do This Quarter?
You don't need a governance department to respond well. Start here:
- Find the AI already in use. Ask around, check expenses, look at browser extensions. Shadow AI — tools adopted without approval — is where most of the exposure hides.
- Know your data flows. For each AI tool that touches personal information, write down what goes in, where it lives, and whether it feeds further training.
- Fix consent and purpose. If you're training on customer data, confirm your privacy notice and consent actually cover it. If they don't, either update them properly or stop using that data for AI.
- Give people a way in. Make sure someone can answer "what do you hold about me, and can you correct or delete it?" — the exact question OpenAI stumbled on.
- Write it down. A one-page record per AI system — purpose, data, oversight — is worth more than a binder nobody opens.
The Real Takeaway
The OpenAI finding isn't a warning about ChatGPT specifically. It's Canada's regulators stating plainly that AI doesn't get its own rulebook. Consent, purpose, transparency, and the right to correct or delete — the same principles that governed a mailing list in 2005 — govern a model in 2026. Businesses that internalize that now will find the next ruling, and the one after, a lot less alarming.
This article is general information, not legal advice; how these rules apply depends on your specific systems, data, and where you operate.
At Canuckt, we built Valdra to make this visible instead of theoretical — a place to record which AI systems your business uses, what personal information they touch, and how consent and oversight are handled, so a question from a regulator or a customer has a real answer waiting.
Frequently asked questions
What did the OPC find about ChatGPT?+
In a joint investigation published on May 6, 2026, Canada's federal privacy commissioner and the regulators of Quebec, British Columbia and Alberta found that OpenAI scraped large volumes of personal information from the web to train ChatGPT without valid consent, couldn't reliably explain what it held about individuals, and gave people no meaningful way to correct or delete their data.
Does the ChatGPT ruling apply to my business?+
The finding is about OpenAI, not your company. But its reasoning applies to everyone: if you collect personal information to build or feed an AI system, you still need a valid legal basis, and consent has to be meaningful. Using a tool that was trained improperly can also pull your own use of it into question.
Can I still use ChatGPT for my business after this ruling?+
Yes. The finding doesn't ban ChatGPT in Canada. It does mean you should be careful about what personal information you put into it, check the data-handling terms of the enterprise or API tier you use, and avoid pasting client or employee information into consumer chat tools without a clear basis and safeguards.
What is the main compliance lesson from the OpenAI finding?+
Consent and purpose still govern AI. You can't treat 'it's for AI training' as a free pass to collect or repurpose personal information. Know what data feeds your models, why you're allowed to use it, and how a person could ask to see, fix or remove it.
Is scraping public data for AI legal in Canada?+
Not automatically. Canadian regulators have been clear that information being publicly accessible online does not make it free to collect and reuse. Personal information stays personal information, and PIPEDA's consent and purpose rules — plus Quebec's Law 25 — still apply to it.
Protect your data before sending it to AI.
Shielk automatically redacts PII from your content — so your team can use AI tools safely.
Try Shielk Free