OpenAI

ChatGPT Sites: Complying with data protection laws

Understand your data protection responsibilities when creating and operating a ChatGPT Site.

Updated: 3 hours ago

Complying with data protection laws

Some countries or regions, including the EU, the United Kingdom, Brazil, and certain U.S. states, have laws that protect information about individuals and place obligations on people and organisations who collect and use “personal data” or “personal information.” For example, the EU and the UK have the General Data Protection Regulation (GDPR) which protects the “personal data” of people who reside in those regions.

When you build a website or app (“Site”) using our services, you may need to comply with the GDPR and other similar data protection laws and regulations. For example, you might need to comply with the GDPR if:

  • You are based in the UK or EU.

  • Your Site will have users in the UK or EU.

This article is intended to help you comply with your obligations under data protection laws. However, please note that this isn’t legal advice and is provided for informational purposes only. We recommend that you seek your own legal advice to understand your obligations under any laws that may apply to you, depending on where you and your Sites’ visitors are located.

Your role under data protection laws

If your Site collects or otherwise processes personal data from visitors, you are responsible for deciding why and how that information is used and for complying with applicable privacy and data-protection laws. Under the ChatGPT Sites Terms, you are the data controller of End User Data collected through your Site. Personal data can include names, email addresses, profile information, posts or comments, photos, and online or device identifiers. ChatGPT Sites must not process Protected Health Information or payment-card data.

Data protection laws place various obligations on data controllers. We have provided an overview of these obligations below.

Our role under data protection laws

Most of the time when you use OpenAI’s services as a user, OpenAI is the data controller, and so is responsible for complying with data protection laws in relation to your personal data, in accordance with our Privacy Policy.

By using Sites, you instruct OpenAI to process End User Data as needed to provide and operate your Site. Where applicable, OpenAI processes that data under the OpenAI Data Processing Addendum or the Data Processing Addendum signed by your organization and OpenAI. Review the agreement and DPA that apply to your account.

An overview of obligations

Data protection laws like the GDPR place obligations on parties processing personal data (controllers and processors) and also grant rights to individuals whose personal data is being processed. We have provided an overview below of the key things to think about when operating your Site, to help you comply. However, this is not a comprehensive guide to the GDPR or other relevant data protection laws.

  1. Providing notice: You should have a visible Privacy Policy on your Site explaining what data you collect, how you use it, and how people can control it. See How to prepare a Privacy Policy for more detailed guidance. You should also make sure you only use people’s personal data in a way they would expect. If you think they might not expect you to use their personal data in a particular way, consider adding an extra notice on the Site, in a place where people are more likely to see it.

  2. Giving people choices: You should give people as much choice as possible about what personal data is collected on the Site and how it is used. In some cases, you should ask for opt-in consent, such as asking the individual to tick a box or move a toggle. This list is not exhaustive, and there will be other situations where you should also ask for consent. If your Site allows users to post information publicly, this should be very clear to users when they post. For example, we recommend you ask people to specifically opt-in if you want to:

    • Send them email marketing

    • ChatGPT Sites must not process Protected Health Information or payment-card data. If your Site processes other sensitive personal data, make sure the processing is within the visitor’s reasonable expectations and obtain express opt-in consent when required by applicable law.

    • Set cookies on your Site, unless the cookies are strictly necessary for the Site to function (see below).

  3. Data minimisation: You should only collect the personal data that you need for the Site to work. If you don’t need someone’s address, gender, or data of birth, you should not ask for it. Also, you should not keep personal data for longer than you need. Think about how long you need to keep the data for in order to operate your Site, and then delete it after that date.

  4. Data security and personal data breaches: Use appropriate security measures for your Site and for any other system where you store information collected through it. OpenAI’s breach-notification obligations are governed by the agreement and Data Processing Addendum that apply to your account. You are responsible for determining whether you must notify affected individuals, regulators, or other authorities.

  5. Data Subject Rights: Privacy laws may give individuals rights to access, correct, delete, restrict, object to, or receive a copy of their personal data. Provide a clear way for Site visitors to submit requests, and respond within the deadlines required by the laws that apply to you.

  6. Data transfers: Privacy laws may restrict transfers of personal data across countries or regions. Review the hosting and residency information for Sites and the agreement and Data Processing Addendum that apply to your account. ChatGPT Sites does not support data residency or inference residency at launch. Do not assume a particular hosting country or transfer mechanism without checking the terms that apply to you.

  7. Cookies and similar tracking technologies: If your Site uses non-essential cookies or similar tracking technologies, you may need to obtain consent before placing or reading them. Requirements vary by location, so review the rules that apply to you and your visitors.

  8. Children’s data: If your Site is directed at children under 18, you should be particularly careful about any data protection or privacy risks, as children have special protection under the law. A number of data protection authorities and other regulators have published additional guidance to help online services directed at children, which we recommended you review. Note that under the ChatGPT Sites Terms, you may not create a Site that targets or is designed for children under 13 or under the applicable age of digital consent.

Was this article helpful?