Lawsuit: Hidden Data Transfer Directly from ChatGPT

The court filing, first reported by Analytics Insight, provides a detailed description of how the data collection allegedly took place. The plaintiff claims that OpenAI embedded tracking codes — Facebook Pixel from Meta and Google Analytics — into the ChatGPT web interface. These tools are commonly used on ordinary websites to track traffic and target advertising, but their presence in an environment where users enter sensitive personal information is, according to security experts, highly problematic.

According to the lawsuit, not only the text of the queries was transferred, but also account identifiers and email addresses. If a user was simultaneously logged into their Facebook or Google account while using ChatGPT, there is a real possibility that these conversations were directly linked to their real identity. This means that queries related to health issues, financial problems, or personal relationships could have ended up in the hands of the two largest advertising companies in the world.

How Facebook Pixel and Google Analytics Work

For uninvolved readers, it is worth explaining what these tools are. Facebook Pixel is a small fragment of code that websites place in their source. When the page loads, this code sends Meta information about what the user is doing — for example, which pages they view, what they write into forms, or which products they browse in an e-shop. Google Analytics works similarly, tracking visitor behavior and helping website owners optimize content.

On a standard corporate website or e-shop, this is standard and legal practice, provided the user has the option to consent. In the case of an AI chatbot, where people routinely enter very personal data, however, deploying these tools without clear and explicit consent is, according to security experts, ethically and legally questionable. "ChatGPT users have a reasonable expectation that their conversations will remain between them and the artificial intelligence," comments one American lawyer specializing in digital privacy.

Impact on the Privacy of Millions of Users

ChatGPT is now used by over 500 million active users weekly worldwide, including tens of thousands of Czechs. The platform has become a place where people come not only with technical questions but also with very intimate topics — health issues, financial problems, family conflicts, or work-related stress. It is this trust in anonymity and privacy that the lawsuit alleges has been abused.

Particularly concerning is the fact that if the data was actually tied to specific users through their Meta or Google account logins, it could theoretically be used for advertising targeting based on the content of AI conversations. This means that if a user wrote to ChatGPT about debt problems, they might start seeing ads for loans or consultations with insolvency administrators on Facebook or in Google services.

OpenAI's Position and Legal Defense

OpenAI has not yet officially commented on the lawsuit. The court case does not yet have a set date for the first hearing. Lawyers expect the company to appeal to its privacy policy, which contains provisions on sharing data with third parties. This "fine print" may, according to experts, be OpenAI's key line of defense.

"OpenAI's legal team will likely emphasize that users agreed to the terms of use upon registration," explains one commentator. "The question remains, however, whether this consent was truly informed and whether users understood the extent of data collection in the context of AI chats."

Broader Context: Perplexity and Pressure on the Entire Industry

OpenAI is not alone in this case. According to Analytics Insight, a similar case was filed against Perplexity AI, a competing AI search platform, a few weeks ago. This suggests that the problem of inadequate privacy protection in generative AI may be systemic, not isolated.

Courts and regulators in the United States and Europe are beginning to send a clear signal: technological progress must not come at the expense of fundamental human privacy. The pressure for transparency in data collection and processing in AI systems is growing, and developers will increasingly have to prove that they respect users' rights.

Is This Being Recorded in Europe Too? GDPR and the AI Act

For Czech and European users, it is crucial that strict legislation applies to data protection in the European Union. The General Data Protection Regulation (GDPR) requires explicit consent for the processing of personal data and gives users the right to know how their data is used. If it were proven that OpenAI collected sensitive conversations and passed them on to Meta or Google without clear and informed consent, it could mean a GDPR violation with potential sanctions in the millions of euros.

In addition, the EU AI Act has come into force, placing additional obligations on operators of AI systems regarding transparency and the protection of fundamental rights. AI models must ensure that the processing of personal data takes place in accordance with European regulations. The Czech Office for Personal Data Protection (ÚOOÚ) has previously warned that chatbots processing personal data are subject to the same rules as any other digital service.

How to Protect Your Chats: Practical Steps for Users

Although the court case may drag on for months or years, there are steps ChatGPT users can take today to minimize the risk of sensitive data leaks:

• Use your browser's private mode when working with ChatGPT to minimize linking with existing cookies from Meta and Google.
• Log out of Facebook and Google in other browser tabs before using ChatGPT.
• Do not enter personal data into chats — credit card numbers, birth numbers, passwords, or health diagnoses should not be entered into AI chats at all.
• Use the "Temporary Chat" feature in the paid version of ChatGPT Plus, if OpenAI offers it for conversations that should not be saved.
• Consider alternatives — European or local models that may offer stricter data protection.

Security experts repeatedly warn that conversations with public cloud AI services should always be understood as potentially monitored. "If you don't want something to appear on the front page of a newspaper, don't write it into ChatGPT," summarizes one Czech cybersecurity expert.

What Lies Ahead: A Precedent for the Entire AI Industry

This case could have far-reaching consequences. If the court finds the lawsuit justified, it could open the door to thousands of similar cases against OpenAI and other AI service providers. For the entire industry, this would mean the need for a transparent audit of data flows and clearer rules for data collection in AI applications.

The message for Czech users is clear: although AI tools like ChatGPT offer enormous value, it is not possible to blindly believe that all conversations will remain private. Protecting personal data in the age of artificial intelligence requires not only better regulation but also informed and cautious users.