OpenAI Global LLC is defending against a class-action lawsuit filed in the Southern District of California that accuses the company of embedding Meta's Facebook Pixel and Google Analytics tracking code into ChatGPT's web interface, allegedly transmitting users' sensitive conversations to advertising platforms without authorization. California resident Amargo Couture filed the complaint on behalf of all U.S. ChatGPT.com users, claiming OpenAI disclosed chat topics, user identifiers, and contact details to Meta and Google in violation of the federal Electronic Communications Privacy Act (ECPA), California's Invasion of Privacy Act (CIPA), and state constitutional privacy protections.
The lawsuit centers on how ChatGPT handles highly sensitive user data. Users routinely discuss confidential topics including financial matters, health concerns, and legal issues through the platform, with some estimates indicating a significant portion of company data entered into ChatGPT is confidential. Plaintiffs argue users had a reasonable expectation these conversations would remain private between themselves and OpenAI, not be transmitted to third-party advertising technology platforms.
According to the complaint, Facebook Pixel code embedded in ChatGPT's web pages triggers silent HTTP requests to Facebook servers during each user interaction, allegedly capturing browser tab titles derived from queries (such as "Super Bowl 2005 Winner") along with cookies including c_user, fr, and fbp that link back to specific Facebook accounts. Meta's documentation is cited to show this telemetry feeds into Core Audiences, Custom Audiences, and Lookalike Audiences systems for targeted advertising across Facebook and Instagram. On Google's side, the suit alleges Google Analytics captures hashed email addresses from ChatGPT sign-ups, device identifiers, and Google Signals cookies that map activity to logged-in Google profiles, enabling cross-device tracking and remarketing based on ChatGPT usage.
The legal theory asserts OpenAI "intentionally installed wiretaps" by embedding these tracking scripts, enabling third-party interception of electronic communications in transit. Under ECPA, plaintiffs characterize each ChatGPT interaction as an electronic communication, with copying to Meta and Google via client-side JavaScript constituting unlawful interception. Under CIPA, the tracking pixels, cookies, and associated servers are described as instruments used to read communication contents and eavesdrop on confidential sessions without all-party consent. The proposed nationwide class seeks statutory damages up to $5,000 per violation for California residents, plus injunctive relief to remove tracking integrations.
Security and privacy teams should treat this case as a warning about instrumenting AI interfaces with standard marketing analytics. Embedding generic tracking pixels into tools handling sensitive, free-form text creates potential surveillance channels that courts may classify as wiretaps. Organizations using commercial language model interfaces or building their own should immediately audit telemetry implementations, review cookie consent flows, and examine data-sharing contracts to ensure AI conversations are not leaking into advertising ecosystems through legacy web-tracking configurations.
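One way to start the telemetry audit described above is to export a HAR capture of a browser session and check which third-party requests carry page-derived text or account-linking cookies. The script below is an added example, not code from the complaint or the source article. The first-party domain `chat.example`, the tracker host list, the `title` query parameter, and the sample capture are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed audit scope (not from the complaint): domains treated as ad-tech endpoints.
TRACKER_HOSTS = ("facebook.com", "google-analytics.com")
# Cookie names the complaint lists; a leading underscore is ignored when matching.
ID_COOKIES = {"c_user", "fr", "fbp"}

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def audit_har(har, first_party, sensitive_strings):
    """Return one finding per third-party tracker request that carries
    page-derived text or cookies that link to a user account."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        host = url.hostname or ""
        if in_domain(host, first_party) or not any(in_domain(host, t) for t in TRACKER_HOSTS):
            continue
        # Text leaving the page: decoded query values plus any POST body.
        sent = [v for _, v in parse_qsl(url.query)]
        sent.append(req.get("postData", {}).get("text", ""))
        leaked = sorted(s for s in sensitive_strings
                        if any(s.lower() in v.lower() for v in sent))
        cookies = sorted(c["name"] for c in req.get("cookies", [])
                         if c["name"].lstrip("_") in ID_COOKIES)
        if leaked or cookies:
            findings.append({"host": host, "leaked_text": leaked, "id_cookies": cookies})
    return findings

# Constructed HAR fragment (HAR 1.2 field names); all URLs and values are sample data.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://chat.example/backend/conversation", "cookies": [],
                 "postData": {"text": "Super Bowl 2005 Winner"}}},
    {"request": {"url": "https://www.facebook.com/tr?ev=PageView&title=Super+Bowl+2005+Winner",
                 "cookies": [{"name": "c_user", "value": "x"}, {"name": "fr", "value": "y"}]}},
    {"request": {"url": "https://www.google-analytics.com/g/collect?dt=Settings",
                 "cookies": [{"name": "_ga", "value": "z"}]}},
]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR, "chat.example", ["Super Bowl 2005 Winner"]):
        print(finding)
```

A real audit would pass strings typed into a test conversation as `sensitive_strings` and load the HAR with `json.load`; an empty result for a capture only shows that those exact strings were not sent in clear form.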
Source: https://cybersecuritynews.com/openai-chatgpt-privacy-lawsuit/


