Three years after the joint investigation began, Canada’s privacy regulators reached a conclusion that will matter well beyond OpenAI: collecting personal information through ordinary commercial channels (terms of service, account creation, website interaction) does not satisfy the valid consent standard under Canadian privacy law when that data is used to train AI models. The OPC’s final report makes this explicit.
Understanding why requires a short detour into what Canadian privacy law actually requires.
**What “Valid Consent” Means Under PIPEDA and Law 25**
Canada’s federal privacy framework, PIPEDA, requires that consent be meaningful, that the individual understand what they are consenting to, that the purpose be specific, and that consent be obtained at or before the time of collection. Quebec’s Law 25, which strengthened provincial requirements significantly in 2022 and 2023, adds additional specificity requirements and, for certain high-sensitivity uses, requires explicit rather than implied consent.
The gap that the OPC found in OpenAI’s practices isn’t subtle. When a user creates a ChatGPT account, they agree to terms of service. Those terms disclose that data may be used to improve the service. But “improving the service” is not the same as “training a large language model on your personal interactions.” The OPC’s finding holds that the latter requires its own specific disclosure and consent; the former doesn’t cover it.
This isn’t a novel legal theory. It’s the same logic that Canada’s regulators have applied to other data collection practices for years. What’s new is its application to AI training data at scale.
**The Consent Gap in AI Training, Why Standard Practices Fall Short**
Most AI companies building on commercially available data have used one of three approaches: passive collection from public web sources, account-based collection with terms-of-service consent, or licensed dataset acquisition. The OPC’s finding targets the second. It may reach the first.
Passive web collection raises its own consent questions under PIPEDA when the collected data includes personal information (names, contact details, personal communications posted publicly). The OPC has not yet ruled definitively on scraped public-web data, but the logic of the ChatGPT finding extends there. If the collection purpose (AI training) wasn’t disclosed at the point of collection, the consent argument is the same.
**AI Training Data Consent Exposure Assessment: Canadian Audit Checklist**
- Identify Canadian user personal information in training datasets
- Review consent docs for AI training purpose specificity
- Confirm consent obtained at or before collection
- Assess Quebec Law 25 requirements separately
- Document remediation steps before regulatory inquiry
Licensed dataset acquisition is the cleanest path, but only if the licensing chain includes a consent audit that traces back to the individuals whose data appears in the dataset. Many dataset licenses don’t. The legal exposure sits with the company that uses the dataset, not just the one that assembled it.
**Who Else Has This Exposure**
A framework for assessing exposure under the OPC’s consent theory requires three questions. First: does your training data include personal information as defined under PIPEDA (names, contact details, identification numbers, personal communications)? If yes, the consent question applies. Second: was consent obtained at or before the time of collection, with a purpose disclosure specific enough to cover AI training? If the disclosure said “improving our services” or similar, the answer is probably no. Third: is the data Canadian in origin (collected from individuals in Canada), or primarily from other jurisdictions?
The third question matters because PIPEDA applies to private-sector organizations collecting personal information about Canadians in the course of commercial activity. A US-based AI company that collected data from Canadian users through a commercial product has PIPEDA exposure on that data, regardless of where the company is headquartered.
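The three-question framework above can be sketched as a simple triage function. This is an illustrative sketch only: the field names, ordering, and result labels are assumptions for demonstration, not criteria drawn from the OPC report, and none of it is legal advice.

```python
from dataclasses import dataclass

# Hypothetical triage sketch of the three-question exposure framework.
# All field names and result labels are illustrative assumptions.

@dataclass
class Dataset:
    contains_pipeda_personal_info: bool  # names, contact details, IDs, communications
    consent_before_collection: bool      # consent obtained at or before collection
    purpose_named_ai_training: bool      # disclosure specifically covered AI training
    includes_canadian_users: bool        # data collected from individuals in Canada

def consent_exposure(ds: Dataset) -> str:
    # Q1: PIPEDA only reaches personal information.
    if not ds.contains_pipeda_personal_info:
        return "out of scope: no PIPEDA personal information"
    # Q3: PIPEDA applies to data about individuals in Canada.
    if not ds.includes_canadian_users:
        return "low: no Canadian-origin data identified"
    # Q2: consent must be timely AND purpose-specific to AI training.
    if ds.consent_before_collection and ds.purpose_named_ai_training:
        return "lower: specific, timely consent documented"
    return "high: consent gap matching the OPC's ChatGPT finding"

# Example: account-based collection under generic "improve our services" terms.
ds = Dataset(True, True, False, True)
print(consent_exposure(ds))  # prints "high: consent gap matching the OPC's ChatGPT finding"
```

The point of the sketch is the ordering: scope questions (personal information, Canadian origin) come before the consent-quality question, which is where the OPC found OpenAI's gap.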
The practical implication: any AI company that has trained on data collected from Canadian users through a consumer product, with consent obtained through standard terms of service, may have the same legal exposure that the OPC just confirmed against OpenAI. The OPC has not announced an investigation sweep. But the finding creates a documented theory of liability that plaintiffs, provincial regulators, and class action counsel will read carefully.
**What OpenAI Committed To, and What Remains Unresolved**
OpenAI reportedly committed to providing transparency updates within three to six months of the OPC’s finding, with quarterly compliance reports to follow. The specific technical changes required (whether retroactive consent collection, data deletion, a training data audit, or something else) were not detailed in the published report. CTV News coverage of the finding noted the preliminary nature of the commitments.
This matters for two reasons. First, the specifics of OpenAI’s remediation will establish a de facto standard for what valid AI training consent compliance looks like in Canada. Other companies will model their own remediation programs on whatever the OPC accepts from OpenAI. Second, the quarterly reporting commitment creates a public accountability mechanism. If OpenAI’s compliance submissions become publicly available, they’ll be among the most detailed records of what AI training data consent compliance actually requires in practice.
**Analysis**
The OPC's finding is unusually consequential as a standard-setter. OpenAI's remediation commitments will define what the regulator accepts as compliant. Every AI company with Canadian exposure should watch those quarterly reports closely.
**The Cross-Jurisdictional Pattern**
Canada doesn’t stand alone. Italy suspended ChatGPT in 2023 before accepting OpenAI’s compliance commitments. The EU’s GDPR, as applied to AI training data, has generated investigations across multiple member states. Japan’s APPI amendment, covered in a prior TJS brief, extended consent requirements for sensitive data. Japan’s APPI update and the Canadian OPC finding now form a pair: two distinct consent frameworks in non-EU jurisdictions reaching similar conclusions about standard AI training practices.
The US remains the outlier. No federal privacy framework comparable to PIPEDA exists. But the cross-jurisdictional convergence creates practical compliance pressure for US-based AI companies regardless, because any company operating globally cannot design separate training pipelines for each jurisdiction. The consent standard that applies in the most restrictive relevant jurisdiction tends to set the practical floor.
**Compliance Action Checklist**
For AI companies with Canadian market exposure, five steps are worth taking before the OPC’s remediation guidance crystallizes around OpenAI’s case:

- Identify Canadian user data in training datasets, specifically personal information as PIPEDA defines it.
- Review consent documentation for AI training purpose specificity.
- Map your collection timeline to confirm consent was obtained before collection, not retroactively.
- Assess Quebec Law 25 requirements separately; they exceed PIPEDA in several areas.
- Document any remediation steps now, before any regulatory inquiry arrives.

The company that arrives at an OPC inquiry with documented good-faith compliance steps is in a materially different position than one that doesn’t.
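The last step, documenting remediation before any inquiry arrives, is easiest to act on if each step leaves a timestamped record. A minimal sketch of such an audit trail, assuming a simple append-only JSON Lines file (the record fields and file name are illustrative, not a format prescribed by any regulator):

```python
import json
from datetime import datetime, timezone

# Illustrative sketch: append a timestamped compliance-step record to an
# audit file. Field names and the file format are assumptions for demonstration.

def log_remediation_step(step: str, detail: str,
                         path: str = "consent_audit.jsonl") -> dict:
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "step": step,        # e.g. "consent-doc-review", "law25-assessment"
        "detail": detail,
        "frameworks": ["PIPEDA", "Quebec Law 25"],
    }
    with open(path, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record

record = log_remediation_step(
    "consent-doc-review",
    "Terms of service reviewed; no AI-training-specific purpose disclosure found.",
)
```

An append-only log with timestamps is a deliberate choice here: it makes the sequence of good-faith steps reconstructible after the fact, which is exactly what a company would want to show a regulator.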
The OPC finding is a final report, not a court judgment. OpenAI cannot appeal it in the same way a court ruling could be appealed. What it can do, and reportedly is doing, is commit to compliance. That path is available to every AI company in the same position. Taking it proactively, before an investigation begins, is almost always less costly than taking it after.