#141. ⚠️ Your ChatGPT conversations are almost certainly at risk

This is educational material and does not constitute legal advice nor is any attorney/client relationship created with this article, hence you should contact and engage an attorney if you have any legal questions. No warranties, express or implied, are made with respect to its accuracy. Information contained herein, or information relied upon, is subject to change without notice.

On May 13, 2025, OpenAI was ordered to retain all user data as part of an evidence preservation decision by the court.

A subsequent letter two days later from OpenAI asking the court to reconsider its decision was soundly rejected.

At first blush, it seemed that all of OpenAI’s 500 million (700 million?) ChatGPT users’ data would need to be retained; even deleted and “temporary” messages’ content was included in the order.

Not clear, however, was the extent to which this order impacted third party services that utilized ChatGPT via OpenAI’s API. While it seemed unambiguous that such services without negotiated zero data retention policies (ZDR) were almost certainly implicated, it was unclear whether those with negotiated ZDR policies were safe.

Today we have some clarity as follows:

Per OpenAI's official statement, the court order does not apply to Education, Enterprise, or 3rd party services that utilize the OpenAI API, but IF AND ONLY IF they've negotiated ZDR policies with applicable business associate agreements (BAAs), an especially essential point to maintain HIPAA compliance.

In all other situations -- i.e., Basic, Plus, Pro, Team, and 3rd party API use without ZDR/BAA -- it should be assumed that all data will be permanently retained by OpenAI unless/until the court order is lifted. This includes "Temporary" or "incognito" chats, as well as chats that you have deleted.

For clarity:

❌ ChatGPT Basic
❌ ChatGPT Plus
❌ ChatGPT Pro
❌ ChatGPT Team
❌ ChatGPT API via 3rd parties without negotiated ZDR policies

✅ ChatGPT API via 3rd parties + ZDR policies with a BAA (like GC_ai)
✅ ChatGPT Enterprise
✅ ChatGPT Education

Per the California bar's guidance on Gen AI, lawyers "must not input any confidential information of the client into any generative AI solution that lacks adequate confidentiality and security protections...."

As a practical matter, while all client material is not privileged (i.e., cannot be compelled as evidence in court), all client material is still confidential. Hence, continuing to use an instance of ChatGPT not excepted by this court order is effectively breaching professional ethics rules involving client confidentiality for lawyers, doctors, and other professions.

Sources:

(1) OpenAI's ZDR policies (https://platform.openai.com/docs/guides/your-data)

(2) OpenAI's official statement clarifying the above (https://openai.com/index/response-to-nyt-data-demands/)

(3) California bar Guidance on gen AI (https://www.calbar.ca.gov/Portals/0/documents/ethics/Generative-AI-Practical-Guidance.pdf)

Looking for past newsletters? You can find them all here.