OpenAI OpCo LLC – €15,000,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
OpenAI was fined €15 million by Italy's data protection authority for mishandling user data with its ChatGPT service. The authority found that OpenAI failed to notify it of a data breach and did not have a valid legal basis for using personal data to train the AI. This case is significant because it shows that companies must be transparent and protect user data properly.
What happened
OpenAI violated GDPR by not notifying the authority about a data breach and using personal data without a valid legal basis.
Who was affected
Users of ChatGPT whose personal data was used without proper consent.
What the authority found
The Italian authority ruled that OpenAI did not comply with several GDPR requirements, including transparency and data breach notification.
Why this matters
This ruling highlights the need for companies to be transparent about data use and to notify authorities of breaches promptly. It sets a precedent for strict enforcement of data protection laws in the tech industry.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The Italian DPA has imposed a fine of EUR 15 million on OpenAI in connection with the operation of the generative AI chatbot “ChatGPT”. The DPA found that OpenAI had violated provisions of the GDPR, inter alia, by failing to notify the DPA of a data breach that occurred in 2023, by using users' personal data to train ChatGPT without providing a valid legal basis for such processing, and by violating the principle of transparency. Additionally, OpenAI did not implement age verification, potentially risking exposure of children under 13 to inappropriate content. Furthermore, the DPA ordered OpenAI to carry out a six-month public information campaign to educate users on how ChatGPT processes data and how they can exercise their GDPR rights.
Related Enforcement Actions (0)
No other enforcement actions found for OpenAI OpCo LLC in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
2 November 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€15,000,000
Enforcement Tracker ID
ETid-2497
About this data
Cite as: Cookie Fines. OpenAI OpCo LLC - Italy (2024). Retrieved from cookiefines.eu