California: Class Action against ChatGPT for Breach of Privacy
Regulations governing the use of AI technologies are constantly evolving in countries around the world. A class action is currently underway in California against Microsoft and OpenAI. The action alleges various violations of privacy protection laws stemming from use of these companies’ AI products.
The plaintiffs, who have asked to remain anonymous, are demanding USD 3 billion. The class action alleges that AI products based on the ChatGPT software collected and disclosed personal information without proper transparency and notification. Additionally, the plaintiffs claim OpenAI conducted these actions without obtaining consent and in violation of privacy protection laws.
Microsoft is also a defendant in the class action, since it integrated OpenAI’s technologies in most of the software and services it provides (such as Azure OpenAI Service, Microsoft Teams, Bing, etc.).
The class action alleges that the companies are using AI products to “collect, store, track, share, and disclose” the personal information of millions of internet users, including product information, accounts, names, contact information, means of payment, and more. The class action also alleges that the companies are using the scraped information for the purpose of training their AI technology products, which may also result in exposure of personal information.
The class action also cited other companies using AI products (such as Reddit) and warned about the privacy protection risks associated with the use of various AI tools.
Regulations around the World
This class action joins a series of lawsuits and enforcement proceedings against ChatGPT in the European Union and Israel, as we wrote about in April.
Initially, the European Union, through the European Data Protection Board, decided to form a task force to examine possible law enforcement actions against ChatGPT.
Next, data protection authorities in both Italy and Spain opened investigations against OpenAI due to concerns about leaks of personal information and alleged violations of the European General Data Protection Regulation stemming from use of the software. Later, Italy blocked ChatGPT until further notice.
In Israel, a motion was filed with the Lod District Court to certify a class action. The motion alleges that ChatGPT violates provisions of Israeli privacy protection laws by misusing user information. This includes concerns related to transparency, duration of information retention, information processing purposes, and disclosure to third parties.
The European Parliament’s draft AI Act, the class actions mentioned above, and the law enforcement proceedings against OpenAI in various countries all serve as a cautionary tale to companies about the importance of meticulously controlling the privacy protection and data security aspects of every use and development of AI technologies. Doing so will serve to avoid regulatory scrutiny and mitigate class action risks.
***
Our firm’s Privacy, Data Protection and Cyber Department is at your service to answer any questions or to provide clarifications in this regard or about any other issues pertaining to privacy protection and data security laws.
Dr. Avishay Klein heads the Privacy, Data Protection and Cyber Department.
Adv. Ben Norman is an associate in the department.