Italy’s data protection agency, the Italian Data Protection Authority (IDPA), has fined OpenAI €15 million ($15.7 million) for privacy violations. The agency also ordered OpenAI to conduct a six-month public awareness campaign to educate users on how ChatGPT collects and processes personal data.
The IDPA’s investigation revealed that OpenAI failed to notify authorities about a data breach in March 2023. The watchdog also found that the company processed personal data to train its AI model without establishing a valid legal basis, violating transparency obligations under Europe’s General Data Protection Regulation (GDPR).
Lack of Age Verification Raises Concerns
The investigation found OpenAI lacked proper age verification mechanisms, potentially exposing children under 13 to inappropriate content. The IDPA emphasized that this oversight could harm minors who are not developmentally equipped to engage with such technology responsibly.
The watchdog stated, “OpenAI has not provided mechanisms for age verification, with the consequent risk of exposing minors under 13 to responses that are unsuitable for their level of development and self-awareness.”
Mandatory Public Awareness Campaign
As part of its corrective measures, the IDPA required OpenAI to launch a six-month public awareness campaign through radio, television, newspapers, and online platforms. The campaign must inform users and non-users about how ChatGPT collects and uses data and explain the rights available under GDPR, including the right to object to the processing of their data, to request corrections, and to demand data deletion.
At the end of the campaign, the IDPA expects users to understand how they can exercise their rights to protect their personal data.
Reduced Fine and Future Oversight
The IDPA noted OpenAI’s cooperative behavior during the investigation, which contributed to a reduced fine. Despite this, the agency underscored the importance of adhering to GDPR standards.
Following the investigation, OpenAI relocated its European headquarters to Ireland. Future inquiries will now fall under the jurisdiction of the Irish Data Protection Commission (DPC), which serves as the lead supervisory authority.
This case serves as a reminder of the potential consequences for companies that violate the GDPR, under which penalties can reach up to €20 million or 4% of global annual revenue.