
After the OPC's ChatGPT Ruling: How Canadian SMBs Should Vet Their AI Vendors for PIPEDA Compliance

By Anton Kuznetsov

On May 6, 2026, the Office of the Privacy Commissioner of Canada, together with provincial regulators in British Columbia, Alberta, and Quebec, released a landmark joint finding: the way OpenAI initially trained ChatGPT violated Canadian privacy law. Four separate violations were identified — overbroad data collection, lack of valid consent, insufficient transparency, and inadequate deletion mechanisms. The finding covered OpenAI's practices specifically, but the implications reach every Canadian business using AI tools to handle personal information.

No Canadian SMB built ChatGPT's foundational model. The investigation's relevance to your business lies in a different clause of PIPEDA: the accountability principle. Under PIPEDA, the organization that collects personal information remains accountable for how that information is handled — including when it is transferred to a third party for processing. If your business submits client data to an AI tool, and that tool's vendor does not meet Canadian privacy standards, your organization shares in the compliance exposure.

The ChatGPT investigation tells you, precisely, what Canadian regulators expect of organizations handling personal information in an AI context. That standard applies to your vendor selection process.

What the Regulators Found

The joint investigation by the OPC, the Commission d'accès à l'information du Québec (CAI), and the information and privacy commissioners of British Columbia and Alberta produced four specific findings against OpenAI:

Overbroad collection. OpenAI scraped personal information from public websites at a scale far exceeding what any identified purpose justified. PIPEDA's collection limitation principle requires that only information necessary for the identified purpose be collected. Gathering everything available and deciding what to use later does not satisfy that requirement.

Lack of valid consent. The OPC found that the assumption that publicly accessible information may be collected for commercial AI training — without explicit consent — does not satisfy PIPEDA. Meaningful consent, as the Canadian regulators interpret it, cannot be implied from the fact that information appeared on a public website.

Insufficient transparency. Organizations must explain to individuals why their information is being collected and how it will be used. The data collection underlying ChatGPT's training was not accompanied by adequate disclosure, leaving affected individuals with no practical ability to understand or object to the use of their information.

Inadequate deletion mechanisms. When an individual requests correction or deletion of their personal information, PIPEDA requires organizations to comply. ChatGPT's foundational model architecture made targeted deletion of specific personal information structurally difficult — an outcome the regulators found unacceptable.

OpenAI has since deprecated its GPT-3.5 and GPT-4 models and implemented filtering tools in subsequent training runs. The complaint was conditionally resolved under PIPEDA. The privacy commissioners of British Columbia and Alberta reached a stronger conclusion: under their provincial statutes, training on scraped data for which valid consent was never obtained cannot be retroactively remediated.

Why This Matters If You Didn't Train a Model

PIPEDA Principle 1 (Accountability) states that an organization is responsible for personal information in its possession or custody, including information transferred to a third party for processing. You remain accountable for ensuring that your vendors provide a comparable level of protection.

In practical terms: submitting client data to an AI tool that operates under consumer-grade terms — where the vendor's agreement permits using your inputs for model training or product improvement — is a PIPEDA compliance event waiting to happen. The ChatGPT investigation tells you what standard regulators apply. The accountability principle tells you that your organization, not just the vendor, is in scope.

This is not a theoretical concern. The OPC's 2025-26 Annual Report, released June 4, 2026, recorded 3,044 PIPEDA complaints — a 109% increase year-over-year — and nearly 700 breach reports from businesses, affecting more than 20 million Canadians. The OPC attributes part of the surge to increased public awareness of AI data practices. That awareness is raising the volume and quality of complaints, and it is not receding.

The Adoption-Governance Gap

Canadian business AI adoption is accelerating significantly. Statistics Canada's Q2 2026 Business Conditions Survey found that 19.2% of Canadian businesses now use AI to produce goods or deliver services — triple the 6.1% reported in Q2 2024. The growth is fastest in information and cultural industries (42.3%), finance and insurance (40.4%), and professional, scientific and technical services (32.4%).

A June 2025 Edelman survey commissioned by Microsoft Canada — using a broader definition that includes any active AI use — found 71% of Canadian SMBs are now using AI or generative AI in operations. Of those, only 58% have implemented internal policies to govern how AI tools are used.

The gap between 71% adoption and 58% policy coverage is where the compliance exposure concentrates. Businesses that have adopted AI tools quickly, without reviewing the vendor's data handling terms, without assessing what personal information is being submitted to the model, and without disclosing AI processing to the individuals whose data is involved, are operating outside PIPEDA's accountability requirements.

The Regulatory Landscape: No Federal AI Law — Yet

Canada currently has no federal AI-specific law in force. Bill C-27, which would have enacted the Artificial Intelligence and Data Act (AIDA), died on the Order Paper when Parliament was prorogued in January 2025. AIDA's proposed framework — mandatory risk assessments, human oversight requirements, and harm mitigation obligations for high-impact AI systems — represents the clearest signal of where federal regulation is heading, but it carries no legal weight today.

Until a successor is enacted, two Canadian frameworks constitute the operative AI governance standard for businesses: PIPEDA, and the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, which ISED published in September 2023. The Voluntary Code identifies six organizational commitments — accountability, safety, fairness and equity, transparency, human oversight and monitoring, and support for the responsible AI ecosystem — and has been adopted by major Canadian organizations including Telus, IBM Canada, Kyndryl, Mastercard, and CGI.

The Voluntary Code is not legally binding, but it reflects what regulators expect. The OPC's Principles for Responsible, Trustworthy and Privacy-Protective Generative AI, released jointly by all Canadian privacy regulators in December 2023, go further: they explicitly address organizations that *use* generative AI — not just those that build it — establishing consent, transparency, and accountability requirements that apply today, under existing PIPEDA.

Five Questions to Ask About Every AI Tool You Use

The ChatGPT investigation provides a practical filter for vendor assessment. For each AI tool your organization uses to process personal information, answer these five questions:

1. Is this an enterprise agreement with explicit data processing terms?

Consumer-tier subscriptions — free plans and personal-plan accounts — typically permit the vendor to use your inputs for model training or improvement. Enterprise agreements for services like Microsoft 365 Copilot, Azure OpenAI Service, and comparable enterprise AI platforms contractually prohibit training models on your data. If employees are using personal-plan AI accounts with client or employee data, that exposure needs to be resolved.

2. Where does your data go, and can you prove it?

Under PIPEDA's accountability principle, your responsibility for personal information does not end at the Canadian border. IBM's 2025 Cost of a Data Breach Report found that 69% of Canadian organizations rate data sovereignty as their most important factor in selecting an AI or cloud vendor. Confirm whether your AI vendor processes data in Canada, and whether an adequate data processing agreement covers any transfers outside the country.

3. Can you honour deletion requests?

The ChatGPT investigation found that OpenAI's model architecture made targeted deletion structurally difficult. Before using an AI tool with personal information, confirm that information submitted through that tool can be identified, retrieved, and deleted in response to an individual's request under PIPEDA.

4. Does your privacy policy disclose AI processing?

PIPEDA's transparency principle requires that individuals know when and how their personal information is being processed. If you use AI tools to process client communications, documents, or records, your privacy policy should describe that in plain language. A policy that says nothing about AI processing while AI is actively used creates the exact transparency gap the OPC identified in the ChatGPT ruling.

5. Do you have an approved tool list?

One AI tool with a clear enterprise agreement is manageable. The compliance exposure scales with the number of tools and the inconsistency of data handling controls. A documented list of approved AI tools — specifying the terms under which each is used and what data types employees may submit — establishes the governance baseline that PIPEDA accountability requires.

Three Actions for This Month

Vendor assessment does not require a large investment. These three actions address the most common gaps:

Review your current AI tool contracts. For each tool used with client, employee, or financial data, confirm the subscription tier and data processing terms. Consumer-plan AI services should not receive personal information until enterprise-grade terms are in place.

Add an AI disclosure to your privacy policy. If your policy does not currently describe the use of AI tools to process personal information, add a plain-language statement covering the tools in use, the categories of data they process, and how individuals can request information about or deletion of their data.

Communicate an approved tool list to your team. Share which AI tools are approved, what data types they may receive, and how to request approval for new tools. Employees cannot govern what they have not been told.

The adoption window in Canada is open. The federal government's AI for All strategy targets 60% of Canadian businesses using AI by 2034. The businesses that build vendor governance infrastructure now — while adoption is accelerating but before the inevitable regulatory escalation — will not be spending incident response resources on preventable PIPEDA compliance events.

Understanding your PIPEDA exposure when using AI tools is the first step — knowing whether your specific vendors meet the standard the OPC established in the ChatGPT ruling is the second. Cloud Forces helps Canadian SMBs conduct AI vendor audits, update privacy policies to reflect AI processing, and build approved tool frameworks aligned with OPC and ISED guidance. Explore our AI Advisory services or book a free consultation to assess your current AI vendor stack for PIPEDA compliance.

Anton Kuznetsov
Founder & Principal Engineer

Anton Kuznetsov is the founder and principal engineer of Cloud Forces, the Toronto firm he started in 2018 to make custom software and AI practical and affordable for Canadian SMEs. He works hands-on across application development, cloud architecture, and the production systems Cloud Forces runs for its clients.
