In the ongoing copyright infringement case brought by The New York Times against OpenAI and Microsoft (The New York Times Company v. Microsoft Corporation et al., Case No. 1:23-cv-11195 (S.D.N.Y.)), Judge Ona T. Wang recently issued an order requiring OpenAI to preserve and segregate all output log data (i.e., ChatGPT chat data), regardless of whether OpenAI has committed to delete such data in its consumer-facing policies, or is required to do so due to privacy law requirements or commitments under its customer agreements. OpenAI challenged the May 13 order, but Judge Wang denied the company’s motion in a second order issued on May 16, in which the judge brushes off OpenAI’s concerns – including with respect to user requests for deletion and privacy law considerations (at least for now) – in favor of preserving potential evidence in the case.
This, of course, raises concerns for users of OpenAI who rely on OpenAI’s commitment to delete ChatGPT conversations to manage risk, or who otherwise have bespoke agreements with OpenAI governing data retention and deletion. If your organization or employees use ChatGPT, here are some key questions and considerations in light of the order:
- What data does your organization process using ChatGPT? If data either submitted to or created by your use of ChatGPT includes sensitive data, personal data, proprietary or confidential information, or information of your organization’s customers, consider the risks of OpenAI retaining each of these data sets.
- Sensitive or personal information will trigger privacy law compliance concerns. Will the order halting deletion of ChatGPT data prohibit your organization from honoring consumer deletion requests or risk violation of other data privacy laws or your own data use/retention policies, data minimization commitments or representations you make to consumers?
- If your organization uses ChatGPT to process data of, or create data for, customers, your customer agreements may be implicated. Will you be able to comply with obligations related to data retention or deletion in your client contracts if you continue to use ChatGPT while this order is in effect? Also, consider whether you are required to notify your customers of changes in data handling practices under your contract or if contacting customers may otherwise make sense if you continue using ChatGPT during this period.
- Even general confidential or proprietary data about your own organization, including trade secrets, could be at increased risk if retained by ChatGPT, as the large amounts of data that can be accrued during the use of generative AI tools like ChatGPT can be targets for hackers or otherwise at risk of data breaches (risks that otherwise would be mitigated by periodic deletion).
- Beyond deletion requirements, what other protections might your organization have in place for your data processed by OpenAI? Check your contract for strong confidentiality protections that extend to your data (both input and output generated by ChatGPT), restrictions on the use of your organization’s data for training or other purposes not specifically related to your use of OpenAI tools, and requirements to provide notice of disclosure of your data and limitations restricting disclosure to only the data that is strictly required to be disclosed by law.
- For users of OpenAI’s enterprise or API services who may have specific contractual data deletion obligations in contracts with OpenAI, is this order likely to impact commitments made under those agreements? If so, consider what rights, if any, you may have under your contract.
Ultimately, if you have concerns about being able to comply with privacy laws or adhere to commitments your organization makes to consumers or your customers, consider whether using ChatGPT to process the relevant datasets while the order is in effect carries too great of a risk. Similarly, if your contract with OpenAI relies heavily on deletion in lieu of other protections for your data or confidential information, continuing to submit such data or information to ChatGPT carries increased risk and should be evaluated based on your contract and use case. In other cases, continued use of ChatGPT, with stricter parameters/policies around what types of data can be submitted as a prompt, may make most sense for your organization.
In any case, ChatGPT users should mitigate risk in the short term and stay tuned. The court has instructed the parties to the lawsuit to continue discussing the best way to preserve evidence while also taking into consideration OpenAI’s concerns, so it is possible the scope of data retention could change as those discussions progress.