A class action filed May 13 in California federal court alleges that OpenAI shared user chat queries, emails, and user IDs with Meta and Google through the Meta Pixel and Google Analytics tracking tools, without obtaining the informed consent California's wiretap statute requires. Attorney Robert Freund is on the filing. The complaint cites the California Invasion of Privacy Act (CIPA) and the federal Electronic Communications Privacy Act. OpenAI did not immediately comment. This is the allegation stage (none of it is adjudicated), but the mechanism named is concrete and worth understanding.

The technical pattern alleged is the standard ad-tech embed: Meta Pixel and Google Analytics scripts loaded on pages where users submit data, transmitting some payload back to Meta and Google for advertising attribution. The same pattern has produced a growing CIPA docket against health-care portals and consumer apps since 2023. The unresolved technical question, and the question that decides the suit, is what actually flowed into the trackers. If the payload was page-view metadata, URLs, and click events, that is standard web analytics that has survived most CIPA challenges. If chat-message bodies, prompts, or email contents transited the pixel calls, that is the wiretap reading the plaintiffs are pressing. The complaint asserts the latter; discovery will decide.

The legal hook here is specific to California: CIPA is a two-party-consent statute, and the doctrine that has done the damage in Pixel cases treats the third-party tracker as a "non-party to the communication" rather than a service-provider extension of the website. OpenAI's privacy policy does disclose that it "collects, stores, and shares" consumer inputs and personal information; the plaintiffs' claim is that general disclosure does not equal specific informed consent for routing chat content through Meta and Google's ad-tech infrastructure. The same legal gap sits inside most consumer AI products that have a marketing site, a signed-in chat surface, and any pixel-based attribution.

For builders shipping consumer AI: audit what actually goes into your trackers. Form fields, prompt text, response text, query strings, conversation IDs: every payload is a potential exhibit in a future CIPA filing if it includes communication content rather than navigation metadata. Generic privacy-policy disclosure has been losing on this question. Server-side tagging that strips content before it reaches Meta or Google is the architectural answer some teams have moved to; consent banners that specifically name third-party trackers are the legal answer others have. Expect more of these filings against major AI products this year; OpenAI is the first big AI-native name to enter a line of litigation that has otherwise been hitting hospitals, retailers, and telehealth apps.
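
One way to run the tracker audit described above is canary seeding: type unique marker strings into the prompt and email fields during a test session, capture the outbound requests, and search tracker-bound traffic for those markers in plain, base64, and SHA-256 form. This is an added example, not code from the complaint or from any vendor; the host list, canary strings, sample requests, and parameter names are constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts treated as third-party trackers; extend for your own stack.
TRACKER_HOSTS = ("facebook.com", "google-analytics.com")

def variants(value):
    """Forms a seeded value may take in a payload (a value encoded on its own)."""
    norm = value.strip().lower()
    return {
        "plain": norm,
        "base64": base64.b64encode(value.encode()).decode(),
        "sha256": hashlib.sha256(norm.encode()).hexdigest(),
    }

def is_tracker(url):
    host = urlsplit(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in TRACKER_HOSTS)

def audit(requests, canaries):
    """Return (host, parameter, canary name, encoding) for every seeded value found."""
    findings = []
    for req in requests:
        if not is_tracker(req["url"]):
            continue  # first-party traffic is out of scope for this check
        parts = urlsplit(req["url"])
        params = parse_qsl(parts.query, keep_blank_values=True)
        params += parse_qsl(req.get("body", ""), keep_blank_values=True)
        for key, val in params:
            for name, seeded in canaries.items():
                for enc, needle in variants(seeded).items():
                    hay = val if enc == "base64" else val.lower()
                    if needle in hay:
                        findings.append((parts.hostname, key, name, enc))
    return findings

# Constructed test data: canaries typed into the product during a test session,
# and captured requests whose parameter names are illustrative only.
CANARIES = {"prompt": "zebracanary7f3a", "email": "audit.canary@example.test"}
EMAIL_HASH = hashlib.sha256(CANARIES["email"].encode()).hexdigest()
SAMPLE_REQUESTS = [
    {"url": "https://www.facebook.com/tr?id=0000&ev=PageView&dl=https%3A%2F%2Fapp.example.test%2Fchat"},
    {"url": "https://www.google-analytics.com/g/collect?en=page_view&dl=https%3A%2F%2Fapp.example.test%2Fchat%3Fq%3Dzebracanary7f3a"},
    {"url": "https://www.facebook.com/tr?id=0000&ev=Lead", "body": "ud[em]=" + EMAIL_HASH},
    {"url": "https://api.example.test/v1/chat", "body": "prompt=zebracanary7f3a"},
]

if __name__ == "__main__":
    print(*audit(SAMPLE_REQUESTS, CANARIES), sep="\n")
```

In the sample data the prompt reaches a tracker only because it rides along in the page URL's query string, which is the case a page-view-only review tends to miss; the hashed email shows why a plain-text search alone is not enough.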