In P.M. v. OpenAI, users are suing OpenAI for allegedly violating federal (ECPA) and state (CIPA) wiretapping laws by collecting user data when they input content into ChatGPT or into third-party websites’ search features that have integrated ChatGPT APIs. Users are also alleging that OpenAI violates the Computer Fraud and Abuse Act of 1986 (CFAA), a federal anti hacking law, for the same action of collecting their user data (especially their metadata) when using ChatGPT and ChatGPT plugins on third party websites. They argue that OpenAI effectively hacks users’ platform access, exceeding user’s authorized access for OpenAI when using ChatGPT, and intercepts their private information (i.e., user data) without their knowledge or consent.
A subset of Illinois-based plaintiffs further allege OpenAI violated the Illinois Biometric Privacy Act (BIPA) when it collected their biometric identifiers without having a written policy, informing users in writing, receiving a written release, and meeting BIPA’s other procedural requirements (described above). Specifically, they claim that OpenAI collected and relied on their facial images from scraped photos from the internet to train image diffusion products like DALL-E. They allege OpenAI collected facial geometry data of Illinois residents, without which DALL-E could not exist. If the case moves forward into discovery, OpenAI may have to finally divulge the sources of its training data beyond what has been uncovered by others.