2 min readSanitized AI Team

Canada Just Told OpenAI Its Training Data Practices Broke Privacy Law. Here's What That Means for Every Organization Using AI.

PrivacyComplianceAI Governance

Yesterday, Canada's privacy regulators made it official: OpenAI's original ChatGPT training practices violated federal and provincial privacy law. The joint investigation — involving the OPC, Quebec's CAI, and the privacy commissioners of BC and Alberta — found overcollection of personal information, lack of valid consent, insufficient transparency, and no accountability framework before launch.

OpenAI has since retired those earlier models and committed to new safeguards. The regulators called the complaint conditionally resolved at the federal level.

Most coverage will focus on what OpenAI did wrong. We want to talk about what it means for your organization.

The finding that should keep your CISO up at night

The regulators didn't just fault OpenAI for scraping public data. They flagged that OpenAI gathered personal information — including sensitive details like health conditions and political views — without adequate safeguards, and released the product without fully addressing known privacy risks.

Now ask yourself: what is your workforce doing right now with the tools OpenAI has built?

79% of Canadian office workers use AI at work. Only 25% use enterprise-approved tools. The rest are on whatever helps them hit a deadline — ChatGPT, Gemini, Grok, Perplexity — entirely outside your visibility. And according to research from Kiteworks, 93% of employees input company data into AI tools. That includes customer records, clinical notes, financial data, and source code.

The OPC investigation focused on how OpenAI handled data to train its models. But the exposure risk for your organization isn't just about OpenAI's training pipeline. It's about what your employees are submitting right now, today, through AI prompts — and whether any of that data is regulated, sensitive, or simply none of OpenAI's business.

The Canadian ruling highlights a critical gap: consent isn't just about the terms of service you sign; it's about the data flow you control. If your employees are feeding sensitive information into third-party AI systems without explicit organizational oversight, you are already in a state of non-compliance.

The solution isn't to ban AI, but to sanitize the interaction. By stripping sensitive identifiers and PII at the point of entry, organizations can leverage the power of LLMs while ensuring that their training data—and their active prompts—never break the law.

See how Sanitized AI stops sensitive data from leaving the prompt box.