ChatGPT runs on cookies. Not the kind you bake, but the small text files your browser stores every time you visit chatgpt.com. OpenAI's cookie policy, last updated in February 2026, splits these into three categories: necessary, analytics, and marketing. Each serves a different purpose, and each carries different consent obligations depending on where your users are located.
With over 800 million weekly active users and a new advertising programme rolling out across free and Go-tier accounts, the cookie footprint of ChatGPT has grown since its 2022 launch. If you run a website that integrates with OpenAI's services - or redirect users to chatgpt.com - the compliance implications are worth paying attention to.
What Cookies Does ChatGPT Actually Set?
OpenAI groups its cookies into three broad categories, mirroring the standard classification used across most cookie categories in the industry. The specifics, however, are worth examining cookie by cookie.
Necessary Cookies
These are the cookies ChatGPT cannot function without. Block them and you lose the ability to log in, maintain a session, or switch between models. Specific examples include:
| Cookie Name | Purpose |
|---|---|
auth_session_minimized | Maintains your login session across page loads |
oai-last-model | Remembers which GPT model you last selected |
oai-locale | Stores your language and region preference |
oai-ip-country | Detects your country for region-based compliance rules |
oai-model-sticky-for-new-chats | Keeps your preferred model for new conversations |
login_session | Authenticates your identity during the session |
Under both the GDPR and the ePrivacy Directive, strictly necessary cookies are exempt from consent requirements. Article 5(3) of the ePrivacy Directive permits cookies that are essential for a service explicitly requested by the user. Logging into ChatGPT qualifies.
That said, the line between "necessary" and "functional" is not always obvious. A cookie like oai-locale stores your language preference - useful, but arguably not essential to the core chat functionality. Different data protection authorities may classify it differently.
Analytics Cookies on ChatGPT
OpenAI uses analytics cookies to understand how people interact with ChatGPT: which features see the most use, where users encounter friction, and how the platform performs. These cookies help OpenAI improve the product, but they are not required for it to work.
In jurisdictions that follow the GDPR model, analytics cookies require prior opt-in consent. They fall outside the "strictly necessary" exemption because they serve the platform operator's interests, not the user's immediate request. The French CNIL has been particularly firm on this point, fining Google EUR 325 million in September 2025 for displaying ads in Gmail without prior consent and for using consent designs that pushed users toward personalised advertising.
OpenAI does provide a cookie preferences panel on its sites. In GDPR-applicable regions, analytics cookies are not activated by default - users must opt in. The mechanism is accessible via a "Cookie Preferences" link in the footer of chatgpt.com.
Marketing and Advertising Cookies
This is where things get more complex. ChatGPT sets marketing cookies from several third-party platforms, including Google, LinkedIn, Meta, Reddit, TikTok, and Microsoft. These cookies help OpenAI measure the effectiveness of advertising campaigns that bring users to ChatGPT.
Specific marketing cookies observed on ChatGPT include:
| Cookie Name | Platform | Purpose |
|---|---|---|
_gcl_au, _gcl_aw | Google Ads | Campaign attribution and conversion tracking |
ANID, NID | Ad personalisation and frequency capping | |
li_fat_id, bcookie | LinkedIn campaign performance measurement | |
li_gc, lidc | Consent state and data centre routing |
In early 2026, OpenAI launched an advertising pilot inside ChatGPT itself. Ads now appear for users on free and Go-tier accounts (the Go tier costs USD 8 per month and launched globally in August 2025). Paid tiers - Plus, Pro, Enterprise, Business, and Education - remain ad-free.
OpenAI states that advertisers do not receive access to individual user conversations, chat history, or personal details. Instead, ad targeting relies on contextual signals within the current conversation and aggregated engagement metrics like total views and clicks. This approach sits closer to contextual advertising than behavioural profiling, though it still involves cookies that fall squarely under GDPR consent requirements.
The GDPR and ChatGPT: A Regulatory Timeline
OpenAI's relationship with European data protection authorities has been anything but smooth. In March 2023, Italy's Garante temporarily banned ChatGPT after a data breach exposed chat histories and partial payment details of a small number of ChatGPT Plus subscribers. The ban lasted roughly a month before OpenAI implemented measures to address the Garante's concerns.
The investigation continued. In December 2024, the Garante fined OpenAI EUR 15 million for multiple GDPR violations, including training ChatGPT on personal data without an adequate legal basis, failing to notify the authority of the March 2023 breach within the required timeframe, and lacking proper age verification for users under 13. OpenAI was also ordered to run a six-month public awareness campaign across Italian media.
OpenAI has since established its European headquarters in Ireland, activating the GDPR's one-stop-shop mechanism. Primary supervisory authority now sits with the Irish Data Protection Commission.
The CNIL's September 2025 fines against SHEIN (EUR 150 million for cookie and consent breaches) and Google (EUR 325 million for consent manipulation) underscore a broader trend: European regulators are aggressively enforcing cookie consent rules, and AI platforms are not exempt.
What This Means If Your Website Uses ChatGPT
The compliance picture depends on how your website interacts with OpenAI's services.
API Integration (Server-to-Server)
If your website calls the OpenAI API to power chatbots, content generation, or internal tools, OpenAI does not place any cookies on your users' browsers. The API operates server-to-server - your users never interact directly with chatgpt.com. No cookies from OpenAI, no additional consent obligations related to those cookies.
Your own cookies still apply, of course. If you use Google Analytics or marketing pixels alongside your ChatGPT-powered features, those require their own consent flows.
Redirecting Users to chatgpt.com
If your website links to or redirects users to chatgpt.com, OpenAI controls the cookies set during that interaction. Your responsibility is limited, but you should inform users in your privacy policy that they may be redirected to a third-party service with its own cookie and data practices.
Embedding Third-Party ChatGPT Widgets
This is the grey area. If you use a third-party chatbot widget that relies on OpenAI but runs on your domain, any cookies that widget sets - whether analytics, functional, or marketing - may become your compliance responsibility. Under the controller-processor framework, the entity that determines the purposes and means of data processing bears the primary compliance burden. If the widget sets cookies on your domain, that entity is likely you.
Run a cookie scan after installing any ChatGPT-based widget. You need to know exactly what cookies appear and categorise them correctly in your consent banner.
Managing Cookie Consent for AI-Powered Services
The rules for AI platform cookies are no different from the rules for any other website cookie. The core GDPR principles still apply: lawfulness, transparency, purpose limitation, and data minimisation.
For website owners, the practical steps are straightforward. Audit your site to identify every cookie, including those set by third-party AI integrations. Classify each cookie correctly. Block non-essential cookies until the user gives informed, affirmative consent - pre-ticked boxes and implied consent through continued browsing do not meet the GDPR standard.
If you operate in the United States, the CCPA and CPRA use an opt-out model rather than opt-in. The opt-out requirements still demand a clear mechanism, and eight US states now mandate support for Global Privacy Control signals. Brazil's LGPD takes a consent-centric approach similar to the GDPR, while Canada's PIPEDA requires meaningful consent proportional to data sensitivity.
The Bigger Picture: AI, Advertising, and Cookie Law
OpenAI reportedly burned through approximately USD 9 billion in 2025, and the majority of ChatGPT's weekly users have never paid for the service. Advertising is the financial mechanism that makes the free and Go tiers viable - and it brings marketing cookies from Google, LinkedIn, Meta, and other ad networks into the ChatGPT experience.
The European Commission's November 2025 Digital Omnibus proposal could reshape cookie rules further, potentially folding the ePrivacy Directive into the GDPR and allowing some cookies under a "low-risk" exemption or legitimate interest basis. That proposal is in early legislative stages and unlikely to take effect before 2031.
For now, non-essential cookies - including the analytics and marketing cookies ChatGPT uses - require prior opt-in consent in the EU and UK. Google Consent Mode v2 has become the industry standard for bridging consent signals with advertising platforms.
Frequently Asked Questions
Does ChatGPT set cookies on my browser?
Yes. When you visit chatgpt.com, OpenAI sets necessary cookies for authentication and session management, plus optional analytics and marketing cookies if you consent to them. The exact cookies depend on your region and your consent choices.
Can I use ChatGPT without accepting marketing cookies?
Yes. In GDPR-applicable regions, marketing and analytics cookies are not activated until you opt in. You can use ChatGPT's core features with only the strictly necessary cookies enabled. Adjust your preferences via the "Cookie Preferences" link in the site footer.
Does the OpenAI API set cookies on my website visitors' browsers?
No. The OpenAI API operates server-to-server. Your users never interact directly with OpenAI's websites, so no OpenAI cookies are placed on their browsers. Any cookies on your site come from your own implementation.
Are ChatGPT's advertising cookies GDPR compliant?
OpenAI provides consent mechanisms in GDPR-applicable regions and states that marketing cookies are opt-in, not on by default. Whether the implementation fully satisfies all DPA expectations remains to be tested - European regulators have shown willingness to fine even large platforms for consent design issues.
What happened when Italy banned ChatGPT?
In March 2023, Italy's Garante temporarily blocked ChatGPT over data protection concerns following a data breach. The ban lasted about a month. In December 2024, the Garante fined OpenAI EUR 15 million for GDPR violations including lack of legal basis for training data processing and failure to report the breach.
Do ChatGPT ads use my conversation data for targeting?
OpenAI says advertisers do not receive access to your conversations, chat history, or personal details. Ad targeting uses contextual signals from the current conversation and aggregated metrics like total views and clicks, rather than behavioural profiles built from your chat history.
Should I update my cookie banner if my site links to ChatGPT?
If you simply link to chatgpt.com, OpenAI handles its own cookies on its domain. Your main obligation is to note in your privacy policy that users may be redirected to a third-party service. If you embed a ChatGPT-based widget on your own domain, you likely need to audit and disclose any cookies it sets.
Start Managing Your Cookie Compliance
If your website integrates with ChatGPT or any other AI service, knowing which cookies are active on your domain is the first step. Kukie.io scans your site, identifies every cookie, and helps you build a consent flow that meets GDPR, CCPA, and LGPD requirements.
