A federal class action filed on May 13, 2026, accuses OpenAI Global, LLC of embedding Meta's Facebook Pixel and Google Analytics tracking code into ChatGPT.com and using those tools to transmit users' conversation topics, email addresses, and persistent identifiers to Meta and Google in real time - without user knowledge or consent. The case, Couture v. OpenAI Global, LLC, Case No. 3:26-cv-03000-H-GC, was filed in the United States District Court for the Southern District of California.
The plaintiff, Amargo Couture, a California resident who used ChatGPT throughout 2025 and 2026 to research health, financial, and other personal matters, brings the suit individually and on behalf of all United States residents who accessed ChatGPT.com and entered queries into the service. The complaint asserts four counts: violation of the Electronic Communications Privacy Act (ECPA), violation of the California Invasion of Privacy Act (CIPA) under sections 631 and 632, and invasion of privacy under the California Constitution and common law.
The tracking mechanism described in the complaint
The technical allegations at the heart of the case are granular. According to the complaint, when a user types a query into ChatGPT.com, that query becomes the title of the browser tab - a piece of data that the Facebook Pixel, embedded in the site's JavaScript, then captures and forwards to Meta's servers in a simultaneous GET request. The complaint provides a network-level packet capture as evidence. The data field labeled "pmd[title]" in the transmission contains the literal conversation title - "Super Bowl 2005 Winner" in the example cited - sent alongside the user's Facebook ID cookies.
Three cookies are central to the Meta tracking allegations. The c_user cookie contains the user's unencrypted Facebook ID and expires after 90 days if the user checked the "keep me logged in" option, or clears when the browser closes. The fr cookie contains at least an encrypted Facebook ID and a browser identifier, expires after 90 days, and resets each time the browser logs back into Facebook. The _fbp cookie is set as a first-party cookie by the host website - in this case, ChatGPT.com - expires after 90 days, and resets on each return visit to the same site. According to the complaint, all three cookies were transmitted together with query content to Meta's servers, enabling Meta to link the query to a specific, identified Facebook user.
The Facebook ID, or FID, is described in the complaint as a de facto identity link: any ordinary person who obtains a user's FID can navigate directly to that user's public Facebook profile. Meta does not dispute this property in its own documentation, according to the filing.
Google Analytics and the email address intercept
The Google-side allegations involve a different set of identifiers but follow a structurally parallel mechanism. According to the complaint, when a user logs into ChatGPT using an email address, Google Analytics - also embedded in ChatGPT.com's code - intercepts a hashed version of that email address, marked in the transmitted data by the "em" identifier. A second network-level capture included in the complaint shows the hashed value sent alongside a session ID and a document title matching the user's active ChatGPT conversation.
The complaint addresses the hashing directly. Although hashing is sometimes presented by ad-tech companies as an anonymization technique, Google - as the entity that creates and receives the hash - can decrypt the value and match it to its existing advertising profiles, according to the filing. The Federal Trade Commission has made similar arguments in public-facing technical documents cited in the complaint, noting that "hashing is vastly overrated as an anonymization technique" and that "hashes are not anonymous and can still be used to identify users."
Beyond the email hash, the complaint identifies the Secure-3PSID cookie as a second Google-side identifier transmitted through ChatGPT.com. That cookie contains the user's Google profile ID. Combined with Google Signals - an opt-in feature that associates Analytics data with signed-in Google account holders across devices - Google Analytics can, according to the filing, build a cross-device picture of how a given user behaves online and use that picture to power remarketing campaigns through Google Ads, Display and Video 360, and Search Ads 360.
According to the complaint, Google Analytics uses several distinct identity spaces to stitch together user profiles: a User-ID of up to 256 characters assigned during login; user-provided data such as email, phone, and name; a device ID derived from the _ga cookie's client ID on desktop and from the app-instance ID on mobile; and behavioral modeling that uses machine learning to estimate the behavior of users who decline analytics cookies based on the behavior of similar users who accept them.
What data was allegedly transmitted
The complaint is specific about what changed hands. For Meta: the query topic as captured in the page title, the c_user and fr cookies containing the Facebook ID, and the _fbp cookie identifying the browser. For Google: the URL of the conversation page on ChatGPT.com, a hashed email address captured at login or account creation, a session ID, the Secure-3PSID cookie with the Google profile ID, and a document title matching the active conversation. Both categories of transmission occurred, according to the complaint, at the moment the user entered a query - not at page load, but as an ongoing, real-time event.
The complaint draws attention to a feature of ChatGPT's interface that makes this data particularly sensitive. Unlike a standard webpage title - which might read "Men's Shoes | Brand Name" - a ChatGPT conversation title is an AI-generated summary of the user's actual question. A user researching a medical condition, a legal problem, or a financial situation will, in many cases, have those topics summarised as the conversation title. That title then travels, under the complaint's theory, to Meta and Google's advertising infrastructure.
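The two transmission paths described above (a page title sent in a field such as "pmd[title]", and a hashed e-mail sent in a field such as "em") can be checked for on any site by seeding a canary conversation title and a test-account e-mail, then searching captured outbound requests for them. The following is an added example, not code from the complaint or the article; the host names, the "title" and "sid" fields, the e-mail normalisation and the list of digest algorithms are assumptions.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "chat.example"  # hypothetical site under audit (assumption)

def email_digests(email):
    """Map hex digests of the normalised address to the algorithm name.
    Trim + lowercase normalisation and this digest list are assumptions."""
    norm = email.strip().lower().encode()
    return {hashlib.new(alg, norm).hexdigest(): alg
            for alg in ("md5", "sha1", "sha256")}

def audit(requests, canary_title, test_email):
    """Return (host, field, kind) for each third-party request field that
    carries the canary title, a digest of the test e-mail, or a cookie."""
    digests = email_digests(test_email)
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        host = parts.hostname or ""
        if host == FIRST_PARTY or host.endswith("." + FIRST_PARTY):
            continue  # first-party traffic is out of scope for this check
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if canary_title.lower() in value.lower():
                findings.append((host, key, "page-title"))
            elif value.lower() in digests:
                findings.append((host, key, "email-" + digests[value.lower()]))
        for name in req.get("cookies", []):
            findings.append((host, name, "cookie"))
    return findings

# Constructed capture: hosts, the "title" and "sid" fields and all values are
# made up; "pmd[title]", "em" and the cookie names are the ones the article cites.
TEST_EMAIL = "Test.User@example.com"
EM = hashlib.sha256(b"test.user@example.com").hexdigest()
SAMPLE_REQUESTS = [
    {"url": "https://chat.example/c/1?title=Super+Bowl+2005+Winner"},
    {"url": "https://tracker-a.example/tr?pmd%5Btitle%5D=Super%20Bowl%202005%20Winner",
     "cookies": ["c_user", "fr", "_fbp"]},
    {"url": f"https://analytics-b.example/collect?em={EM}&sid=1234"
            "&title=Super+Bowl+2005+Winner",
     "cookies": ["Secure-3PSID"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS, "Super Bowl 2005 Winner", TEST_EMAIL):
        print(finding)
```

The e-mail match succeeds because anyone who already holds the address can recompute its digest, which is the property the FTC language quoted in the complaint describes.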
The legal framework
The case rests on two wiretapping statutes, one federal and one state, that courts have extended to internet communications. The ECPA, codified at 18 U.S.C. section 2511, prohibits the intentional interception of electronic communications. The complaint argues that each ChatGPT interaction constitutes an "electronic communication" under the statute's definition at 18 U.S.C. section 2510(12), and that embedding the Facebook Pixel and Google Analytics - which capture and redirect communication content to third parties in real time - constitutes unlawful interception under 18 U.S.C. section 2511(1)(a). Statutory damages under the ECPA are sought at $10,000 or $100 per day per violation.
CIPA, codified at California Penal Code section 630 et seq., was enacted in 1967 to address telephone wiretapping. Its language has since been applied by courts to internet communications. In Matera v. Google Inc. (2016), the Northern District of California held that CIPA applies to "new technologies" and must be construed broadly to effectuate its remedial purpose. The Ninth Circuit, in In re Facebook, Inc. Internet Tracking Litigation (2020), reversed a lower court's dismissal of CIPA and common law privacy claims based on Facebook's collection of users' browsing history. Both decisions are cited in the complaint as precedent for applying the 1967 statute to pixel-based tracking.
Under CIPA section 631(a), liability attaches to anyone who, "by means of any machine, instrument, contrivance, or in any other manner," intentionally reads or attempts to learn the contents of a message in transit without the consent of all parties. The complaint frames the Facebook Pixel and Google Analytics code as precisely such instruments - each one causing the user's browser to secretly duplicate and forward the content of their ChatGPT session to a third party. Under Cal. Penal Code section 637.2, plaintiffs may seek the greater of $5,000 per violation or three times actual damages. Section 632, which prohibits recording confidential communications without all-party consent, provides the same remedy.
Count IV pleads invasion of privacy under the California Constitution and common law, framing the alleged interception not merely as a statutory violation but as an intrusion upon seclusion of a "serious" nature, given the sensitivity of the communications at issue.
The class definition and scale
The complaint defines two putative classes. The national class covers all United States residents who accessed ChatGPT.com and entered queries during the class period. The California subclass covers California residents who used the site while in California. The complaint notes that the exact membership is unknown at filing but estimates "millions of individuals" in the class. The aggregate claims exceed $5,000,000, the threshold for federal jurisdiction under the Class Action Fairness Act.
OpenAI Global, LLC is incorporated in Delaware and maintains its principal place of business at 1455 3rd Street, San Francisco, California 94158. The complaint establishes venue in the Southern District of California on the basis that a substantial part of the alleged events - the plaintiff's queries and their interception - occurred there.
Context: a pattern of similar litigation
This case does not arise in isolation. A structurally identical action against Perplexity AI, Meta, and Google was filed on March 31, 2026, in the Northern District of California. That 140-page complaint alleged Perplexity embedded the Meta Pixel, the Conversions API, Google Ads, Google DoubleClick, Google Firebase, and Google Analytics within its AI search engine, forwarding users' private conversations to both companies. As PPC Land reported, the Perplexity case was voluntarily dismissed without prejudice on May 1, 2026, leaving the underlying questions unresolved.
In August 2025, a federal jury found Meta violated CIPA by collecting sensitive health data from users of the Flo period-tracking app without consent - a case that also centred on Meta's SDK embedded within a third-party application. San Francisco Superior Court entered a $50 million final judgment against Meta in March 2026 over Facebook user data shared with third-party developers without adequate disclosure.
For the advertising technology industry, the Facebook Pixel has long served as a cornerstone of Meta's advertising infrastructure, enabling advertisers to build Custom Audiences and Lookalike Audiences based on off-platform user behaviour. The complaint quotes Meta's own documentation describing the Pixel as code that allows business customers to "make sure your ads are shown to the right people" and to find "people who have visited a specific page or taken a desired action on your website." Meta builds what it calls Core Audiences from this data - datasets drawing on users' interests, behaviour, and connections inferred from both on-platform and off-platform activity.
OpenAI, meanwhile, has been moving toward its own advertising model. A self-serve cost-per-click interface arrived at ChatGPT in early May 2026, adding a new dimension to questions about how the company monetizes user interactions. OpenAI was also ordered in November 2025 to turn over 20 million anonymized ChatGPT conversations to the New York Times in a separate copyright discovery dispute - a ruling that OpenAI argued raised significant user privacy concerns.
Canadian regulators found ChatGPT's privacy practices non-compliant from the outset, and Italy's Garante imposed a 15 million euro fine on OpenAI at the close of 2024 alongside mandatory public awareness campaigns. Those proceedings focused on OpenAI's use of personal data to train its models. The present complaint targets a different practice: the alleged routing of live user conversations to third-party ad platforms via standard web tracking infrastructure.
Why this matters for the marketing community
The complaint makes a point that has direct relevance for any company running Google Analytics or the Meta Pixel on a platform where users share sensitive information. The legal theory does not require that the tracking be unusual or proprietary - both tools are standard components of most web marketing stacks. What the complaint argues is that deploying them on a platform where the content of user interactions is sensitive creates wiretapping liability under statutes that predate the internet but have been extended to cover it.
The distinction the filing draws between a generic web page and a ChatGPT conversation page is operationally important. A user who asks an e-commerce site "what are your return policies" generates a page title of limited sensitivity. A user who asks ChatGPT about cancer treatment options, bankruptcy procedures, or domestic violence resources generates a page title that is, in effect, a statement of private need. That title travels to Meta and Google's servers, according to the complaint, in the same automatic transmission that occurs on any Pixel-enabled or Analytics-enabled site.
The case reinforces a broader tension that PPC Land has tracked throughout 2025 and 2026: as AI platforms accumulate users who share increasingly personal information in conversational formats, the standard advertising measurement infrastructure designed for conventional web browsing may carry legal risks that marketers and platform operators have not fully evaluated. The class action seeks injunctive relief alongside damages, meaning that if the plaintiffs prevail, the practical outcome could extend beyond financial penalties to structural changes in how AI platforms are permitted to integrate third-party tracking code.
Timeline
- 1967 - California enacts the California Invasion of Privacy Act (CIPA), originally targeting telephone wiretapping
- 2016 - Northern District of California holds in Matera v. Google Inc. that CIPA applies to "new technologies" and must be construed broadly
- 2020 - Ninth Circuit reverses dismissal of CIPA claims in In re Facebook, Inc. Internet Tracking Litigation, establishing that CIPA covers internet browsing history collection
- August 2025 - Federal jury finds Meta violated CIPA by collecting sensitive health data from Flo app users without consent via embedded SDK
- November 13, 2025 - OpenAI ordered to turn over 20 million anonymized ChatGPT conversations to the New York Times in copyright discovery dispute
- March 3, 2026 - San Francisco Superior Court enters $50 million final judgment against Meta over Facebook user data shared with third-party developers
- March 12, 2026 - Ace Hardware sued in Northern District of California for alleged tracking via Google Analytics and Bazaarvoice Pixel even after cookie opt-out
- March 31, 2026 - Doe v. Perplexity AI, Meta Platforms, and Google filed in Northern District of California, alleging embedded Meta Pixel and Google Analytics transmitted AI conversation data without user consent
- April 15, 2026 - Meta upgrades the Facebook Pixel and Conversions API, adding new automation for small advertisers
- May 1, 2026 - Doe v. Perplexity AI voluntarily dismissed without prejudice, leaving core privacy claims unresolved
- May 13, 2026 - Couture v. OpenAI Global, LLC, Case No. 3:26-cv-03000-H-GC, filed in the Southern District of California, alleging ECPA, CIPA, and constitutional privacy violations
- May 17, 2026 - Case active; no response filed by OpenAI at time of writing
Summary
Who: Plaintiff Amargo Couture, a California resident, filed a class action on behalf of all US residents who used ChatGPT.com, against OpenAI Global, LLC, a Delaware company headquartered in San Francisco.
What: The complaint alleges OpenAI embedded Meta's Facebook Pixel and Google Analytics into ChatGPT.com, causing users' conversation topics, Facebook IDs, hashed email addresses, and Google profile identifiers to be transmitted in real time to Meta and Google without user consent. Four counts are asserted: violations of the ECPA, CIPA sections 631 and 632, and invasion of privacy under the California Constitution.
When: The complaint was filed on May 13, 2026. The alleged conduct covers the period during which Couture used ChatGPT throughout 2025 and 2026. The class period is not yet formally defined pending certification proceedings.
Where: The case is assigned to the United States District Court for the Southern District of California, Case No. 3:26-cv-03000-H-GC. The alleged interceptions occurred in California. OpenAI's principal place of business is San Francisco.
Why: The complaint contends that users who entered sensitive personal, health, financial, and legal queries into ChatGPT held a reasonable expectation of privacy in those communications, and that OpenAI's integration of third-party advertising tracking infrastructure breached that expectation and violated state and federal wiretapping statutes. The case seeks statutory damages of up to $10,000 per ECPA violation and the greater of $5,000 per violation or three times actual damages under CIPA, along with injunctive relief to prevent continued disclosure.