Meta’s AI Training Faces Legal Pushback, OpenAI Ordered to Retain Chat Logs, Montana tightens privacy law for kids

Privacy Corner Newsletter: May 8, 2025

In this edition of the Privacy Corner Newsletter:

• Legitimate interests and AI: Noyb challenges Meta's model training on public posts
• Warning: ChatGPT ordered to ‘preserve everything’ regardless of privacy settings and regulations
• Montana’s privacy law gets a reboot: Broader scope, more obligations, and a stronger focus on minors
• What we’re reading: Recommended privacy content for the week.

Legitimate interests and AI: Noyb challenges Meta's model training on public posts

Max Schrems’ privacy campaign group, noyb, has formally objected to Meta's plans to use public Facebook and Instagram posts from EEA users to train its artificial intelligence models, arguing the company's reliance on "legitimate interests" as a legal basis is unlawful under the GDPR.

• Meta announced it would use public user content and interactions with Meta AI to train its AI, offering users an opt-out.
• Noyb alleges that this processing lacks a valid legal basis, defies users' reasonable expectations, and will prevent people from exercising their data subject rights.
• The group has given Meta a deadline to provide evidence of compliance or cease the planned AI training.

⇒ What are Meta's plans for AI training in the EU?

In a news post last month, Meta said it would begin training its AI models with "public content shared by adults on Meta Products" (like public posts and comments) and interactions with Meta’s AI chatbots.

Meta stated it would notify EEA-based users via in-app messages and email about its intentions and provide a form for users to "object to their data being used in this way at any time." 

Meta suggested its approach was affirmed by a European Data Protection Board (EDPB) Opinion from December 2024, implying that the company would process the relevant personal data on the basis of its legitimate interests.

⇒ What is noyb's primary concern with Meta's approach?

Noyb's central argument is that Meta cannot lawfully rely on "legitimate interests" for this large-scale processing of personal data for AI training. 

The campaign group highlights several reasons why it believes Meta's intended processing would be unlawful. Noyb argues that users, some of whose posts could be many years old, would not reasonably expect their data to be repurposed for training a "general purpose" AI. 

Noyb says its critique aligns with the Court of Justice of the European Union (CJEU)’s reasoning in the important Bundeskartellamt case regarding Meta's use of data for personalized advertising.

⇒ What are some of noyb's other key objections?

Noyb's cease and desist letter, dated 14 May 2025, alleges that Meta’s plan would entail several other legal violations, including:

• Data subject rights: Noyb asserts that once data is ingested into an AI model like Meta's open-source "Llama," exercising GDPR rights (e.g., erasure, rectification) becomes de facto impossible, particularly as the model could be used by countless other controllers.
• Limited right to object: Meta offers only an ex-ante (before processing) “right to object”, whereas Article 21 GDPR provides that this can be exercised at any time, (including ex-post).
• Special category data: Noyb says that the processing will involve special category data (e.g., religious beliefs, sexual orientation shared on platforms), for which Meta would need a condition under Article 9 GDPR (namely, “explicit consent).
• Lack of transparency: The group says that users will be unable to properly understand the implications of Meta’s processing, given that the company has not published a legitimate interests assessment (LIA).
• Data protection principles: Noyb claims the plan would violate the GDPRs principles of fairness, purpose limitation, and data minimisation.
• Digital Markets Act (DMA): The letter also suggests that combining personal data from Facebook and Instagram for this new purpose without consent could breach Meta’s obligations as a “gatekeeper” under the DMA.

⇒ What's the next step?

Noyb is acting in its new capacity as a “qualified entity” under the Representative Actions Directive. 

With its new “teeth” bared, the campaign group requested Meta to provide evidence supporting its approach or return a signed declaration to “cease and desist” by 17:00 CET on 21 May 2025.

Warning: ChatGPT ordered to ‘preserve everything’ regardless of privacy settings and regulations

A New York judge has ordered OpenAI to preserve all ChatGPT output log data that it would otherwise delete, regardless of “numerous privacy laws and regulations” and users’ requests.

• The May 13 order arose out of an ongoing case against OpenAI brought by the New York Times (NYT), which accuses the AI firm of infringing its copyright.
• The judge ordered OpenAI to “preserve and segregate all output log data” that would “otherwise be deleted” as a result of users’ settings and legal obligations.
• A subsequent motion by OpenAI for the court to reconsider this preservation order was denied, though further discussions on the matter are scheduled.

⇒ What's this dispute about?

The core issue concerns the potential loss of evidence due to OpenAI's deletion of ChatGPT output log data. The judge’s order follows the NYT’s allegations that OpenAI has been deleting a significant amount of data that is relevant to its claims of copyright infringement.

OpenAI first expressed concerns to the judge about a blanket preservation order in January, citing users’ preferences and "numerous privacy laws and regulations." 

OpenAI’s defense was unsuccessful, leading to the May 13 preservation order. The judge denied a subsequent request to reconsider but agreed to consider arguments about modifying the order in a hearing set for May 27.

⇒ What does the order cover?

ChatGPT offers several “Data Controls” that function as privacy and confidentiality settings, including Temporary Chats, which “Don’t get saved in your history and don’t create memories,” and “data ownership” features, which allow ChatGPT Enterprise users to customize their data retention periods.

According to OpenAI’s interpretation of the order, the company is now required to “disregard legal, contractual, regulatory, and ethical commitments to hundreds of millions of people” who “use OpenAI’s services in a way that implicates uniquely private information.”

OpenAI claimed that retaining the relevant data is disproportionate for the purposes of the case and that deleting data “slated for deletion” would require “significant engineering work, infrastructure changes, and compute resources.”

“The Order prohibits OpenAI from honoring this commitment by (e.g.) forbidding OpenAI from 

complying with a user’s attempt to delete a conversation about a family member’s health condition 

or immigration status,” OpenAI’s letter to the judge states.

⇒ What are the implications?

In a May 16 response to OpenAI’s letter, Magistrate Judge Ona T Wang denied the company’s core legal arguments while acknowledging “open questions” remained around “the technological challenges of preservation and segregation,” and the “contractual obligations (OpenAI) may have with its users.”

For now, the order to preserve “all output log data” remains, and it appears to include all conversations and activity accessible to OpenAI.

As such, anyone inputting sensitive or personal data to ChatGPT should exercise caution, regardless of their privacy settings.

Montana’s privacy law gets a reboot: Broader scope, more obligations, and a stronger focus on minors

Montana has significantly revised the Montana Consumer Data Privacy Act (MCDPA) through Senate Bill 297 (SB 297), signed into law on May 8, 2025. 

• The MCDPA amendments take effect from October 1 this year and make the “big sky” state’s privacy law tougher in several respects.
• The law’s applicability will broaden considerably once the amendments take affect, bringing more businesses within the MCDPA’s scope.
• Other changes under SB 297 include new consumer opt-out rights and more extensive transparency obligations.

⇒ Changes to the MCDPA's scope

The amendments under SB 297 broaden the MCDPA’s reach in several ways:

Firstly, SB 297 lowers the MCDPA’s applicability threshold. Once the amendments take effect, the law will apply to entities that: 

• Control or process the personal data of at least 25,000 Montana consumers (down from 50,000), or 
• Control or process personal data of at least 15,000 consumers and derive more than 25% of their gross revenue from the sale of personal data (down from 25,000 consumers).

The law’s new privacy protections for minors (see below) will apply to any entity conducting business in Montana or delivering commercial products or services intentionally targeted to Montana residents, regardless of the volume of data processed.

Exemptions for financial institutions and nonprofits have also been narrowed.

⇒ New ‘duty of reasonable care’ for minors

SB 297 introduces a new “duty of reasonable care” on controllers offering online services, products, or features to users they actually know or willfully disregard are minors.

The law requires such controllers to avoid creating a “heightened risk of harm to minors", including by obtaining consent for certain data processing activities.

SB 297 introduces the “data protection assessments” seen in other states to Montana for the first time—but only in the context of processing that presents a heightened risk of harm to minors.

⇒ New consumer rights and transparency obligations

SB 297 will give consumers the right to opt out of profiling in furtherance of "automated decisions that produce legal or similarly significant effects"—a broader scope than the previous "solely” automated decisions that aligns Montana closer to most other states with comprehensive privacy laws.

Controllers must also comply with expanded transparency requirements and provide consumers with a way to opt out of targeted advertising or the sale of their personal data outside of the privacy notice.

⇒ More robust enforcement

While the law still does not include a private right of action, SB 297 allows the state’s Attorney General to seek civil penalties of up to $7,500 for each violation.

The law also scraps the 60-day “notice and cure” period previously available to all controllers facing enforcement. So if your organization violates the MCDPA, it could receive a civil penalty without a chance to put things right.

What We’re Reading

• Who’s Afraid Of Agentic AI?: Disesdi Susanna Cox discusses a recent data breach involving an agentic AI startup and nearly half a million people’s personal data.
• Artificial Intelligence (AI) Model Clauses: Contractual clauses for AI procurement from the Australian Digital Transformation Agency.
• Government suffers third defeat over copyright protection against AI: The latest on the UK government’s struggle to pass data protection and privacy reforms.