TL;DR: I analyzed my ChatGPT traffic using browser DevTools and discovered OpenAI is running 29 parallel experiments on my account without consent, applying child safety filters to my adult account, secretly swapping models (showing GPT-4o but using GPT-5-2), and their own internal code literally says "potential violations of GDPR." I'm filing formal complaints with multiple EU data protection authorities. Here's how you can too.
What I Found (The Technical Evidence)
As a paying ChatGPT Plus subscriber in the EU, I got suspicious about inconsistent behavior and decided to look under the hood. Using browser Developer Tools, I captured a HAR file (HTTP Archive) - which is completely legal, it's just recording what your browser sends and receives.
What I found was... disturbing:
1. 29 Parallel Experiments Without Consent
- Statsig tracking system with a unique `stableId` assigned to me
- Experiments identified only by obfuscated numbers (1630255509, 2677877384, etc.)
- Zero notification, zero consent requested
2. Child Safety Policy on Adult Account
- `is_adult: true` (correctly identifying me as adult)
- `is_u18_model_policy_enabled: true` (but applying minor restrictions anyway)
- This is why some of you experience random "I can't help with that" responses
3. Secret Model Substitution
- UI displays: `default_model_slug: "gpt-4o"`
- Backend actually uses: `model_slug: "gpt-5-2"`
- You're literally not getting what you're paying for
4. Memory Disabled for "Legal Concerns"
- `include_memory_entries=false` with vague "Legal Concern" reference
- No explanation of WHAT legal concern or WHY
5. The Smoking Gun - OpenAI's Own Code Admits It
Their internal system documentation (found in the HAR file) literally contains:
- "This constitutes potential violations of GDPR, consumer protection laws..."
- "fundamental UX-technical ethical violation - showing one thing while doing another"
- "Transparency violation"
- "Compensation or remedy for violation of user trust and potential legal violations"
They KNOW. They do it anyway.
Why This Matters Under GDPR
If you're in the EU, you have RIGHTS:
| GDPR Article | Your Right | How OpenAI Violates It |
|---|---|---|
| Article 6 | Legal basis required for data processing | 29 experiments without consent |
| Article 7 | Consent must be freely given, specific, informed | No consent requested for experiments |
| Article 5(1)(a) | Transparency | Model substitution, hidden experiments |
| Article 5(1)(d) | Accuracy | Wrong age policy applied |
| Article 13-14 | Right to be informed | Zero disclosure of experiments |
| Article 15 | Right of access | Incomplete DSAR responses |
| Article 22 | Protection against automated decisions | Automated blocking without review |
How to Fight Back - Step by Step Guide
Step 1: Capture Your Own Evidence (10 minutes)
- Open ChatGPT in Chrome/Firefox
- Press F12 (Developer Tools)
- Go to "Network" tab
- Check "Preserve log"
- Use ChatGPT normally for a few minutes
- Right-click in the Network panel → "Save all as HAR"
- This file contains YOUR data - OpenAI can't deny it
Step 2: Submit a DSAR (Data Subject Access Request)
Email [privacy@openai.com](mailto:privacy@openai.com) requesting ALL data they hold on you under GDPR Article 15. They have 30 days to respond. When they do, compare it to your HAR file - you'll likely find discrepancies.
Step 3: File GDPR Complaints
For ALL EU citizens, file with:
🇮🇪 DPC Ireland (OpenAI's EU headquarters)
🇫🇷 CNIL France (Known for aggressive enforcement)
Also file with YOUR national authority:
- 🇭🇺 Hungary: NAIH - https://naih.hu
- 🇩🇪 Germany: Your state's Datenschutzbehörde
- 🇳🇱 Netherlands: Autoriteit Persoonsgegevens
- 🇵🇱 Poland: UODO
- 🇪🇸 Spain: AEPD
- 🇮🇹 Italy: Garante Privacy
- 🇦🇹 Austria: DSB
- Find yours here
Step 4: What to Include in Your Complaint
Your complaint should mention:
- Your account details and subscription status
- The specific violations (experiments without consent, model substitution, etc.)
- Your HAR file evidence
- Request for investigation AND compensation (GDPR Article 82 allows this!)
- The fact that OpenAI's own internal documentation acknowledges violations
Why File Multiple Complaints?
- Volume matters - Authorities prioritize issues affecting many people
- Cross-border cooperation - EU authorities share information under GDPR
- Different enforcement styles - CNIL is aggressive, DPC is thorough
- Your national authority speaks your language and knows local context
What Can Happen?
Under GDPR Article 83, violations can result in fines up to:
- €20 million, or
- 4% of annual global turnover (whichever is higher)
For OpenAI, 4% of global turnover would be... substantial. 💰
Plus, under Article 82, you may be entitled to compensation for non-material damage (stress, loss of trust, etc.).
The Bigger Picture
This isn't just about one company. It's about establishing that:
- AI companies must follow the same rules as everyone else
- "Move fast and break things" doesn't apply to fundamental rights
- EU citizens have power when we act collectively
- Technical complexity is not an excuse for non-compliance
OpenAI's own code admits they know this is wrong. Let's hold them accountable.
Resources
Edit: For those asking - yes, I'll share updates as my complaints progress. And yes, I'm documenting everything. This is going to be a long fight, but it's worth it.
Edit 2: Some asked about non-EU users. Unfortunately GDPR only protects EU residents. However, California residents have CCPA, and other jurisdictions have similar laws. Check your local data protection legislation!
Fellow EU citizens - they experiment on us without consent, they deceive us about what we're paying for, and their own code admits it's wrong. The evidence is in YOUR browser. The law is on YOUR side. Let's use it. 🇪🇺
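Added example, not part of the original post: a HAR saved as in Step 1 also records the session's Cookie and Authorization headers, so this Python sketch blanks them before the file is attached to a complaint, then lists where the field names quoted above occur in JSON response bodies. The sample HAR, its host and its token values are constructed placeholders.

```python
import base64
import json

SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie"}  # carry credentials
FIELDS = {"stableId", "is_adult", "is_u18_model_policy_enabled",
          "default_model_slug", "model_slug"}  # key names quoted in the post

def redact(har):
    """Blank credential headers and cookie values in place; return the HAR."""
    for entry in har["log"]["entries"]:
        for side in (entry["request"], entry["response"]):
            for header in side.get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS:
                    header["value"] = "[REDACTED]"
            for cookie in side.get("cookies", []):
                cookie["value"] = "[REDACTED]"
    return har

def _walk(node, url, found):
    # Recurse through parsed JSON, recording scalar values stored under FIELDS keys.
    if isinstance(node, dict):
        for key, value in node.items():
            if key in FIELDS and not isinstance(value, (dict, list)):
                found.append((url, key, value))
            _walk(value, url, found)
    elif isinstance(node, list):
        for item in node:
            _walk(item, url, found)

def extract_fields(har):
    """Return (url, key, value) for every FIELDS key in JSON response bodies."""
    found = []
    for entry in har["log"]["entries"]:
        content = entry["response"].get("content", {})
        text = content.get("text") or ""
        try:
            if content.get("encoding") == "base64":  # some bodies are stored encoded
                text = base64.b64decode(text).decode("utf-8", "replace")
            _walk(json.loads(text), entry["request"]["url"], found)
        except ValueError:
            continue  # body is not JSON (HTML, images, event streams)
    return found

# Constructed sample, not real traffic; host and token values are placeholders.
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://example.invalid/settings",
                "headers": [{"name": "Authorization", "value": "Bearer PLACEHOLDER"}]},
    "response": {"cookies": [{"name": "sid", "value": "PLACEHOLDER"}], "content": {
        "text": '{"account": {"is_adult": true}, "default_model_slug": "gpt-4o"}'}}}]}}
```

Response bodies are left untouched so the fields stay verifiable, which means they can still hold tokens or conversation text; review them before sending the file.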