As businesses increasingly rely on AI tools like ChatGPT, one question keeps coming up: How does ChatGPT use cookies, and what can this teach us about privacy compliance?
If you’re a marketer, founder, developer, or privacy professional evaluating AI tools, understanding cookie practices is essential. Not only does it help you assess whether a platform aligns with your internal compliance standards, but it also offers a blueprint for building transparency into your own web ecosystem.
In this guide, we break down what cookies are, how ChatGPT uses cookies, and what legal measures OpenAI takes to ensure privacy compliance. Let’s get into it.
What are cookies?
Cookies are small text files stored on a user’s browser when they visit a website or use a web-based application. They perform several key functions:
- Essential operations: logging in or maintaining session state
- Security: preventing fraud or detecting unusual behaviour
- Preferences: saving language, theme, UI choices
- Performance and analytics: understanding how users interact with the platform
Internet cookies are widely used by websites, and many regulators require their responsible use. The privacy concern comes from how cookies are used, especially tracking cookies that share data with third parties without transparent consent.
When evaluating a platform’s cookie usage, the key questions people ask are:
- What data is being collected?
- Is it necessary for the service?
- Is it being shared or used for advertising?
- Do users have meaningful control over their cookie choices?
With ChatGPT, these concerns are common. So here’s what you need to know.
What types of cookies does ChatGPT use? (With real examples)
OpenAI’s cookie policy for ChatGPT is transparent and publicly available. It divides cookies into three broad categories:
- Necessary cookies
- Analytics cookies
- Marketing performance cookies
Let’s break these down in simple terms, using actual cookie names from ChatGPT’s ecosystem and explaining what they do.
Necessary cookies
They are essential for ChatGPT and other OpenAI services to function. If blocked, you generally can’t log in, use key features, or maintain a stable session.
They cover areas like:
- Service functionality
- Security
- User authentication
- Cookie consent and region handling
- Onboarding and UI features
Examples & what they do:
- oai-did: Device identification
- oai-last-model, oai-last-effort-mode and oai-model-sticky-for-new-chats: Remember which model or mode you last used for a consistent experience.
- oai-locale, locale, country and oai-ip-country, oai-ip-city: Store your language or region so the interface can respond appropriately and comply with region-based rules.
- auth_session_minimized, login_session, auth_provider, oai-client-auth-session: User authentication
In short, necessary cookies keep the lights on: they run the application, enforce security, and remember your basic settings and consent choices.
Analytics cookies
Analytics cookies help OpenAI understand how people use ChatGPT and related services, so they can improve performance, UX, and features. These are not strictly needed to show you a response, but they’re useful for product improvement and capacity planning.
Key sources & examples:
- Google Analytics (_ga and _ga_8MYC5SEFJ1): These are classic analytics cookies used on openai.com and chatgpt.com. They help measure things like:
- How many users visit a page
- Which pages or features are popular
- How users navigate through the site
- How many users visit a page
- Swoogo analytics (devday.openai.com): Cookies like _pk_id, _pk_ses, _pk_ref, _pk_hsr, and _pk_cvar are used for analytics specifically around OpenAI events, again focused on usage and engagement patterns.
Analytics cookies are typically non-essential, so in GDPR regions they’re only set after the user consents.
Marketing performance cookies
OpenAI lists a range of third-party marketing measurement cookies set on chatgpt.com and openai.com from well-known ad and social platforms.
These cookies help OpenAI:
- Measure how well their marketing campaigns perform
- Understand which channels (e.g. LinkedIn, Google, Meta, Reddit, TikTok, Bing) drive traffic or conversions
- Improve how they promote their products and services
They’re not necessary for the core ChatGPT functionality, but they are important for OpenAI’s growth and go-to-market strategy.
Examples & what they represent:
- LinkedIn cookies: Cookies like li_fat_id, lidc, li_gc, bcookie. etc, help LinkedIn and OpenAI measure the impact of LinkedIn-based campaigns.
- Google marketing cookies: _gcl_au, _gcl_aw, ANID, and NID are examples of marketing cookies used in connection with Google Ads and related tracking to understand how Google-powered campaigns perform and attribute conversions.
Similarly, ChatGPT uses cookies from Meta, Reddit, TikTok and Microsoft.
In practical terms, this means:
- If a user comes to ChatGPT or OpenAI pages from a marketing campaign (e.g. LinkedIn or Google Ads), these cookies help OpenAI understand whether that campaign was effective.
- In GDPR-style jurisdictions, these cookies must typically be opt-in, not on by default, because they fall under marketing/tracking.
How does ChatGPT ensure cookie compliance?
OpenAI implements several technical and legal safeguards to ensure that cookie usage aligns with global privacy laws such as the GDPR, CCPA, ePrivacy Directive, and other regional frameworks.
Transparency
ChatGPT’s cookie usage is publicly documented in its cookie policy. It also offers a cookie banner for users to exercise their cookie choices.
For the US audience, the privacy policy states that they do not share or sell personal information for targeted advertising and also describes how user rights can be enforced.
Consent banner for regulated regions
ChatGPT collects consent for non-essential cookies using a cookie banner. It offers clear Accept and Reject options, as well as granular controls for individual cookie categories.
User rights compliance
The platform allows users to revisit their cookie choices through the “Cookie preferences” link at the bottom.
ChatGPT also complies with global privacy rights, including the right to access, deletion, rectification and opt out (where applicable).
What if my website or business uses ChatGPT or OpenAI services?
Here are a few things you should know when using ChatGPT for your business:
Using the OpenAI API (Backend Use Only)
If your business uses ChatGPT through the OpenAI API, for example, to power internal tools, content generation, or customer support features, OpenAI does not place ChatGPT cookies on your users’ browsers.
This is because API usage is server-to-server, and users do not directly interact with OpenAI’s websites.
What this means for you:
- You are responsible only for cookies and trackers set on your own website or app
- OpenAI’s website cookies do not need to be listed in your cookie policy
- You should still disclose AI data processing in your privacy policy, where applicable
- Review OpenAI’s Business Terms and Data Processing Addendum to understand data handling practices
Redirecting users to ChatGPT or OpenAI websites
If your website redirects users to chatgpt.com or another OpenAI-owned domain, OpenAI controls the cookies set during that interaction.
In this case:
- Cookie consent and cookie disclosures are handled by OpenAI
- You are generally not required to list OpenAI’s cookies in your own cookie policy
- Inform users in your privacy policy that they may be redirected to third-party services subject to separate terms and privacy policies
- You may notify users before redirect that they are leaving your site
Using third-party AI chat widgets powered by OpenAI
If you use a third-party chatbot or widget that relies on OpenAI but runs on your website, any cookies set by that tool (analytics, marketing, or functional) could become your compliance responsibility. Client-side widgets that load scripts directly in users’ browsers may set cookies, make API calls from the user’s device, or track user behaviour.
This means you should:
- Identify and classify cookies set by the widget
- Obtain consent for non-essential cookies or provide opt-out options based on applicable laws
- Disclose them clearly in your cookie policy
Want to manage cookies on your own website?
If you are still trying to figure out cookie consent for your website, a reliable, compliant, automated solution is all you need.
CookieYes helps you:
- Automatically scan your website to identify and categorise cookies
- Generate a compliant cookie banner
- Block cookies until consent is given
- Maintain a cookie policy and privacy policy
- Meet GDPR, CCPA, LGPD, and global requirements effortlessly
Millions of businesses use CookieYes to make cookie compliance stress-free.
Now it is your turn! Take the first step toward transparent, compliant cookie practices with CookieYes.
Respect consent signals easily
Sign up to CookieYes for a user-friendly consent management experience
Try for free14-day free trialCancel anytime
FAQ on ChatGPT cookies
Consent requirements depend on applicable privacy laws. Under regulations like the GDPR, non-essential cookies require prior user consent, while strictly necessary cookies can be used without explicit consent.
For users, cookies impact privacy and experience. For businesses and developers, understanding ChatGPT cookies is important for privacy compliance, trust, and lawful data handling, especially when embedding or integrating AI tools into websites or apps.
Safna is the resident data privacy writer at CookieYes, where she breaks down privacy laws into actionable insights for businesses. The rest of her time is a mix of music, movies, and hot chocolate.
