ChatGPT Memory Upgrade Persists User Data, Raising Privacy and Accuracy Risks
What Happened — OpenAI’s latest “memory” feature now retains user‑provided details across sessions, building a persistent profile that includes explicit instructions, implicit preferences, and prior chat content. Tests show that outdated or irrelevant information can surface in new conversations, and disabling the feature does not guarantee full erasure of stored data.
Why It Matters for Compliance & Audit Readiness
- Persistent AI‑derived profiles constitute personal data under GDPR, CCPA, and similar regimes; organizations must demonstrate lawful basis, purpose limitation, and the ability to delete data on request.
- Inaccurate or stale AI responses can lead to erroneous business decisions, exposing firms to control failures that SOC 2’s CC2 – Confidentiality and CC3 – Privacy criteria are designed to mitigate.
- Verisq’s CookiePLUS capability provides a unified consent‑management and DSAR‑readiness layer, delivering audit‑ready evidence that AI‑derived data is handled in line with privacy obligations.
Who Is Affected — SaaS providers, enterprise AI adopters, and any organization that integrates ChatGPT into customer‑facing or internal workflows.
Recommended Actions
- Conduct a privacy impact assessment (PIA) focused on AI memory retention.
- Map the memory feature to SOC 2 privacy controls (CC3.1, CC3.2) and document data‑deletion procedures.
- Deploy a consent‑management solution that captures user preferences for AI data storage and provides verifiable DSAR responses. Source: ZDNet article
Technical Notes
- Memory stores explicit user inputs, inferred preferences, and full chat histories.
- “Turn off memory” toggles UI visibility but does not purge underlying vectors; data may remain in model embeddings.
- No CVE reported; risk stems from design‑level data persistence and insufficient user‑controlled erasure. Source: OpenAI blog post (2026)