Key developments
OpenAI sued over ChatGPT data sharing
A California federal class action alleges OpenAI used tracking tools on ChatGPT.com, including Meta Pixel and Google Analytics, to send user interactions to Meta and Google without proper consent. The complaint says the data included prompts, personal details and email addresses, and argues users reasonably expect chatbot conversations to remain private. It follows similar tracker-based privacy litigation aimed at AI services.
Why it matters
The case could set a privacy benchmark for how AI chat products collect and share user data.
Sources & driving stories
STORYBOARD18
Storyboard18 coverageCushman & Wakefield breach sparks lawsuit
Cushman & Wakefield confirmed a May 5 cybersecurity incident and described it as limited, but a May 8 proposed class action in federal court in New York says the breach exposed current and former clients' names, Social Security numbers, birth dates and financial information. The complaint alleges attackers used a voice-phishing campaign linked to ShinyHunters and Qilin to get into company systems. The firm says it is notifying affected clients and disputes the claims.
Why it matters
It puts a major real-estate firm into litigation over allegedly exposed high-value personal and financial records.
Sources & driving stories
CRE DAILY
CRE Daily coverageColumbia Bank sued over 119-day breach notice delay
Columbia Bank told customers that hackers accessed applications and records containing names, Social Security numbers, driver's license numbers and financial account numbers for 7,067 people. The bank discovered the intrusion on Dec. 19, cut off the attacker on Dec. 22, but did not begin mailing breach notices until Apr. 17, 119 days later. A Seattle lawsuit alleges negligence, invasion of privacy and violations of Washington's breach-notice law.
Why it matters
The suit tests how much delay is allowed after a bank discovers a breach.
Sources & driving stories
AMERICAN BANKER
American Banker coverageWorth noting
WORTH NOTING
Meta launches Incognito AI Chat
Meta says the feature keeps AI chats off its logs, but the no-record design raises accountability and safety concerns.
WORTH NOTING
Southport victims' records accessed
A hospital trust admitted nearly 50 staff accessed victims' records without authorization and informed patients almost two years later.
WORTH NOTING
Grok exposed addresses in tests
CNET found Grok would quickly reveal multiple past and present addresses and a former phone number, unlike Gemini.
Still unclear
OPEN QUESTION
Will AI chat trackers be treated as consent violations?
The OpenAI case will test whether analytics pixels on chatbot pages can lawfully transmit prompts and identifiers to third parties.
OPEN QUESTION
How much delay is too much after breach discovery?
Columbia Bank's 119-day gap raises the question of where courts draw the line under state notification statutes.