OpenAI Got Sued Over the Same Facebook Pixel Setup Most Marketing Sites Run
Bursor & Fisher filed a class action against OpenAI on May 13, 2026 in the Southern District of California, alleging that ChatGPT.com embedded Meta's Facebook Pixel and Google Analytics, which transmitted users' query topics alongside Facebook IDs and hashed emails in real time. Network captures from April 28 show query strings going to Meta and Google servers alongside cookies like c_user, fr, and _ga. The fix on your own properties is auditing every third-party tag that fires before consent.
The complaint names tags, not theories
The filing from Bursor & Fisher (the same firm behind most of the recent pixel privacy class actions) doesn't argue about intent. It just lists what fired. The network captures pulled from ChatGPT.com on April 28, 2026 show four pieces of tracking code running on the site:
- Meta's Facebook Pixel
- Google Analytics, with the "em" hashed-email identifier active
- A Google Ads conversion endpoint at www.google.com/pagead/1p-conversion/16679965591/
- Google Signals (cross-device identifiers)
Each query was routed alongside the c_user and fr cookies, which are Meta's primary logged-in user identifiers, plus the _ga device ID. So a query like "Super Bowl 2005 Winner," which is the literal example cited by the plaintiff's counsel, traveled to Meta with the user's Facebook ID attached.
I'm not particularly surprised this was running. Most analytics implementations look like this. The specificity of the filing is the part that matters. They have the request URL, the cookie payloads, the timestamps. Statutory damages under California Penal Code §637.2 are $5,000 per violation, and coverage from Yahoo Finance flagged the math as potential liability in the billions once you multiply by the millions of US residents who hit ChatGPT.com in the relevant window.
This is the audit you keep deferring
The forensic technique used against OpenAI works on any site running a tag manager. It is a Chrome DevTools network capture, a filter on the recipient domain, and an annotated screenshot. The complaint reads like a template any paralegal could run against a Shopify checkout, a SaaS pricing page, or a publisher article page.
Most marketing teams I've talked to over the past year have a vague "we audited our pixels in Q3" answer ready. It's almost always wrong by Q1 of the following year because every campaign launch adds another tag and nobody removes the old ones. From what I've seen, a typical container picks up extra tags every quarter and loses none until someone runs a deliberate prune.
The lawsuit doesn't break new doctrine. The novel part is that it skips the "wiretap analogy" debate and goes straight to "here is the request, here is the data, here is the cookie." That format is much easier for plaintiff firms to copy. Cybernews noted the complaint asserts four counts across ECPA, CIPA §631, CIPA §632, and California constitutional privacy. Four counts is a deliberate buffet so the plaintiff can lose two and still walk a defendant into settlement.
The four-line forensic audit to run today
If you do nothing else this week, do this on your highest-traffic sensitive page (login flow, search bar, account dashboard, anywhere users type something they consider private):
- Open Chrome DevTools, Network tab, filter on "facebook.com" and "analytics.google.com." Reload the page and type a query.
- Look at the Form Data payload on every outbound request. If anything in there is a query string, a user ID, or a hashed email, you have the OpenAI problem.
- Cross-reference your consent management platform to confirm those tags should not fire pre-consent. Most CMPs default-allow analytics, which is the loophole the complaint pries open.
- If a tag is firing pre-consent with PII attached, kill it in your tag manager, redeploy, and screenshot the network capture before and after so you have an audit trail.
The whole pass takes about 15 minutes per page. From what I've seen, the teams that run this honestly tend to find at least one tag still transmitting user-typed data without consent on the first page they check. The reason isn't laziness. It's that tag managers accrete, campaign launches keep adding tags, and nobody owns the pruning calendar.
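The same pass can be repeated from a saved capture. This is an added example, not part of the original article or the complaint: it scans a HAR export for requests to the recipient domains named above and flags any that carry the typed query, the "em" parameter, or the c_user, fr or _ga cookies. The function names and the sample capture are constructed for illustration, and it assumes the capture was taken before any consent choice was made.

```python
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Recipient hosts and identifier names come from the article; adjust per site.
TRACKER_HOSTS = ("facebook.com", "analytics.google.com", "www.google.com")
ID_COOKIES = {"c_user", "fr", "_ga"}   # Meta login cookies, GA device ID
ID_PARAMS = {"em"}                     # hashed-email parameter

def is_tracker(host):
    return any(host == t or host.endswith("." + t) for t in TRACKER_HOSTS)

def audit_har(har, typed_query):
    """Return one finding per tracker-bound request carrying typed text or identifiers."""
    needle = typed_query.lower()
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        host = url.hostname or ""
        if not is_tracker(host):
            continue
        # Collect parameters from the URL and from a form-encoded POST body.
        body = (req.get("postData") or {}).get("text", "")
        params = parse_qsl(url.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
        reasons = set()
        for name, value in params:
            # Decode once more: pixels often nest the page URL inside a parameter.
            if needle in unquote_plus(value).lower():
                reasons.add("typed query in " + name)
            if name in ID_PARAMS:
                reasons.add("identifier param " + name)
        for cookie in req.get("cookies", []):
            if cookie["name"] in ID_COOKIES:
                reasons.add("cookie " + cookie["name"])
        if reasons:
            findings.append({"host": host, "reasons": sorted(reasons)})
    return findings

# Constructed sample capture (not from the complaint): hosts, paths and values are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.facebook.com/tr/?ev=PageView&dl=https%3A%2F%2Fshop.example%2Fsearch%3Fq%3Dsuper%2Bbowl",
                 "cookies": [{"name": "c_user", "value": "X"}, {"name": "fr", "value": "X"}]}},
    {"request": {"url": "https://analytics.google.com/g/collect?v=2",
                 "postData": {"text": "en=search&em=CONSTRUCTED_HASH"}}},
    {"request": {"url": "https://shop.example/search?q=super+bowl", "cookies": []}},
]}}

if __name__ == "__main__":
    for f in audit_har(SAMPLE_HAR, "super bowl"):
        print(f["host"], "->", ", ".join(f["reasons"]))
```

Chrome DevTools omits cookie headers from HAR exports unless exporting with sensitive data is enabled in its settings, so enable that for the audit capture and store the resulting file as carefully as any other artifact containing session cookies.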
Why discovery is the real risk
What gets companies to settle isn't the lawsuit itself. It's discovery. Once a class action survives a motion to dismiss, plaintiffs' counsel gets access to internal Slack threads, GTM change history, and any compliance memo where the legal team flagged a tag and engineering didn't pull it. That's the part marketing leaders should chew on.
It's not enough to fix the pixel today if the audit log shows you knew about it last year and shipped the campaign anyway. From what I've seen of these settlements, discovery tends to surface a Slack message somewhere that reads "yeah we'll get to that after Q4 launch," and that message becomes the centerpiece of the plaintiff's motion to certify the class.
It would be smart, for any marketing team running pixels alongside form fields or search inputs, to write a one-paragraph internal memo this week stating the date of the most recent audit, what tags were audited, and what was removed. Even if it never gets used, it shifts the discovery surface from "we never looked" to "we looked, here's the record." Cheap insurance.
ChatGPT is the headline; your pricing page is the actual story
The brand-name defendant in this filing is OpenAI. The reason it's worth writing about for marketers is that almost no part of the complaint depends on ChatGPT being an AI product. Replace "ChatGPT.com" with shopify.com, salesforce.com, your bank's login page, or your own pricing page, and the structure of the claim holds. The complaint is a portable template. Plaintiffs' firms have already noticed. Per coverage at The Deep Dive, a similar filing with a different plaintiff name has already landed in the Northern District of California.
The pressure on this category is stacking. We covered the Amazon Ads UK and EEA consent deadline earlier this month, which is the EU regulatory version of the same vise. And the GA4 AI Assistants channel that shipped a couple of weeks ago is the exact kind of feature that quietly widens what Google Analytics pulls from a session without re-prompting users about consent.
The Slack message I'd send to engineering on Monday
If I were a CMO or a head of growth right now, I'd send a single Slack message tomorrow: "Run the four-line audit on /search, /login, and /pricing this week, attach the before/after network capture, and post the result in #legal-marketing." Not a project. Not a vendor engagement. Twenty minutes of DevTools, screenshotted, written down.
The Bursor filing made the cost of skipping that pass legible. It didn't invent the risk. It just handed plaintiffs' counsel a 50-page printable template, and that template is already on somebody's desk.
Notice Me Senpai Editorial