Businesses increasingly rely on generative AI tools like ChatGPT that may use cookies to collect personal data. The use of AI tools raises questions about cookies.

Does ChatGPT use cookies?

Are ChatGPT cookies First-party cookies or Third-Party Cookies?

Are there any differences between ChatGPT cookies and traditional website cookies?

If you’re a marketer, developer, or website owner, understanding cookie practices is essential for avoiding compliance risks.

In this guide, we break down how ChatGPT uses cookies, what data they collect, and what legal considerations there are for ChatGPT cookies and the GDPR/ eprivacy directive.

What Are ChatGPT Cookies?

ChatGPT cookies are small text files stored on a user’s browser when they interact with ChatGPT or embed it into a website. They help the service remember things like your session, preferences, and security context.

ChatGPT cookies are not different from cookies used by other websites or any SaaS platform.

The difference is how and when ChatGPT is used.

• First-party ChatGPT cookies
  When ChatGPT is used on OpenAI’s own site, these cookies are called first-party ChatGPT cookies. They support login, sessions, and security features.
• Third-party ChatGPT cookies
  When ChatGPT is used via API or embedded tools, these cookies are called Third-Party Cookies. They originate from a domain different from the one users are currently visiting.

Does ChatGPT Use Cookies?

Yes, ChatGPT uses cookies for authentication, session management, and security. OpenAI provides transparent and publicly available cookie policy for ChatGPT, where it lists all cookies used by ChatGPT.  

Besides cookies, OpenAI also uses other tracking technologies, such as pixels, web beacons, sharing of device IDs and other identifiers via APIs or local storage. For simplicity, OpenAI refers to these trackers as cookies in its Cookie Policy.

Cookies are usually not the main mechanism- ChatGPT relies mostly on tokens. However, browser-based elements still use many different types of cookies.

OpenAI divides cookies into three broad categories:

• Necessary cookies
• Analytics cookies
• Marketing performance cookies.

ChatGPT necessary cookies

ChatGPT necessary cookies are essential for ChatGPT and other OpenAI services to function. They allow OpenAI to authenticate users, manage sessions, or enable specific features.

Necessary cookies are used for:

• User authentication
• Session management
• Service functionality
• Security
• Cookie Consent and region management
• Onboarding and UI features.

Examples of ChatGPT necessary cookies include:

• __Secure-next-auth.session-token
  The cookie keeps users logged in and links the browser session to a user account.
• __Secure-next-auth.callback-url
  The cookie stores the URL and enables proper authentication redirects.
• oai-did
  It is used for device identification and security, supports fraud prevention and abuse monitoring.
• oai-auth-token
  It’s an authentication token, used to verify user identity during requests.
• cf_clearance
  It is used for bot protection and confirms whether the user passed a security check (e.g., CAPTCHA).
• _cfuvid
  It is used for rate limiting, traffic management, and helps apply security rules fairly.

ChatGPT analytics cookies

Analytics cookies help OpenAI understand how people use ChatGPT and related services, such as the number of users and how users interact with OpenAI services. These cookies are not strictly needed for ChatGPT to function, but they are used to improve performance, UX, and features.

Examples of ChatGPT analytics cookies include:

• _ga and _ga_8MYC5SEFJ1 (Google Analytics)
  These are classic analytics cookies used on openai.com and chatgpt.com. They are used to distinguish unique users via a client ID and track sessions across visits. These cookies help ChatGPT to count the number of users,  understand which pages or features are popular, and how users navigate through the site.
• _gid (Google Analytics)
  _gid cookies are used for short-term user tracking.
• __hstc (HubSpot)
  __hstc cookies build a usage timeline per user. They track the first visit, the last visit, and the session count.
• amplitude_id_* (Amplitude Analytics)
  These analytics cookies assign persistent user IDs and track user interactions (e.g. chatbot usage, events).
• ajs_anonymous_id (Segment)
  These cookies are used for cross-tool analytics tracking. They assign an anonymous user ID and sync data across analytics tools.

Note: ChatGPT analytics cookies are not strictly necessary for the service to function; thus, they require user consent under GDPR/eprivacy.

ChatGPT marketing performance cookies

Marketing performance cookies help ChatGPT understand the efficacy of its marketing efforts. These cookies measure the performance of marketing campaigns, analyze the channels that drive traffic or conversions (e.g. LinkedIn, Google, Meta, Reddit, TikTok), and help to improve the promotion of ChatGPT products and services.

ChatGPT itself is not a tracking/ads platform, but it sets cookies to measure its marketing efficiency and essential functionalities.

Examples of ChatGPT marketing performance cookies include:

• _fbp (Meta / Facebook Pixel)
  _fbp cookies are used for Ad targeting and retargeting. They track users across websites and help deliver personalized ads on Facebook and Instagram.
• _gcl_au (Google Ads)
  These ChatGPT marketing cookies are used for conversion tracking. They store ad click information and measure the effectiveness of Google Ads campaigns.
• li_fat_id, lidc, li_gc, bcookie. etc. (LinkedIn cookies)
  These cookies help LinkedIn and OpenAI measure the impact of LinkedIn-based campaigns.
• IDE (Google DoubleClick)
  IDE marketing cookies are used for cross-site advertising. They track user behavior across websites and build advertising profiles.
• test_cookie (Google DoubleClick)
  test_cookie is used for Ad delivery validation. It checks whether the browser supports cookies and ensures ads can be properly served.
• hubspotutk (HubSpot)
  These marketing cookies are used for marketing attribution. They track visitors across sessions and link form submissions and interactions to users.

Note: OpenAI/ChatGPT does not natively set marketing cookies. These appear when you combine ChatGPT with tools like ads, retargeting, or conversion tracking.

ChatGPT marketing performance cookies are not necessary for ChatGPT functionality. They are used for ads, attribution, and retargeting; thus, they always require consent under GDPR/ePrivacy Directive.

If you use ChatGPT for lead generation, support funnels, or conversion tracking, then you should:

• Block marketing cookies before consent.
• Clearly disclose tracking in your Cookie Policy.
• Distinguish AI usage for functional purposes from marketing tracking.

Not sure if your website uses cookies? Scan your website for free and see what cookies and other trackers your website uses:

What Data Do ChatGPT Cookies Collect?

In 2026, the data collected by ChatGPT cookies has increased significantly due to the introduction of the Memory feature and the launch of the ChatGPT Advertising Pilot for Free and Go tier users.

ChatGPT cookies may store:

• Authentication tokens: This data is strictly necessary. Secure identifiers keep users logged in across different tabs and sessions.
• CSRF protection: This is also strictly necessary data, used to prevent malicious websites from making unauthorized requests on your behalf.
• Feature flagging: It’s data that tells the site whether to enable specific 2026 features, like Advanced Voice Mode or Operator.
• Interaction metadata: Timestamps of a prompt, how long did it take to generate a response, and whether you approved the response.
• Error & crash logs: Detailed technical logs about your browser version, OS, and GPU/NPU utilization. This data is used to analyze and prevent the error or crash.
• Traffic sources: Referral URLs and your general geographic location based on your IP address.
• Personal preferences: Data regarding your preferred writing style, tone, and specific restrictions (e.g., "keep responses under 200 words" or “Write in 2-3 sentences”).
• Session state: Remembers whether you turned on or off Temporary Chat and your preferred sidebar organization.
• Contextual continuity: Data that helps to relate user’s current prompt to recent "Memories" stored in their profile.
• Starting from January 2026, Free and Go users now have targeting cookies enabled by default. These cookies collect the following data:
• Conversational context: Even if advertisers never see your chat history, cookies track the General Domain of your session (e.g., “Phone comparison” or "Car rental in Italy") to serve relevant sponsored content.
• Conversion tracking: If you click a sponsored link in a chat, cookies track whether you completed a purchase on the advertiser's site to measure Ad Effectiveness.
• Contact Syncing This is an optional feature. If you opt-in, cookies may cross-reference your device’s contact list to find friends on the platform.

Note: ChatGPT is different from ads platform. It doesn’t collect personal data to build advertising profiles. ChatGPT also doesn’t track users across unrelated websites, like ad networks do.

ChatGPT Cookies and GDPR: Key Legal Considerations

The GDPR in the European Economic Area (EEA) regulates user privacy online and personal data management.

In addition, the EU AI Act (fully applicable by August 2026) sets additional requirements on transparency and risk management.

Even if ChatGPT itself is compliant with the GDPR and the EU AI Act, you are responsible for the implementation of the compliance. You should use ChatGPT and related tracking/advertising tools on your site in a compliant way.

Remember these key legal considerations for ChatGPT cookie compliance with GDPR:

1. Lawful basis for data processing (Article 6)
   OpenAI primarily relies on legitimate interest for its model training on public data and Performance of a Contract to provide the service to users. For marketing and specialized data, OpenAI relies on explicit user consent.
2. You are a data controller
   If you embed ChatGPT, you become a data controller. Thus, you are responsible for disclosure and obtaining user consent. You decide the purpose and extent of data processing and must ensure GDPR compliance.
3. Disclosure
   GDPR requires transparency. Thus, when you use ChatGPT on your site, you must clearly explain which cookies are used, what data is processed, and whether third parties (like OpenAI) are involved in the processing.
4. ChatGPT cookies could collect personal data
   Even if ChatGPT does not intentionally collect personal data, it may still obtain the data. For example, a simple session cookie can collect data that becomes personal data when tied to a logged-in user or linked with prompts or usage history.
5. Data minimization principle
   To comply with the data minimization principle of the GDPR, OpenAI offers a Temporary Chat mode. Conversations in this mode are not used for training and are automatically deleted from OpenAI's servers within 30 days.
6. Transparency & AI labeling
   The EU AI Act requires AI tools to mark AI-generated content to prevent users from being deceived by synthetic content. In 2026, ChatGPT includes machine-readable watermarks and a visible "Generated by AI" disclaimer on every output.
7. Right to be forgotten
   Under GDPR, users have the right to be forgotten and can request to remove their personal data from ChatGPT’s training set and output responses. OpenAI provides a dedicated Privacy Portal where individuals can submit specific URLs or chat logs containing their personal info and request data removal.
8. Right to rectification
   Users also have the right to correct their data. OpenAI satisfies this right via a Correction Tool that allows users to argue and update factual errors about themselves in the model's dataset.
9. Data portability
   Under Article 20 of the GDPR, users can request a full data export, which includes all prompts sent, all data stored about the user, and a list of all custom "GPTs" they have interacted with. OpenAI must provide such data in a JSON or CSV format.
10. Age assurance & minor protection
    GDPR-K (Children's Privacy) and the Online Safety Act require websites and apps to protect minors from malicious online content. To comply with both regulations, ChatGPT uses Biometric Age Estimation for new accounts. Users under 13 are strictly prohibited, and users aged 13–18 have the "Training" and "Sharing" features disabled by default.
11. International data transfers
    Depending on the ChatGPT setup, some data may be processed outside the EU. Thus, you need to comply with GDPR requirements for international data transfers.
12. Data Protection Impact Assessment (DPIA)
    Article 35 of GDPR requires businesses to perform DPIA for high-risk features. This document must be updated and available for audit by the Irish Data Protection Commission (DPC). Some ChatGPT features are considered high-risk data management. To comply with the requirement, OpenAI maintains an active DPIA for high-risk features, such as medical advice or coaching.

Is User Consent Required for ChatGPT Cookies?

strictly necessary cookies, used for login or security, do not require consent. Consent is required for analytics, marketing performance, and tracking ChatGPT cookies when they collect data to track user behavior, perform analytics, or enable personalization beyond basic functionality.

OpenAI states in its Cookie Policy that it uses three broad categories of cookies:

• Necessary cookies
• Analytics cookies
• Marketing performance cookies. 

Under GDPR and the ePrivacy Directive, no consent is required for strictly necessary cookies, when cookies are used to log in and manage sessions, they are required for security reasons, and are strictly necessary to deliver the service.

Consent is required for analytics, marketing performance, and Tracking Cookies. When ChatGPT cookies collect user data to track user behavior, perform analytics, or enable personalization beyond basic functionality, you must obtain user consent.

Do You Need a Cookie Banner for ChatGPT Integrations?

It depends on your setup. If you use only strictly necessary cookies, you don’t need a banner. You need a Cookie Banner for ChatGPT integrations when you use analytics, tracking, or personalization.

Under GDPR and the ePrivacy Directive, consent is not required for strictly necessary cookies. Thus, you don’t need a banner if:

• You use only strictly necessary cookies, and
• You don’t use analytics, tracking, or personalization.

You do need a banner if:

• You track usage of the chatbot.
• You integrate ChatGPT with analytics tools.
• You store identifiable user information.
• You track users to deliver personalized ads.
• You set any non-essential cookies.

For example, if you embed ChatGPT on your site to track conversations for product insights, you need a Cookie Banner.

The easiest and most reliable way to provide a cookie banner and obtain user consent is to use a Consent Management Platform (CMP).

CookieScript CMP could be your best choice to provide a cookie banner, collect user consent, and comply with data privacy laws for ChatGPT integrations.

CookieScript is a Google-certified CMP with the GOLD tier in the Google tiering system. It is also trusted by users. In 2025, CookieScript received the fourth consecutive badge in a row as the leader on G2, a peer review site, and became the best CMP on the market for a whole year!

CookieScript CMP provides the following features:

• Consent logs with timestamps
  It record consent categories, when users agreed and from which region, which helps to demonstrate GCPR compliance.
• Third-party cookie blocking
  Together with automatic cookie blocking, keeps analytics, advertising pixels and similar tools turned off until the relevant consent is given
• Automatic monthly cookie scans and scheduled rescans
  The CookieScript Cookie Scanner picks up new or changed tags introduced by marketing tools or plug-ins, so the cookie inventory does not drift away from reality.
• Google Consent Mode v2 integration
  It allows high-level analytics and modelling while limiting what is sent when consent is refused or narrowed, which supports healthcare data protection while still giving useful reports.
• Global Privacy Control 
  CookieScript honors the GPC signal and allows users to opt out of tracking.
• geo-targeting
  it adjusts banners and consent journeys to the jurisdiction, for example stricter EU flows alongside more tailored US messaging.
• Support for 40+ languages
  Cookies and tracking can be shown in languages patients and caregivers actually understand.

CookieScript also offers affordable pricing. You can get a fully compliant consent management tool for as little as €8 per month per domain for basic features, or €19 per month per domain for full compliance.

How to Block ChatGPT Cookies

There are several ways to block ChatGPT cookies, starting from the hard block by browser settings, using OpenAI platform controls, or using a GPC signal or ChatGPT Temporary chat" (the Incognito alternative).

However, be aware that blocking all cookies will prevent you from logging in, as ChatGPT requires strictly necessary cookies for authentication and security.

1. The hard block by browser settings

This is the most effective way to stop tracking and Third-Party Cookies. Use these steps to specifically target OpenAI's domains (chatgpt.com and openai.com).

Google Chrome:

1. Go to Settings > Privacy and security > Third-Party Cookies.
2. Scroll to Customized behaviors and click Add next to Not allowed to use third-party cookies.
3. Type [*.]chatgpt.com and [*.]openai.com.

Safari (Mac/iOS):

1. Go to Settings > Privacy.
2. Check Prevent Cross-Site Tracking. To block all cookies, select Block all cookies.

Firefox:

1. Go to Settings > Privacy & Security.
2. Under Enhanced Tracking Protection, select Custom.
3. Check Cookies and select All third-party cookies from the dropdown.

2. The Privacy Portal by OpenAI

In 2026, OpenAI introduced a more granular Privacy Portal to control user data collection and sharing. This is the response to new EU and US regulations.

You can manage the Privacy Portal directly on the site:

Cookie Preferences Footer: Scroll to the bottom of the ChatGPT sidebar or homepage and click Cookie Preferences. You can manually toggle off targeting and functional cookies while keeping strictly necessary ones active.

Data Controls Menu:

1. Click your profile icon > Settings > Data Controls.
2. Toggle off Improve the model for everyone to stop your data from being used for training.
3. Toggle off Memory to stop the AI from storing long-term cookie-related data about your preferences.

3. Automated blocking by GPC signals

In 2026, ChatGPT officially honors Global Privacy Control (GPC) signals.

Global privacy control (GPC) is enabled by a browser (e.g. Brave) or an extension (DuckDuckGo privacy essentials) and notifies website owners that users don’t want sell or share their Personal Information. Once activated, GPC sends a "Do Not Sell or Share" signal to all websites at once without manually configuring them for each website.

ChatGPT honors the GPC signal. When ChatGPT detects this signal, it automatically opts you out of its 2026 Advertising Pilot and performance Tracking Cookies. You don’t have to configure anything else.

4. Use Temporary Chat (The Incognito Alternative)

If you want the privacy of a cookieless experience without breaking the site functionality, use Temporary Chat, offered by OpenAI:

1. Open a new chat.
2. Click the Model Picker (top left) or the profile icon.
3. Toggle on Temporary Chat.

It works like the Incognito mode on browsers. No history is saved, no Memory is accessed, and session-specific tracking is deleted when you close the tab.

How to Make Your Website ChatGPT Cookie-Compliant

To make your website ChatGPT cookie-compliant, you must understand what’s being set on your site, classify cookie categories, limit cookie usage to what’s necessary, stay transparent, and use a CMP to block non-essential cookies before consent and keep consent records.

Read this practical checklist to make your website ChatGPT cookie-compliant:

Step 1: Use a Consent Management Platform (CMP)

Use a CMP like CookieScript to:

• Scan the site for cookies.
• Show a compliant banner.
• Block cookies before consent.
• Log user consent.
• Implement Google Consent Mode and IAB TCF v2.2.

Read the CookieScript cookie banner setup guide.  

Step 2: Scan and monitor cookies

Identify cookies triggered by ChatGPT or related scripts.

Use professional scanners like CookieScript Cookie Scanner that scan not only for cookies, but also scan for local storage, session storage, tracking pixels, and other trackers, which are regulated by privacy laws.

Step 3. Classify cookies categories

After you detect cookies, group them into categories:

• Essential (no consent is needed)
• Analytics
• Marketing
• Tracking.

Also group cookies into categories: first-party vs. third-party. Third-party cookies are regulated more strictly; many privacy laws require blocking them by default until consent.

Step 4: Block non-essential cookies before consent

Make sure no cookies fire before consent: delay chatbot loading until consent.

Note: Make sure to detect and block third-party cookies. Disclose the use of third-party cookies in your Cookie Policy and block them by default until user consent.

CookieScript CMP automatically detects and blocks third-party scripts from loading until users give consent.

Step 5. Update your Cookie Policy

Your Cookie Policy must provide general information about cookies: what cookies are used, what information they collect, and how users can manage them.

In addition to other first-party and third-party cookies, be explicit about ChatGPT cookies:

• Mention ChatGPT/OpenAI if you use it.
• Explain the purpose of ChatGPT cookies, what data they collect, and how users can handle them.

Step 6. Keep consent records

GDPR requires businesses to keep detailed consent records with timestamps and categories, which users have agreed.

Keep consent records:

• When consent was given.
• Which categories did the user agree to.
• The actual Cookie Policy when the user gave consent.

Use a CMP that is able to keep detailed consent records for proof of compliance. CookieScript CMP records user consent with timestamps, which can later be downloaded.

Step 7. Respect data minimization and data retention principles

GDPR requires not to collect excessive user data. If you don’t need data, do not collect it.

The data retention principle of GDPR requires deleting data after it fulfilled the function for which it was collected.

Remove user data from your data set when it is no longer needed (when you deliver the service to the user).

In conclusion, ChatGPT cookies aren’t the problem. The possible problem could be unclear cookie implementation. To make your website ChatGPT cookie-compliant, you must audit what’s actually happening on your site, limit usage to what’s necessary, stay transparent, and use a CMP to block non-essential cookies before consent and keep consent records.

Frequently Asked Questions

Does ChatGPT use cookies?

Yes, ChatGPT mostly uses strictly necessary cookies, needed for authentication, session management, and security. OpenAI provides a transparent and publicly available cookie policy for ChatGPT, where it lists all cookies used by ChatGPT. ChatGPT itself is not an advertising platform, but cookies can still be set depending on integration into a website. Use CookieScript Cookie Scanner to scan your site for cookies. 

What Are ChatGPT Cookies?

ChatGPT cookies are small text files stored on a user’s browser when they interact with ChatGPT or embed it into a website. They help the service remember things like your session, preferences, and security context. ChatGPT cookies are no different from cookies used by other websites or SaaS platforms. Use CookieScript Cookie Scanner to know which cookies and other trackers your site uses.

Do you need user consent for ChatGPT cookies?

Strictly necessary cookies, used for login or security, do not require consent. Consent is required for analytics, marketing performance, and tracking ChatGPT cookies, when they collect data to track user behavior, perform analytics, or enable personalization beyond basic functionality. Use a CMP like CookieScript to deliver a cookie banner, obtain and store user consent.

Do I need a cookie banner if I use ChatGPT on my website?

It depends on your setup. If you use only strictly necessary cookies, you don’t need a banner. You need a cookie banner when your ChatGPT implementation includes analytics, tracking, or marketing tools that collect personal data. Use a CMP like CookieScript to deliver a cookie banner, obtain and store user consent.

Can ChatGPT cookies track users across websites?

On their own, ChatGPT cookies do not track users across websites; they are generally limited to functional and security purposes. However, cross-site tracking could occur if you implement additional tools like Google Analytics, Meta Pixel, or LinkedIn cookies alongside ChatGPT. Use CookieScript Cookie Scanner to know which cookies and other trackers your site uses.