The notification email arrived on a Wednesday. "OpenAI has updated its privacy policy." My finger was halfway to the trash icon.
Then I opened it. What I found wasn't routine.
The April 30, 2026 update formalizes ChatGPT as an advertising platform—OMG! For the first time, OpenAI's U.S. policy says in plain language that the company receives purchase data from advertisers, shares user identifiers with marketing partners for
off-platform tracking and uses personal data to promote OpenAI's own products on other people's sites.
WIRED's reporting the next day confirmed the marketing-privacy setting is on by default for free U.S. accounts and off for paid ones. It
is exactly the configuration that produced consent decrees against Sephora and Honda. It is also the moment ChatGPT became a paid-media surface that competes with Google Hotels, Kayak, Skyscanner and the metasearch ecosystem. At this point you might
well be considering hiring a decent lawyer.
The February 2026 update that preceded it was no less consequential, just quieter: contact-syncing that uploads your phone's address book and processes the identifiers of people who have never agreed to anything with OpenAI; algorithmic age estimation
that infers whether you are under 18 from how and when you use the service; explicit retention windows now sitting in the policy text.
Atlas, OpenAI's browser, joined the policy. So did Sora 2 and Saved Memories. The European policy was split out as a separate document because the U.S. advertising architecture could not be lawfully published in Europe without immediate regulatory action.
Oh man, the lawyers must have had fun working on threading this set of needles.
So let’s get into it. If you sell travel, six things matter.
First, channel strategy. Criteo signed as the first ad-tech partner in March. CPMs in the pilot ran from $60 down to $25 between February and April. Anecdotal evidence from Wave—two advertisers are reportedly close to these numbers.
If your customers are using free ChatGPT to research "where to stay in Lisbon for four nights in October," the recommendation set is now shaped in part by who paid. Treat it as a new channel category with its own attribution model—not as an extension
of search and not as something Google will defend you against. Some call it GEO, others pooh-pooh it as fancy SEO. It’s new, it’s evolving and you need to pay attention.
Second, the consumer-versus-deployer split. The privacy policy I just described governs consumers using ChatGPT. It does not govern your hotel chatbot, your IROP rebooking assistant or your itinerary builder. Those run under the OpenAI Business
Terms and Enterprise DPA, where you are the controller and OpenAI is the processor. Conflating the two is the most common compliance mistake I see in early travel deployments.
The Enterprise DPA's data annex—which you have to ask Procurement for; it is not on the website—is where the answer to "what about medical accommodations and religious-dietary preferences?" actually lives. Get it. Read it. If it does not cover the categories
your deployment surfaces, negotiate an amendment, build pre-prompt filtering or scope the deployment more narrowly. Pick one.
Third, the intermediary problem nobody is contracting around. If you take supplier content and run it through AI to normalize descriptions, infer attributes or generate summaries, you may have crossed from sub-processor to joint
controller under the European Court of Justice's Wirtschaftsakademie line. That carries direct liability to data subjects under GDPR Article 26 and joint-and-several liability under Article 82. Layer the Package Travel Directive's strict liability
for misrepresentation on top, and the B2B contract stack most travel-tech firms are operating with simply does not allocate the exposure.
When an AI-generated hotel description contains an error and a downstream consumer complains, who pays? The answer in most current B2B travel-tech contracts is silence. Renegotiate accuracy warranties and AI-output indemnities now, not after the first
complaint.
Fourth, the EU AI Act deadline on August 2, 2026. Travel insurance pricing, creditworthiness checks for installment-pay and fraud-screening with creditworthiness implications are almost certainly Annex III high-risk systems. General
booking and recommendation probably are not. Irregular-operations rebooking and disability-related accessibility decisioning sit in the disputed middle.
The boundary is a debate point worth having with counsel before the deadline rather than after, because the enforcement posture in Europe after August 2 is not going to be forgiving, and the documentation burden for an in-scope system is not trivial.
Fifth, the algorithmic-discrimination question that sits one layer above the AI Act. Colorado's AI Act took effect in February. CPPA's automated-decision-making regulations finalize this year. If your booking engine uses an age signal—whether OpenAI-supplied,
brand-derived or behaviorally inferred—and that signal interacts with pricing, eligibility or accessibility, you are the entity bearing the discrimination liability. Not OpenAI.
Document your testing across protected-category cohorts before deployment, because reactive defense requires contemporaneous evidence, not post-hoc reconstruction.
Sixth, the watch-list. The Irish DPC, the Italian Garante and the French CNIL all have live investigations into OpenAI's training-data legitimate-interest theory. Any one of them can produce a binding precedent.
The U.S. data-broker registration regimes in California, Vermont, Texas and Oregon may yet treat advertiser-supplied purchase data flowing into OpenAI as data-broker activity. The OpenAI IPO, whenever it lands, will force more granular disclosure of these
flows and the risks to both AI models and those using them and their byproducts.
If you are a free-tier user reading this: Settings > Data Controls > Marketing Privacy. Turn it off. What looks very innocuous is in fact the gateway to your data. Here is the before and after view on an iPhone.
If you are responsible for a travel brand's AI strategy: The email you nearly deleted has changed your channel mix, your contract stack, your DPIA register and your AI Act exposure. The cost of ignoring this update is not zero, far from it. It is just
deferred, and it’s going to hit you soon enough.
A note on regulatory status: Two of the regulatory anchors referenced are currently in motion and warrant a brief caveat. The European Commission's Digital Omnibus proposal of November 19, 2025 has proposed adjusting the EU AI Act's high-risk-system timeline by linking it to availability of harmonized standards; the August 2, 2026 date remains operative but is under review by the Parliament and the Council. Separately, the EU-U.S. Data Privacy Framework was upheld by the General Court on September 3, 2025 (Latombe v Commission, T-553/23), but is now on appeal to the Court of Justice (filed October 31, 2025); it remains the operative transfer mechanism pending appeal. Both should be tracked.
About the author...
Timothy O’Neil-Dunne is principal of Seattle-based travel and aviation consultancy T2Impact.