The 20-Million-Chat Subpoena: How the NYT v. OpenAI Discovery Order Rewrote Everyone's Assumptions About Privacy and Deletion

A federal judge ordered the production of roughly 20 million de-identified chat logs from a consumer AI product. That fact alone should change how you think about privacy in any system where a vendor holds your data. The ruling didn't just affect one company's litigation strategy — it exposed a structural problem that every AI user, and every enterprise buyer, now inherits. Delete buttons are UI elements. Court orders are something else entirely.

Key Takeaways

What Actually Happened in the NYT v. OpenAI Discovery Fight?

The sequence matters, so here it is compressed.

In May 2025, US Magistrate Judge Ona T. Wang ordered OpenAI to preserve and segregate all ChatGPT output log data that would otherwise be deleted — including data subject to user deletion requests and privacy laws worldwide — until further court order. That meant the 30-day deletion window, the one users relied on, was suspended by judicial fiat.

The New York Times, as plaintiff in the copyright suit, initially sought a sample of 120 million logs. OpenAI pushed back and proposed a smaller 20-million-log de-identified sample with personally identifiable information removed. That counterproposal became the baseline.

Then, on January 5, 2026, US District Judge Sidney Stein affirmed the magistrate's order, rejecting OpenAI's attempt to produce only conversations it had pre-selected as relevant. The judge said flatly: no case law requires ordering the least burdensome discovery possible. He also found the legal ownership of the logs uncontested — users voluntarily submitted their communications, so ChatGPT's operator held them.

The court noted the total universe of retained consumer output logs was in the tens of billions. Twenty million was a rounding error, proportionally. That framing made the order feel modest to the court and enormous to everyone else.

Why Did the Court Override a Deletion Policy?

Because a deletion policy is not architecture. It's a business decision, revocable by the same entity that made it — and overridable by any court with jurisdiction.

The preservation order suspended deletion under user preferences and under privacy laws worldwide. Read that again. Not just US privacy law. The court's order, at least temporarily, superseded GDPR-style deletion rights, CCPA requests, everything. The judge treated the logs as litigation-relevant evidence, and evidence preservation trumps privacy policy in US federal courts.

The order was later narrowed and eventually terminated as a blanket mandate. But that termination was specific to this case. It doesn't block other courts from issuing different mandates in future proceedings. The structural vulnerability — that any court can compel retention of data a vendor promised to delete — remains fully intact.

What About Enterprise Tiers?

Notably, when the case went before the Magistrate Judge on May 27, the court clarified that ChatGPT Enterprise was excluded from the preservation order. The reason wasn't the enterprise contract language. It was the technical design — enterprise tiers with true data isolation and different retention architectures simply didn't hold the same kind of logs in the same way.

This is the point. The enterprise carve-out wasn't a policy exemption. It was a technical one. The architecture made preservation moot because the data wasn't there to preserve.

How Is This Precedent Spreading to Unrelated Cases?

Faster than anyone expected.

In a New York civil lending dispute — Assini v. Hayward — a Nassau County Supreme Court judge quashed a subpoena seeking a defendant's full ChatGPT history, ruling that AI interactions qualified as protected work product. It was one of the first state-level rulings applying work-product doctrine to generative AI. The plaintiffs had pointed to U.S. v. Heppner, a federal criminal case that established a different discovery framework for AI-generated content, but the judge distinguished that criminal precedent from the civil context.

The distinction matters less than the fact that it was argued at all. Lawyers are now routinely citing AI-chat discovery rulings — from the NYT case, from Heppner, from Warner — in disputes that have nothing to do with copyright or Big Tech. Your ChatGPT history is no longer a curiosity in litigation. It's a discoverable asset, and the only open question is which privilege framework — if any — applies to it.

Does "AI Privilege" Exist Yet?

No. Not as a formal legal doctrine.

Legal analysts now discuss Heppner and Warner as parallel, competing frameworks on AI privilege. A Freshfields analysis from February 2026 notes that courts have taken different views depending on whether users had a reasonable expectation that their AI use would remain private. In one federal case, a judge found that certain attorney-generated chatbot conversations constituted protected opinion work product — but only because the user believed prompts would remain private under the platform's user agreement.

That belief is getting harder to sustain. A legal review out of New Zealand — reflecting a broader global trend — concludes that chat logs with generative AI tools are generally not subject to legal advice privilege. The AI isn't your lawyer. It's not your doctor. Current law doesn't extend professional confidentiality to it.

Sam Altman has called for an "AI privilege" framework akin to attorney-client or doctor-patient privilege. It's an interesting proposal. It is not the law.

What Did the Sanctions Fight Reveal About Internal Data Practices?

Quite a lot. And none of it was flattering.

In July 2026, TechCrunch reported that deposition testimony had allegedly revealed OpenAI had already built an internal database of approximately 78 million de-identified ChatGPT conversations before the NYT suit was even filed. The company had also reportedly developed a "Bloom filter" tool under a project internally called "Project Giraffe" — designed to detect regurgitation in outputs.

The New York Times and the Daily News are now asking the judge to sanction OpenAI for allegedly withholding this evidence, including a request to bar OpenAI from using the 20-million-log sample as evidence in its own defense.

Set aside the litigation tactics for a moment. The structural revelation is what matters here: a company that told users data was deleted after 30 days had, according to these allegations, already assembled a database of 78 million conversations for internal research purposes. The "delete" button and the internal data pipeline were operating under different assumptions.

Why Does De-Identification at This Scale Not Solve the Privacy Problem?

Because de-identification is a spectrum, not a binary.

Courts are treating de-identification — stripping names, emails, phone numbers — as adequate privacy protection for compelled disclosure. The January 2026 ruling accepted de-identification with PII removal as the standard for the 20-million-log production. On paper, that sounds reasonable.

In practice, security researchers and journalists have demonstrated repeatedly that anonymized logs can be re-identified from contextual details. If you told an AI about your custody dispute in Portland involving your ex who works at a specific hospital, stripping your name doesn't make you anonymous. The specifics of your life are the identifier.

At 20 million logs — let alone tens of billions — "anonymize and produce" is becoming the industry's default legal safe harbor. Courts find it proportional. Vendors find it compliant. And the actual privacy guarantee is leaky at best.

The only durable answer is non-collection. You can't be compelled to produce data you never held.

What Should Enterprise Buyers Be Asking Their AI Vendors Now?

The question has changed. It used to be: "Do you delete my data?" Now it should be: "What happens to my data the day you get sued by someone else?"

The NYT case demonstrated that a single plaintiff in a single copyright suit can trigger a preservation order covering all consumer logs — globally. Your enterprise's data might sit on the same infrastructure. Unless the vendor's architecture physically separates your data (and can prove it to a court), your logs are in the blast radius of someone else's lawsuit.

Major law firms are already advising enterprise clients to audit their AI vendor relationships with exactly this scenario in mind. The checklist isn't about privacy policies anymore. It's about architecture:

If your vendor can't answer these questions with architectural specifics — if the answers are policy documents rather than system design — you have a problem that hasn't surfaced yet. It will surface the next time someone sues your vendor.

How Does the 42-State Attorney General Subpoena Compound This?

On June 12, 2026 — four days after a confidential IPO filing — a coalition of 42 state attorneys general served OpenAI with a subpoena demanding records on advertising, user engagement and retention, consumer and health data handling, treatment of minors, and model behavior including sycophancy.

This is a different legal mechanism — regulatory investigation rather than civil discovery — but it compounds the same structural problem. The data that exists can be demanded. The data that was promised-deleted-but-wasn't can become the centerpiece of a sanctions motion. And the data that was genuinely never collected can't be produced, which is the only posture that's unambiguously safe.

For enterprise buyers, the compounding effect is the risk. Your vendor is simultaneously subject to private litigation discovery, regulatory subpoenas from dozens of state AGs, and whatever comes next. Every one of those proceedings can generate its own preservation order. Your data is in there unless the architecture prevents it.

What Does "Delete Means Gone" Actually Require, Architecturally?

It requires that deletion be a physical operation, not a policy promise. And it requires that the data not exist in a form that a court can order preserved.

There are a few approaches that actually hold up:

Each of these has trade-offs. Ephemeral compute means no persistent memory across sessions. Client-side encryption adds latency and complexity. Non-collection limits what the system can do on the server side. There is no free lunch here — only honest trade-offs between capability and exposure.

How We Think About This at Selina

We build an AI assistant with memory. Memory is useful — that's why people want it. But memory is also data, and data is subpoenable.

So here's what we do, and what we don't do, stated plainly.

Selina's memory is encrypted at rest. It is NOT end-to-end encrypted — a slice of each request reaches a frontier provider at inference, because that's how inference works. We route requests across a stack of frontier models, selected per task, and that routing means memory content transits to a provider in order to generate a response. We don't pretend otherwise.

Files and transfers via SelinaSEND are different. Those are zero-knowledge, end-to-end encrypted. We can't read them. By design.

Non-content operational metadata — the kind of telemetry any system generates — is kept for a short retention window. Not zero. A short window. We don't claim zero retention because that would be false.

When you delete something in Selina, delete means gone. Actually gone. Not flagged, not soft-deleted, not retained in a parallel research database. We don't maintain an internal corpus of 78 million conversations for regurgitation analysis. We don't have a "Project Giraffe." The architecture is designed so that deleted data is destroyed, not reclassified.

Is this a perfect system? No. Memory is not zero-knowledge encrypted — we just said that. The account is protected, not encrypted end-to-end. We make honest trade-offs: persistent, useful memory in exchange for the reality that inference requires data to transit to a provider. But the data we don't hold can't be subpoenaed from us. That's the architectural guarantee, and it's the only kind that survives a court order.

What's the Actual Lesson of the 20-Million-Chat Subpoena?

The lesson is simple, and it's structural, not legal.

A privacy policy is a promise. A court order overrides promises. The only thing that survives both is architecture — systems designed so the data doesn't exist in a producible form.

The NYT v. OpenAI discovery fight didn't create this principle. It just made it visible at a scale — 20 million conversations, tens of billions in the total universe — that's impossible to ignore. And the precedent is already propagating into ordinary civil disputes, privilege arguments, and regulatory investigations that have nothing to do with the New York Times.

If you use an AI system that retains your data, you are one lawsuit away from that data being compelled into a courtroom. Not your lawsuit. Someone else's. The preservation order doesn't need your name on it.

The question isn't whether your vendor has a good privacy policy. The question is whether their architecture makes the policy moot — because the data isn't there to produce.

That's the question worth asking. Everything else is a terms-of-service page you'll never read until it's too late.

If the architecture matters to you: start a free 7-day trial — no card required.

Frequently Asked Questions

What did the January 2026 ruling in NYT v. OpenAI actually require?

US District Judge Sidney Stein affirmed an order compelling OpenAI to produce roughly 20 million de-identified ChatGPT logs, overriding the platform's standard 30-day deletion policy. The court also rejected OpenAI's proposal to hand over only pre-selected, relevant conversations.

Why was the deletion policy overridden by the court?

Because a deletion policy is a business decision, not a technical architecture, and evidence preservation trumps privacy policy in US federal courts. The preservation order suspended deletion under both user preferences and privacy laws worldwide, at least temporarily.

Why was ChatGPT Enterprise excluded from the preservation order?

The exclusion wasn't due to contract terms but to technical design: enterprise tiers use true data isolation and different retention architectures, so they simply didn't hold the same kind of logs that could be preserved.

Does legal privilege currently protect AI chat conversations?

No, there is no formal 'AI privilege' doctrine yet. Courts have reached different conclusions depending on context—one civil case found work-product protection, a legal review found AI chats generally aren't covered by legal advice privilege—and Sam Altman's call for an attorney-client-like AI privilege remains a proposal, not law.

Why doesn't de-identifying chat logs fully solve the privacy problem?

De-identification only strips obvious identifiers like names and emails, but security researchers have shown anonymized logs can be re-identified from contextual details in the conversation itself. Courts still treat this de-identification as adequate for compelled disclosure, even at scales of 20 million or more logs, making non-collection the only durable protection.

Sources & References

Michael C.

Michael C.

Founder & Principal Engineer, Selina Labs

Michael builds Selina, a privacy-first AI that remembers you across conversations. He ships security-sensitive AI in production — real attacks, real fixes, measured in minutes and dollars — and writes about privacy, security, and LLMs from that seat. Top Rated Plus and expert-verified on Upwork.