Open Letter to OpenAI: Stop Excessive PII Collection for ChatGPT Age Verification
Open Letter to OpenAI: Stop Excessive PII Collection for ChatGPT Age Verification
The Issue
To: OpenID Compliance Team and AI Service Providers
Subject: Concerns Over Excessive PII Collection for Age Verification
We, the undersigned, call on OpenAI and identity providers to respect user privacy and stop unnecessary collection of sensitive personal data for age verification.
The Problem
Every time we hand over personal details—our name, date of birth, even a photo—without clear consent or strict safeguards, we create a ticking time bomb. These details aren’t just harmless data points; they’re keys to our identity. When stored unnecessarily by online services, they become prime targets for hackers, fraudsters, and identity thieves. A single breach can expose millions, leading to financial loss, reputational damage, and years of recovery. Privacy isn’t a luxury—it’s a fundamental right. Age verification should never come at the cost of turning our most sensitive information into a honeypot for cybercrime. History has shown that large-scale data breaches often start with unnecessary data collection—don’t let age checks become the next security disaster.
Our Position
1.) Data Minimisation: Collect only what is strictly necessary. For age verification, a simple “over 18” confirmation or tokenised proof should suffice.
2.) Consent Transparency: Consent must be meaningful, informed, and presented before data collection, with clear retention and destruction policies.
3.) PII Risk Controls: Sensitive identifiers (full name, DoB, photo) require:
- Encryption and blinding measures.
- Defined retention periods and destruction metadata.
- Audit trails for third-party sharing.
Why This Matters
Centralising sensitive data creates a honeypot for hackers and undermines trust. Collecting more than necessary violates global standards such as:
- GDPR (EU) – Data minimisation and proportionality.
- CCPA (California) – Purpose limitation and right to delete.
- ISO/IEC 29100 – Privacy by design and accountability.
- Convention 108+ – Proportionality and transparency.
Ignoring these standards erodes trust and exposes millions to identity theft.
Our Request
We call on OpenID and AI service providers to:
1.) Justify the legal basis for requiring these attributes.
2.) Provide clear retention and destruction policies.
3.) Implement robust security measures to protect PII.
Until these safeguards are in place, we urge providers to adopt privacy-preserving alternatives for age verification.
Call to Action
Sign this letter to demand privacy-first solutions and hold providers accountable.
Sign below to support this initiative and demand responsible data practices. Together, we can ensure age verification does not become a gateway to mass identity risk.
29
The Issue
To: OpenID Compliance Team and AI Service Providers
Subject: Concerns Over Excessive PII Collection for Age Verification
We, the undersigned, call on OpenAI and identity providers to respect user privacy and stop unnecessary collection of sensitive personal data for age verification.
The Problem
Every time we hand over personal details—our name, date of birth, even a photo—without clear consent or strict safeguards, we create a ticking time bomb. These details aren’t just harmless data points; they’re keys to our identity. When stored unnecessarily by online services, they become prime targets for hackers, fraudsters, and identity thieves. A single breach can expose millions, leading to financial loss, reputational damage, and years of recovery. Privacy isn’t a luxury—it’s a fundamental right. Age verification should never come at the cost of turning our most sensitive information into a honeypot for cybercrime. History has shown that large-scale data breaches often start with unnecessary data collection—don’t let age checks become the next security disaster.
Our Position
1.) Data Minimisation: Collect only what is strictly necessary. For age verification, a simple “over 18” confirmation or tokenised proof should suffice.
2.) Consent Transparency: Consent must be meaningful, informed, and presented before data collection, with clear retention and destruction policies.
3.) PII Risk Controls: Sensitive identifiers (full name, DoB, photo) require:
- Encryption and blinding measures.
- Defined retention periods and destruction metadata.
- Audit trails for third-party sharing.
Why This Matters
Centralising sensitive data creates a honeypot for hackers and undermines trust. Collecting more than necessary violates global standards such as:
- GDPR (EU) – Data minimisation and proportionality.
- CCPA (California) – Purpose limitation and right to delete.
- ISO/IEC 29100 – Privacy by design and accountability.
- Convention 108+ – Proportionality and transparency.
Ignoring these standards erodes trust and exposes millions to identity theft.
Our Request
We call on OpenID and AI service providers to:
1.) Justify the legal basis for requiring these attributes.
2.) Provide clear retention and destruction policies.
3.) Implement robust security measures to protect PII.
Until these safeguards are in place, we urge providers to adopt privacy-preserving alternatives for age verification.
Call to Action
Sign this letter to demand privacy-first solutions and hold providers accountable.
Sign below to support this initiative and demand responsible data practices. Together, we can ensure age verification does not become a gateway to mass identity risk.
29
Petition created on 13 November 2025