State attorneys general are reportedly probing OpenAI as part of a broader effort to understand how major AI providers operate across consumer-facing products and regulated, higher-stakes domains. According to the reporting, the inquiry is still in its early stages and it isn’t yet clear which specific states are involved. What is clear, however, is the breadth of the questions being raised—ranging from how OpenAI’s advertising-related practices work to how the company handles health-related data.
For OpenAI, the investigation lands at a moment when regulators are shifting from asking whether AI systems can be used responsibly to demanding proof that companies have built responsible systems into their day-to-day operations. The focus is no longer limited to model behavior in a vacuum. Instead, it extends to the surrounding ecosystem: what gets collected, how it’s used, what gets shown to users, and how companies explain those choices when something goes wrong.
And for consumers, the implications are straightforward even if the legal mechanics are complex. If state attorneys general are asking detailed questions about ad policies and health data handling, it suggests they’re trying to determine whether AI companies are meeting existing consumer protection and privacy expectations—especially when AI is embedded in services people rely on for information, decisions, and sometimes medical-adjacent guidance.
A probe that spans two worlds: marketing and medicine
One of the most striking aspects of the reported inquiry is the pairing of topics that, on the surface, seem unrelated: advertising policies and health-related data. That combination is not accidental. It reflects a regulatory reality that has been emerging for years: the same underlying data pipelines and decision systems that power personalization and content generation can also influence what people see, what people believe, and what people do.
Advertising is often treated as a “lower stakes” area compared with healthcare, but regulators increasingly view it as a high-impact domain because it shapes consumer behavior. In the AI era, ads aren’t just static messages. They can be targeted, optimized, and dynamically generated or selected based on user interactions. Even when an ad is not directly produced by a model, the systems around it—recommendation engines, ranking logic, and measurement tools—can be influenced by AI-driven analytics.
Health-related data, meanwhile, sits at the center of privacy and consumer protection concerns. Whether the data is explicitly medical or indirectly health-adjacent, regulators worry about how it’s collected, stored, shared, and used. They also worry about downstream effects: if sensitive information is mishandled, the harm can be long-lasting and difficult to reverse.
By asking about both areas, the investigation appears designed to map the full chain of responsibility. Not just “what does the model output,” but “what inputs were used, what policies governed them, and what safeguards were in place.”
Why state attorneys general are stepping in now
State attorneys general have historically played a major role in enforcing consumer protection laws, especially when federal oversight is slower or when issues touch multiple jurisdictions. In recent years, they’ve also become more active in technology investigations, particularly where there are plausible claims of misleading practices, unfairness, or privacy violations.
AI adds a new layer to that enforcement landscape. Traditional consumer protection cases often revolve around clear statements—what a company promised, what a user was told, and what happened next. With AI systems, the “promise” can be implicit. A product may not claim to provide medical advice, for example, but it might generate responses that users interpret as medically relevant. Similarly, an AI-enabled advertising system might not explicitly say it uses certain data for targeting, but the targeting itself can reveal that it does.
The reported inquiry suggests attorneys general want to understand whether OpenAI’s practices align with what users reasonably expect and what the law requires. That includes whether disclosures are adequate, whether consent mechanisms are meaningful, and whether internal policies match external behavior.
Ad policies: the question behind the questions
When regulators ask about ad policies, they’re rarely only interested in whether a company runs advertisements. They want to know how ads are selected, how targeting works, what data is used, and how the company prevents deceptive or harmful content from being promoted.
In an AI context, ad policy scrutiny can also extend to the boundary between organic content and sponsored content. Users may not always distinguish between recommendations, promotional material, and AI-generated text that resembles editorial content. If an AI system can produce persuasive language, regulators may worry that it could blur lines in ways that mislead consumers.
Another concern is whether AI systems amplify certain categories of content. Even if the ad itself is technically compliant, the system that decides who sees it—and when—can create disparate impacts. Regulators may look for evidence that companies have tested for bias, ensured appropriate controls, and maintained audit trails.
There’s also the question of transparency. Consumers generally expect that ads are labeled and that targeting is explained in plain language. But AI-driven personalization can make it harder to provide simple explanations. If a company can’t clearly describe why a user saw a particular ad, regulators may treat that as a compliance gap.
In the reported investigation, attorneys general are reportedly asking about OpenAI’s ad policies broadly. That likely includes internal governance: who approves ad-related changes, what rules govern targeting and content, how enforcement works when violations occur, and how the company measures whether its policies are effective.
Health-related data: privacy, consent, and the risk of “medical meaning”
Health-related data is one of the most sensitive categories of personal information. Even when a user doesn’t intend to share medical details, AI systems can invite disclosure. People ask questions about symptoms, medications, diagnoses, and treatment options. They may also share personal context—age, conditions, family history, lifestyle factors—that can be used to infer health status.
Regulators worry about two broad issues: privacy and misuse. Privacy concerns include whether health-related information is collected unnecessarily, retained too long, or shared with third parties without proper safeguards. Misuse concerns include whether the information is used in ways that go beyond what users would reasonably expect, or whether it’s used to train models without adequate notice and consent.
Another layer is the “interpretation problem.” Even if a company says it doesn’t provide medical advice, users may treat outputs as clinically meaningful. Regulators may therefore examine whether the company has implemented guardrails that reduce the risk of harmful guidance, and whether those guardrails are consistent and effective.
The reported inquiry specifically mentions health-related data handling. That suggests attorneys general may be looking at the company’s data lifecycle: how health-related inputs are detected or categorized, how they’re protected, and what happens to them after processing. They may also examine whether the company has separate policies for sensitive categories, whether it limits retention, and whether it restricts access internally.
If the investigation is broad, it could also include questions about whether OpenAI’s systems can inadvertently store or expose sensitive information through logs, analytics, or debugging processes. Many privacy failures in tech don’t come from a single dramatic breach; they come from routine operational practices that weren’t designed with sensitivity in mind.
A unique take on what this means: regulators are mapping “responsibility surfaces”
It’s tempting to think of AI regulation as a debate about model accuracy or safety. But the reported scope—ads and health data—points to something more structural. Regulators appear to be mapping what you might call “responsibility surfaces”: the places where a company’s choices become visible to users and where harm can occur.
In advertising, the responsibility surface is the user’s experience of persuasion and relevance. In health data, it’s the user’s expectation of privacy and the potential consequences of mishandling sensitive information.
Both surfaces depend on similar building blocks: data collection, data processing, policy enforcement, and transparency. That’s why the investigation can cover both domains without feeling scattered. It’s a way of testing whether the company’s governance is coherent across different types of risk.
If a company has strong privacy controls for health data but weak controls for ad targeting, regulators may see that as inconsistent governance. If a company has robust ad labeling but unclear data practices, regulators may see that as a consumer protection issue. The inquiry likely aims to determine whether the company’s internal systems are designed to prevent problems rather than merely respond to them after the fact.
What attorneys general can demand in practice
While the details of the requests aren’t fully known, investigations by state attorneys general typically involve document requests, interrogatories, and sworn statements. They may seek internal policies, training materials, compliance documentation, and records of how systems behave in real-world scenarios.
In an AI case, that can mean asking for:
1) Documentation of ad-related policies and how they’re enforced
2) Records of data usage for targeting and measurement
3) Information about how health-related data is handled, including retention and access controls
4) Evidence of safeguards, including how the company detects sensitive content and applies restrictions
5) Details about disclosures to users and how consent is obtained or managed
Even if the investigation doesn’t lead immediately to a lawsuit, the process itself can be revealing. Companies often discover that their internal understanding of “what we do” doesn’t match what regulators consider “what we can prove.” That gap—between operational reality and legal defensibility—is where many enforcement actions begin.
The broader regulatory signal: AI companies are expected to show their work
This investigation also fits into a larger pattern. Regulators are increasingly demanding not just assurances, but evidence. In other words, they want companies to show their work: how policies are implemented, how decisions are logged, and how risks are mitigated.
That expectation is especially important for AI because the technology can be opaque even to the companies deploying it. Models can generate outputs that are difficult to predict. Systems can behave differently depending on context. And data pipelines can evolve over time. Regulators therefore tend to focus on governance: what controls exist, how they’re monitored, and whether the company can demonstrate compliance consistently.
If attorneys general are asking about ad policies and health data handling, it suggests they want to understand whether OpenAI’s governance is robust enough to handle both everyday consumer experiences and sensitive personal