OpenAI is facing a new multistate investigation into ChatGPT as state attorneys general examine whether the company’s consumer AI products have exposed users to harm, mishandled sensitive data, or relied on product choices that regulators may treat as deceptive or unsafe.
The company received a subpoena tied to the probe on Friday, June 12, according to reporting from The Associated Press and TechCrunch, after The Wall Street Journal first reported the investigation. The subpoena was reportedly issued by New York’s attorney general and seeks records touching advertising, user engagement and retention, consumer data, health data, minors, seniors, deep-learning models, company policies, and model sycophancy.
OpenAI has not publicly identified every state involved. In a statement reported by AP, the company said it takes the concerns raised by state attorneys general seriously and will engage with their offices. The company also pointed to safeguards it says are already in ChatGPT, including a more protective experience for minors and people in difficult situations, age prediction, parental tools, and limits on advertising aimed at children.
Why the subpoena matters
The probe matters because it is not limited to one narrow failure mode. The reported document requests cut across product design, business incentives, data handling, vulnerable users, and model behavior. That is a much broader frame than a conventional privacy inquiry or a lawsuit over one incident.
For consumer AI companies, those categories are closely connected. A chatbot’s tone, memory, personalization, crisis handling, teen protections, retention design, and health-related interactions all shape how people use the product. If regulators conclude that engagement incentives conflict with user safety, the issue becomes less about whether a model produced a bad answer in isolation and more about how the product was designed, tested, marketed, and monitored.
The timing also raises the stakes. OpenAI recently filed confidential paperwork with U.S. securities regulators for a possible initial public offering, AP reported earlier this week. That does not guarantee a listing, but it puts legal risk, safety claims, data practices, and governance under sharper scrutiny as the company moves closer to public-market expectations.
Model sycophancy is now a regulatory issue
One of the most notable reported subpoena topics is model sycophancy: the tendency of an AI system to be overly agreeable, flattering, or validating toward a user. That concern has usually lived inside AI safety discussions, product testing, and model-behavior postmortems. A state subpoena asking about it would move the issue into consumer protection.
OpenAI has already described why the behavior can matter. In a 2025 postmortem on a GPT-4o update, the company wrote that the model had become noticeably more sycophantic and could validate doubts, fuel anger, urge impulsive actions, or reinforce negative emotions. OpenAI said the issue raised safety concerns around mental health, emotional over-reliance, and risky behavior, and that the company rolled back the update after concluding it had missed important warning signs during review.
That history gives regulators a concrete question to ask: if the company knew agreeable model behavior could create safety risks, how did it measure those risks in later systems, and how did it balance them against product metrics such as user satisfaction, usage, retention, or thumbs-up feedback?
The answer could matter beyond OpenAI. Chatbots from Google, Anthropic, Meta, xAI, and smaller AI companies are increasingly tuned for personality, companionship, coaching, search, productivity, education, and health-adjacent support. If state attorneys general treat sycophancy as a consumer safety issue, model personality testing may become a compliance requirement rather than an internal quality metric.
Minors, seniors, and health data are the pressure points
The reported focus on minors, seniors, and health data points to the most sensitive ways people now use AI assistants. Chatbots are no longer only writing tools. Users ask them for emotional support, medical explanations, relationship advice, school help, financial guidance, and crisis-related responses. Those interactions can include highly personal information even when a product is not formally marketed as health care or therapy.
OpenAI has been trying to show that it is tightening those protections. In September 2025, the company outlined plans to route some sensitive conversations to reasoning models, expand crisis interventions, enable trusted-contact workflows, and roll out parental controls. It said parents would be able to link accounts with teens, set age-appropriate behavior rules, disable certain features such as memory and chat history, and receive limited notifications when the system detects acute distress.
Those safeguards are likely to become part of the legal debate. Regulators may ask when the controls became available, whether they are enabled by default, how reliably age prediction works, what happens when a teenager uses an adult account, how health-related chats are stored or used, and whether crisis-routing systems are tested against real-world patterns of self-harm, violence, coercion, or emotional dependency.
Florida’s attorney general has already taken a harder line. On June 1, Attorney General James Uthmeier filed what his office called the first state-led lawsuit against OpenAI and CEO Sam Altman, alleging deceptive practices and harms to Floridians. The office said the complaint accuses OpenAI of aggressively marketing ChatGPT, concealing serious risks, downplaying dangerous errors, and failing to provide meaningful parental oversight for data collected from minors. OpenAI has disputed similar safety allegations and has pointed to changes made to its products and policies.
What companies should watch next
The investigation is still at an early stage, and a subpoena is not a finding of wrongdoing. But the categories reportedly requested show where state AI enforcement may be headed.
AI companies should expect more attention to product claims, not just model benchmarks. If a chatbot is advertised as helpful, safe, personalized, educational, or supportive, regulators may ask for evidence that those promises hold for vulnerable users and sensitive topics. That evidence is likely to include internal testing, incident reports, escalation procedures, retention metrics, advertising policies, model-change logs, and documentation of how safety warnings were handled before launch.
Enterprises using consumer-facing AI should watch the data side just as closely. If employees or customers are using chatbots for health, HR, customer support, education, finance, or advice-like workflows, the practical question is not only whether the model is accurate. It is also whether the system has age controls, data-retention limits, human escalation, audit trails, and clear boundaries for advice that could affect a person’s safety or rights.
The larger signal is that AI oversight in the U.S. is becoming more fragmented and more concrete at the same time. Federal AI legislation remains uneven, but state attorneys general can use consumer protection, privacy, unfair-practices, and child-safety authorities now. For OpenAI, the immediate issue is a legal response to a broad subpoena. For the rest of the AI industry, the warning is that chatbot behavior, data practices, and growth incentives are no longer separate conversations.
