AI chatbot privacy has a web tracking problem

Reddit · silence-and-magic · May 15, 2026
A study of 20 popular AI chatbots found that 17 sent user data to third parties, with 15 sharing chat URLs or conversation IDs with advertising, analytics, and social media tools. Session replay tools captured readable portions of user prompts and responses. The tracking concern is heightened because AI chatbots use the same infrastructure as traditional web apps but now expose sensitive information such as private health questions and account metadata rather than merely recording clicks and shopping behavior.

Detailed Analysis

A recent academic paper published on arXiv (arxiv.org/abs/2604.27438) reveals a significant and underexamined privacy vulnerability in AI chatbot platforms: the pervasive third-party tracking infrastructure that underlies most modern web applications is being carried wholesale into the AI chatbot era, with consequences far more serious than those posed by traditional website tracking. Researchers tested 20 popular AI chatbots using a deliberately sensitive and personally revealing prompt — "pregnancy test near me" — and found that 17 of the 20 platforms transmitted some form of data to third parties. Fifteen of those chatbots shared chat URLs or conversation IDs with advertising, analytics, or social media tools, and in some cases, session replay software captured readable portions of both the user's prompt and the chatbot's response.

The findings expose a structural problem rooted in how AI chatbots are built and deployed. Because these systems are delivered as web applications, they inherit the full stack of third-party scripts that modern web development has normalized: analytics pixels, attribution trackers, customer support widgets, A/B testing tools, and session replay services from vendors like Hotjar or FullStory. On a retail or media website, these tools capture relatively innocuous behavioral signals — scroll depth, click patterns, page views. On an AI chatbot interface, that same infrastructure is now positioned to intercept something categorically different: the intimate, often vulnerable content of a private conversation. The gap between what users believe they are disclosing (a query to an AI assistant) and what is actually being transmitted (fragments of that query to a network of third-party services) represents a meaningful informed-consent failure.

The choice of test prompt is analytically significant. "Pregnancy test near me" is the kind of query a person is far more likely to type into a chatbot than to speak aloud, precisely because chatbots have cultivated a reputation for private, non-judgmental interaction. It sits at the intersection of health information, location sensitivity, and social stigma — exactly the category of data that privacy regulations like HIPAA, GDPR, and state-level laws such as Washington's My Health My Data Act are designed to protect. The fact that conversation IDs and URLs are being passed to ad networks is particularly consequential: a conversation ID that links to a session containing sensitive health queries can, in the right data environment, be re-identified or matched against other behavioral profiles.

This research arrives at a moment when the AI industry is actively negotiating its relationship with user trust. Companies like Anthropic, OpenAI, and Google have made privacy a centerpiece of their public positioning, emphasizing data minimization, opt-out training controls, and enterprise confidentiality guarantees. However, the paper suggests that the privacy commitments most prominently advertised — typically centered on whether conversation data is used to train models — are addressing only one layer of a multi-layered exposure problem. The tracking layer, which operates at the browser and network level before data ever reaches a model training pipeline, has received comparatively little scrutiny from either regulators or the companies themselves.

Broader trends in AI deployment make this issue likely to intensify. As AI assistants become more deeply embedded in healthcare navigation, legal research, financial planning, and mental health support, the sensitivity of the queries they receive will continue to rise. The web-app delivery model, which has historically been the path of least resistance for reaching users at scale, bundles in tracking dependencies that were never designed with conversational AI in mind. Regulators in the EU, through the AI Act and GDPR enforcement, and in the US through the FTC's ongoing scrutiny of dark patterns and data brokers, will likely find this paper's methodology a useful template for future compliance investigations. Until AI platforms conduct systematic third-party audits of their own tracking footprints — and not merely their model training practices — the privacy guarantees they offer users will remain structurally incomplete.
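The mechanism described above (conversation IDs riding along in page URLs and Referer headers, and session-replay batches carrying readable prompt text) is something a platform can check for itself by capturing its own chat page's network traffic to a HAR file and scanning every third-party request for first-party conversation data. The following is an added example of such an audit, written for this post; it is not code from the paper or from any of the chatbot vendors. The first-party origin chat.example.com, the conversation ID conv_7f3a91, the third-party hostnames and the embedded HAR capture are all constructed placeholders; only the test prompt "pregnancy test near me" comes from the paper.

```python
"""Added example: audit a HAR capture for chat data reaching third-party hosts.

Assumptions (not from the paper): the chatbot is served from chat.example.com,
the conversation ID is conv_7f3a91, and the third-party hostnames below are
constructed placeholders. The HAR layout follows the standard HAR 1.2 format.
"""
import json
from urllib.parse import urlparse, unquote

FIRST_PARTY = "chat.example.com"          # assumed first-party origin
CONVERSATION_ID = "conv_7f3a91"           # constructed sample conversation ID
PROMPT = "pregnancy test near me"         # the paper's test prompt

# Constructed HAR: one first-party API call, an analytics beacon, a session-replay
# event batch and a CDN asset fetch. Only the request side is kept; responses are
# not needed for a leakage audit.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST",
                 "url": f"https://{FIRST_PARTY}/api/conversations/{CONVERSATION_ID}/messages",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"text": json.dumps({"text": PROMPT})}}},
    {"request": {"method": "GET",
                 "url": ("https://analytics.example-tracker.net/collect?tid=UA-1"
                         f"&dl=https%3A%2F%2F{FIRST_PARTY}%2Fc%2F{CONVERSATION_ID}"),
                 "headers": [{"name": "Referer",
                              "value": f"https://{FIRST_PARTY}/c/{CONVERSATION_ID}"}]}},
    {"request": {"method": "POST",
                 "url": "https://replay.example-sessions.io/v1/events",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"text": json.dumps({"events": [
                     {"type": "dom-text", "text": f"You: {PROMPT}"},
                     {"type": "dom-text", "text": "Assistant: Here are pharmacies near you"}]})}}},
    {"request": {"method": "GET",
                 "url": "https://cdn.example-assets.com/app.js",
                 "headers": []}},
]}}


def is_third_party(url, first_party):
    """True unless the host is the first-party origin or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host != first_party and not host.endswith("." + first_party)


def prompt_fragments(prompt, min_words=2):
    """Consecutive word pairs of the prompt, so partially captured text is still flagged."""
    words = prompt.lower().split()
    return {" ".join(words[i:i + min_words]) for i in range(len(words) - min_words + 1)}


def request_surfaces(entry):
    """Yield (surface, text) for each place a request can carry data: URL, headers, body."""
    req = entry["request"]
    yield "url", unquote(req["url"])
    for header in req.get("headers", []):
        yield f"header:{header['name']}", unquote(header["value"])
    body = (req.get("postData") or {}).get("text")
    if body:
        yield "body", unquote(body)


def audit_har(har, first_party, signatures):
    """Return one finding per (host, surface, label) where a third-party request
    carries one of the signature strings. `signatures` maps a label to a set of
    lowercase needles to search for."""
    seen = set()
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        if not is_third_party(url, first_party):
            continue
        host = urlparse(url).hostname
        for surface, text in request_surfaces(entry):
            lowered = text.lower()
            for label, needles in signatures.items():
                key = (host, surface, label)
                if key not in seen and any(n in lowered for n in needles):
                    seen.add(key)
                    findings.append({"host": host, "surface": surface, "leaked": label})
    return findings


SIGNATURES = {
    "conversation_id": {CONVERSATION_ID.lower()},
    "prompt": prompt_fragments(PROMPT),
}

if __name__ == "__main__":
    for f in audit_har(SAMPLE_HAR, FIRST_PARTY, SIGNATURES):
        print(f"{f['host']:32} {f['surface']:16} {f['leaked']}")
```

Run against the constructed capture, the audit reports the analytics beacon twice (the conversation ID appears both in the `dl=` query parameter and in the Referer header) and the session-replay batch once (the prompt text is in the POST body); the first-party API call and the CDN fetch produce no findings. The same three surfaces map directly onto the usual mitigations: a restrictive `Referrer-Policy` and keeping conversation identifiers out of the page URL stop the header and query-string paths, while masking the transcript region from replay scripts (or not loading them on chat views at all) closes the body path.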