When Anthropic changed its data policy in August 2025, users of its Free, Pro, and Max plans were required to decide whether their conversations could be used to train future AI models. Many chose to opt out. A clause in Anthropic’s updated privacy policy — published on 8 June 2026 and effective 7 July — makes clear that the opt-out has always had a ceiling: conversations that Anthropic’s systems flag for safety review can still be used to train its models, regardless of a user’s stated preference. Anthropic’s policy does not define what triggers a safety flag, nor does it commit to notifying users when one occurs.

How Did Anthropic’s Training Data Policy Change in 2025?

Anthropic built its early reputation in part on a straightforward privacy position: consumer conversations were not used to train its models, and data was deleted within 30 days. That position changed in August 2025, when the company announced updates to its Consumer Terms and Privacy Policy requiring users of its Free, Pro, and Max plans to actively opt out if they did not want their chats and coding sessions used for model training.

Users who opted in faced a significant data retention extension. Under the updated policy, data could be retained for up to five years for training purposes, compared to the previous 30-day standard. Users who opted out retained the 30-day deletion window. Existing users were given until late September 2025 to make their choice; new users were required to select a preference during sign-up.

Enterprise, education, and API accounts were explicitly excluded from the changes. The policy shift applied only to personal consumer accounts — but that category includes small businesses and independent professionals using Pro plans, a fact that drew limited attention at the time.

Why Did Critics Call the Opt-Out UI a Dark Pattern?

The mechanism Anthropic used to obtain consent drew immediate criticism from privacy researchers. The consent interface presented users with a prominent “Accept” button alongside a small toggle for data sharing that was pre-activated by default. Critics described the design as a dark pattern — an interface engineered to guide users toward a particular choice without making that choice explicit.

Independent legal analysis flagged the design as potentially unlawful under the General Data Protection Regulation, noting that pre-selected consent and interface friction placed the burden of refusal on users rather than Anthropic. As of June 2026, no regulatory enforcement action had been taken.

Anthropic was not alone in using this model. OpenAI had implemented a similar opt-out default for ChatGPT from the outset. The difference, as critics noted, was that Anthropic was changing an existing policy for a user base that had been told their data would not be used for training — making the threshold for valid consent higher under GDPR than it would be for a new service.

What Does the June 2026 Privacy Update Actually Say?

The clause that has received little attention sits within Anthropic’s section on model training. The updated policy states that even where a user has opted out, Anthropic retains the right to use inputs and outputs for model improvement when conversations are “flagged for safety review to improve our ability to detect harmful content, enforce our policies, or advance AI safety research,” or when content has been explicitly reported via feedback mechanisms.

In practical terms, this means the opt-out is conditional. A user who has chosen not to contribute to training data may still have conversations included in Anthropic’s training pipeline if Anthropic’s automated systems determine the content warrants safety review. The policy does not define the criteria that trigger a flag. Anthropic’s Privacy Centre does separately document retention periods that apply once a flag is raised: inputs and outputs from flagged conversations are retained for up to two years, and the associated trust and safety classification scores for up to seven years. The policy contains no provision committing Anthropic to notify a user when their conversation has been flagged.

Anthropic’s own user safety documentation confirms that automated detection models flag potentially harmful content based on its Usage Policy, and separately that classifiers scan active conversations for content such as potential suicidal ideation or discussions involving self-harm. What the company has not published is a comprehensive account of what categories of content trigger the safety-flagging that feeds the training carve-out.

What Are the Regulatory Implications in Southeast Asia?

The carve-out raises questions under several APAC data protection frameworks, though its legal status varies by jurisdiction.

In Singapore, the Personal Data Protection Act requires organisations to obtain consent before collecting, using, or disclosing personal data, unless a recognised exception applies. Singapore’s PDPA amendments introduced expanded exceptions to consent to support data-driven innovation, but the PDPC has also issued advisory guidelines encouraging the use of anonymised data wherever possible in AI development. Whether a blanket safety-flagging carve-out — applied without user notification — would satisfy Singapore’s transparency and accountability obligations has not been tested.

Under GDPR, the tension is between consent as a legal basis and legitimate interests. Anthropic’s September 2025 consent mechanism was flagged as problematic because the company was changing an existing policy, requiring active rather than implied consent. A safety-flagging exception applied to opted-out users would need to satisfy a legitimate interests test — and the absence of user notification would complicate that case.

South Korea presents a more concrete data point. Anthropic’s June 2026 privacy policy names a domestic representative in Seoul under South Korea’s Personal Information Protection Act — a structural compliance investment that signals the company is aware of APAC regulatory pressure, even if specific clauses like the training carve-out remain unaddressed by regulators.

What Can Users Actually Do?

Opting out remains worth doing. It limits the primary training data pipeline and reduces retention from five years to 30 days for standard conversations. Users can adjust the setting at any time via Privacy Settings on Claude.ai.

Anthropic also offers an Incognito mode, accessible via a ghost icon in the top-right corner of the interface. Incognito conversations are not used to improve Claude’s models, even if the main training toggle is switched on. It is a meaningful option for one-off sensitive queries, though it does not eliminate the safety-flagging carve-out entirely — Incognito chats flagged for usage policy violations are still subject to the standard two-year retention window.

There are further limits to what opting out achieves. It does not apply retroactively — conversations that were already part of a training run before a user opted out remain included. Users have no mechanism to query whether a specific conversation has been flagged, and Anthropic has not published aggregate data on flagging volumes or categories.

Users with genuine confidentiality requirements — legal professionals, healthcare workers, journalists — should note that enterprise and API accounts operate under separate commercial terms that explicitly exclude training data use. The consumer opt-out, with its carve-outs, is not equivalent to the protections available under an enterprise agreement.