Which ChatGPT Plan Does My Business Need? (w/Examples) + FAQs

The right ChatGPT plan for your business depends on your headcount, the sensitivity of the data you handle, and the legal obligations your industry carries. Most U.S. businesses land on ChatGPT Business or ChatGPT Enterprise, because both turn off training on your inputs by default and come with a signed Data Processing Addendum under the GDPR and the CCPA. Solo operators and two-person shops often do fine on ChatGPT Plus, while regulated industries like healthcare or finance usually need Enterprise to secure a Business Associate Agreement or a SOC 2 Type II report.

Picking the wrong tier is not a harmless mistake. Using a consumer plan on regulated data can trigger a HIPAA breach notification, an FTC Section 5 unfair-practice claim, or an SEC Regulation S-P enforcement action. The wrong plan also wastes money: a 2025 McKinsey survey found that 78% of companies now use AI in at least one business function, yet fewer than 1 in 4 track the ROI of their seat licenses.

By the end of this guide you will know exactly which plan fits your business.

  • 🧭 How to map your headcount, budget, and industry to a specific ChatGPT tier
  • ⚖️ Which plans carry the legal protections your regulator expects
  • 💰 How per-seat pricing, annual commits, and hidden costs compare in 2026
  • 🏥 How HIPAA, GDPR, CCPA, and state AI laws like the Colorado AI Act change the math
  • 🧪 Three real-world scenarios and ten FAQs that answer the questions buyers ask most

The Quick Answer by Business Size

Before we unpack the details, here is a decision framework you can act on today. The guidance below assumes you are a U.S. business and that you plan to let employees use ChatGPT on work data, not just for recreation.

Solo founders, freelancers, and micro-teams of one to two people usually belong on ChatGPT Plus or the newer ChatGPT Go tier. Plus costs about $20 per month per user and gives you access to the flagship reasoning models, image generation, voice mode, and a generous usage cap. Plus does not come with a signed DPA or a BAA, so it is not appropriate for protected health information or regulated financial data.

Small businesses with three to 149 employees almost always land on ChatGPT Business. Business runs about $25 per seat per month on an annual plan, or $30 on a monthly plan. It includes an admin console, SAML single sign-on, a default no-training promise on your prompts, and a signed DPA. Business is the sweet spot for marketing agencies, law firms, accounting practices, and e-commerce shops that need security but do not want the complexity of an enterprise contract.

Mid-market and enterprise companies with 150 or more employees usually need ChatGPT Enterprise. Enterprise offers unlimited high-speed access to flagship models, a 128,000-token context window, a signed BAA for HIPAA-covered entities, SOC 2 Type II attestation, and custom data-retention windows. Enterprise is priced by negotiated contract and usually lands between $40 and $60 per seat per month at typical seat counts.

Developers who need to build AI into their own products should look at the OpenAI API rather than a ChatGPT seat. The API is pay-as-you-go, charges by tokens, and carries its own enterprise privacy commitments.

Schools, colleges, and universities should evaluate ChatGPT Edu, which is priced like Enterprise but tuned for higher-education governance and FERPA alignment.

How ChatGPT Plans Compare in 2026

OpenAI publishes its current tier list on the ChatGPT pricing page. The table below distills the features that drive most buying decisions in 2026.

Plan | Best For
ChatGPT Free | Personal experimentation, not business use
ChatGPT Go (~$10/mo) | Budget-conscious solo users in low-risk roles
ChatGPT Plus ($20/mo) | Freelancers, consultants, and one-person shops
ChatGPT Business (~$25/seat/mo) | Small and mid-sized teams that need admin controls and a DPA
ChatGPT Pro ($200/mo) | Individual power users who need unlimited o-series reasoning
ChatGPT Enterprise (custom) | Regulated industries, 150+ employees, and buyers who need a BAA
ChatGPT Edu (custom) | K-12 and higher education institutions under FERPA
OpenAI API (usage-based) | Developers embedding AI into products or workflows

Data Training and Retention

The single biggest legal difference between the consumer tiers and the business tiers is what happens to your prompts. On Free and Plus, OpenAI may use your conversations to train future models unless you manually turn training off. On Business, Enterprise, Edu, Team, and the API, training on customer data is off by default.

The consequence of confusing these defaults is real. In 2023, Samsung engineers reportedly pasted source code into ChatGPT and the company had to restrict the tool internally. A similar leak at a U.S. company could surface a competitor’s reverse-engineered trade secret in a later public response, which would be hard to claw back.

A real-world example drives this home. Priya, the head of IT at a 400-person fintech, rolled out ChatGPT Plus to her analysts in 2025 without reading the data-use terms. When she later audited her vendor list for SOC 2, her auditor flagged Plus as a non-contracted processor and she had to migrate to Enterprise mid-year to pass the report.

A common misconception is that turning off “Improve the model for everyone” in Plus is the legal equivalent of a signed DPA. It is not. A DPA creates contractual privity between your business and OpenAI, which is what most state privacy laws and the GDPR actually require.

Admin Controls and Single Sign-On

The business tiers include an admin console, SAML single sign-on, SCIM user provisioning, and domain-verified workspaces. Consumer plans do not.

The consequence of skipping SSO is a governance gap. If an employee leaves and you cannot disable their ChatGPT account from your identity provider, any work data they paste into their personal conversation history stays with them. That is a live exfiltration risk.

Devon owns a Shopify store that did $2.1 million in 2025. He let five contractors share a single Plus seat to save money, and when one contractor was terminated, she walked away with six months of customer-service transcripts. Devon had no audit log and no way to revoke access cleanly.

The misconception to watch for is that “small team” means “no governance.” Even a five-person company gains real risk reduction from SSO and a central admin console, and the cost difference between Plus and Business at five seats is about $25 per month.

Context Window and Model Access

Plus, Business, and Enterprise all offer the flagship reasoning models, but the context window and rate limits differ. Enterprise currently advertises a 128,000-token context window, which is roughly 300 pages of text in a single prompt.

The consequence of a shorter context is that long-document workflows break. A litigator who needs to feed a 200-page deposition into the model cannot do it on a standard Plus account without truncation.

Maria runs a 12-lawyer employment-litigation firm in Denver. She moved her team from Plus to Business in January 2026 after one of her associates had to split a summary-judgment brief into three separate prompts, which produced inconsistent citations and nearly sent a hallucinated case into a federal filing.

The misconception is that bigger context always means better answers. It does not — long prompts still need careful structuring, and a skilled user on Plus can outperform an unskilled user on Enterprise.

Three Real-World Buying Scenarios

The scenarios below are the three most common patterns we see when small and mid-sized U.S. businesses shop for ChatGPT in 2026.

Scenario 1 — The 10-Person Marketing Agency

Decision Point | Recommended Path
Headcount and budget | 10 seats of ChatGPT Business at ~$25/seat/mo
Data sensitivity | Client briefs and draft copy (moderate)
Required paperwork | Signed DPA, no BAA needed
Integration | Connect Google Drive and Slack via the Business workspace
Top risk to manage | FTC endorsement rules and client-owned IP

The agency should pair its Business seats with a written AI-use policy that tells copywriters not to paste a client’s unreleased product launch into any outside tool until the account lead approves it. The FTC’s endorsement guides also apply when AI-generated testimonials are published.

Scenario 2 — The 40-Person Medical Billing Company

Decision Point | Recommended Path
Headcount and budget | 40 seats of ChatGPT Enterprise, negotiated annually
Data sensitivity | Protected health information (very high)
Required paperwork | Signed BAA and SOC 2 Type II report
Integration | SSO via Okta, SCIM provisioning, 30-day retention
Top risk to manage | HIPAA breach notification and state AG enforcement

A medical billing company is a HIPAA business associate, which means any AI tool that touches PHI must sign a BAA. ChatGPT Business does not offer a BAA; Enterprise does.

Scenario 3 — The Solo Tax Preparer

Decision Point | Recommended Path
Headcount and budget | 1 seat of ChatGPT Plus at $20/mo
Data sensitivity | Client tax data (high, but handled locally)
Required paperwork | None required if PII stays out of prompts
Integration | None; standalone use
Top risk to manage | IRS Publication 4557 safeguards and state AG rules

A solo tax preparer can stay on Plus as long as she never pastes Social Security numbers, client names, or full 1040s into the chat. The smarter workflow is to anonymize the fact pattern, ask ChatGPT the tax question, then apply the answer to the real return in her tax software.

Three Named Examples You Can Learn From

Maria — Denver employment lawyer, 12-person firm. Moved from Plus to Business after a near-miss with a hallucinated case citation. She now pays about $300 per month and runs paralegal-reviewed prompts under a written AI policy.

Devon — Shopify merchant, $2.1M in annual revenue. Upgraded from a shared Plus seat to five Business seats after he could not cleanly revoke a terminated contractor’s access. He now uses SSO and SCIM to turn off access the day someone leaves.

Priya — fintech IT director, 400 employees. Migrated to Enterprise mid-year to pass SOC 2. Her contract includes a 30-day zero-retention option, SAML SSO, and a negotiated indemnity for IP claims tied to model output.

Mistakes to Avoid When Choosing a Plan

Every paragraph below describes a real mistake we see buyers make, the specific consequence, and how to avoid it.

  1. Using Free or Plus for regulated data. The consequence is that you lose the contractual protections your regulator expects, which can turn a routine audit into a breach report. Move to Business or Enterprise before letting employees type sensitive data.

  2. Skipping the signed DPA. Several state privacy laws require a written contract with every processor. Without a DPA you cannot show a regulator that OpenAI is a contractual processor, and you may be treated as a joint controller.

  3. Assuming Business includes a BAA. It does not. If you are a HIPAA-covered entity or a business associate, only Enterprise will execute a BAA.

  4. Letting employees share a single seat. Shared seats break your audit trail, violate OpenAI’s usage policies, and make offboarding impossible. Each user needs their own seat tied to SSO.

  5. Ignoring state AI laws. The Colorado AI Act and NYC Local Law 144 impose bias-audit and disclosure duties on employers who use AI in hiring. A wrong-tier deployment without audit logs makes compliance much harder.

  6. Forgetting about retention settings. Enterprise lets you set a 30-day or even zero-day retention window. If you do not configure retention, the default can be longer than your own record-retention policy allows.

  7. Buying too many seats too early. Paying for 200 seats when only 80 employees log in each month wastes money. Start with a pilot, measure adoption, and scale up.

  8. Not training staff on prompt hygiene. Even the best plan cannot protect you from an employee who pastes a client’s merger memo into a prompt. Written policies and a 30-minute training session reduce that risk.

  9. Confusing ChatGPT with the API. If your developers need to embed AI in a product, ChatGPT seats are the wrong SKU. The API is cheaper at scale and offers its own enterprise-grade privacy controls.

  10. Relying on a single AI vendor. The NIST AI Risk Management Framework warns against single-vendor lock-in. Smart buyers keep at least one alternative like Claude for Work or Gemini for Workspace under evaluation.

Do’s and Don’ts for Business Buyers

Do read the current OpenAI enterprise privacy page before signing, because the commitments change as the product evolves.

Do map every AI use case to a data-classification label — public, internal, confidential, or regulated — before choosing a tier.

Do run a 30-day pilot with 10 percent of your eventual seat count so you can measure actual adoption and ROI.

Do require SSO on day one, even for a 5-seat deployment, because the offboarding risk is the same at every size.

Do document your governance decisions in a short written AI-use policy, because regulators increasingly expect one.

Don’t let employees use personal ChatGPT accounts for work, because you lose the DPA, the audit log, and the no-training guarantee.

Don’t assume the consumer “training off” toggle is the same as a contractual no-training clause, because it is not.

Don’t pay for Pro seats across an entire team when Business seats cost less and include governance.

Don’t store long-lived copies of chat histories outside your own systems, because retention in ChatGPT is not a substitute for your records-management policy.

Don’t ignore the EU AI Act if you sell into Europe, because some provisions reach U.S. providers whose outputs affect EU users.

Pros and Cons of Each Tier

ChatGPT Plus — Pros: cheap, fast to deploy, full access to flagship models, good for solo work.
ChatGPT Plus — Cons: no DPA, no BAA, no admin console, training-off is a user toggle, not a contract.

ChatGPT Business — Pros: signed DPA, SSO, admin controls, moderate price, no-training default, fits 3-149 employees.
ChatGPT Business — Cons: no BAA, limited context compared to Enterprise, no negotiated indemnities.

ChatGPT Enterprise — Pros: BAA available, SOC 2 Type II, 128k context, custom retention, negotiated indemnity, SAML SSO, SCIM, domain verification.
ChatGPT Enterprise — Cons: custom-priced, sales cycle takes weeks, typically needs 150+ seats to negotiate well.

OpenAI API — Pros: pay only for what you use, embeddable, enterprise privacy commitments, flexible models.
OpenAI API — Cons: requires developer talent, token costs can surprise finance teams, not a turnkey chat UI.

ChatGPT Edu — Pros: FERPA-aligned, designed for student data, priced for institutions.
ChatGPT Edu — Cons: only available to qualifying educational institutions, not a fit for commercial businesses.

Legal and Regulatory Angles You Must Consider

Federal law sets the floor, and state law often goes further. Start at the federal level, then layer state rules on top.

HIPAA and Protected Health Information

HIPAA applies if you are a covered entity or a business associate. HIPAA requires a written BAA with every vendor that processes PHI on your behalf.

The consequence of using a non-BAA plan with PHI is an automatic breach under the HIPAA Breach Notification Rule. Civil penalties range from $137 to $68,928 per violation in 2026, with an annual cap north of $2 million per category.

A real-world mini-scenario: a 50-person physical-therapy chain pastes patient discharge summaries into ChatGPT Plus to draft referral letters. The practice never signed a BAA, so every summary is an unpermitted disclosure. A common misconception is that de-identified data escapes HIPAA; under the Safe Harbor method, 18 identifiers must be removed before the data leaves covered-entity control.

GDPR, CCPA, and State Privacy Laws

The GDPR and the CCPA both require a written contract between a controller and its processors. California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and a dozen more states now have comprehensive privacy laws on the books.

The consequence of skipping the DPA is regulatory exposure. The California Privacy Protection Agency issued its first enforcement actions in 2024, and similar agencies in Colorado and Texas have followed.

Example: a Texas-based SaaS company uses Plus to draft privacy-policy updates. Because Plus does not come with a DPA, the company’s outside counsel recommends a move to Business before the next Texas Data Privacy and Security Act audit cycle.

FTC Section 5 and AI Marketing Claims

The FTC’s 2023 guidance warns companies not to exaggerate what their AI tools can do. Misrepresenting ChatGPT’s output as human-authored or overstating its accuracy can draw a Section 5 unfair-or-deceptive-practices claim.

The consequence is a consent order that can last 20 years, plus civil penalties for future violations. A common misconception is that internal use avoids FTC scrutiny; customer-facing output generated by AI is covered whether or not the company discloses its AI origin.

SEC Regulation S-P and Financial Services

Regulation S-P — updated in 2024 — requires broker-dealers, investment advisers, and investment companies to adopt written incident-response programs and to notify customers within 30 days of a data breach.

Financial firms using Plus for client data risk an S-P violation if a breach occurs and the firm cannot show a contractual relationship with the AI processor. The SEC’s 2024 enforcement sweep on AI-washing also targeted firms that overstated their AI capabilities.

State AI Laws and Employment Use

The Colorado AI Act takes full effect in 2026 and requires developers and deployers of high-risk AI systems to conduct impact assessments and notify consumers of adverse decisions. NYC Local Law 144 requires annual bias audits for automated employment-decision tools used on NYC-based candidates.

The consequence of a missed audit under Local Law 144 is a civil penalty of $500 to $1,500 per violation, per day. Many employers using ChatGPT to screen résumés do not realize the law covers them, which is the most common misconception in this area.

Attorney-Client Privilege and Work Product

Lawyers using ChatGPT Plus on client matters risk waiving privilege if the conversation is deemed a third-party disclosure. ABA Formal Opinion 512, published in 2024, outlines the duties of competence, confidentiality, and supervision that apply to generative AI.

In the Mata v. Avianca sanctions order, a court fined two New York lawyers who filed a brief with hallucinated citations. The lesson is that any lawyer using AI must verify every cite and every quote before filing.

How to Run a 30-Day Pilot

A structured pilot is the cheapest way to pick the right plan. Start by choosing 10 percent of your eventual seat count, pick three concrete use cases, and measure time saved per week per user.

Write a one-page AI-use policy that tells pilot users which data classifications they may paste, which they may not, and what to do if they are unsure. Require pilot users to log their prompts in a shared sheet for the first two weeks so you can spot misuse early.

At the end of the pilot, compare the Business and Enterprise quotes side by side with your measured adoption rate. If fewer than 60 percent of pilot users log in weekly, you will waste money on a full rollout. If more than 80 percent log in weekly and you handle regulated data, Enterprise almost always pencils out.

Frequently Asked Questions

Is ChatGPT Plus enough for a small business?

No — Plus has no signed DPA, no admin console, and no contractual no-training commitment. It is fine for a solo operator but unsafe for any team that handles client or employee data.

Does ChatGPT Business include a BAA for HIPAA?

No — only ChatGPT Enterprise offers a signed Business Associate Agreement. Covered entities and business associates must choose Enterprise for any workflow that touches PHI.

Can I switch from Business to Enterprise later?

Yes — OpenAI supports upgrades mid-contract. Expect a new MSA, a new DPA, and a short migration window to move users and settings.

Is my data used to train models on ChatGPT Business?

No — Business, Enterprise, Edu, Team, and the API all default to no training on customer data, which is confirmed in OpenAI’s enterprise privacy commitments.

Do I need ChatGPT Enterprise to comply with the GDPR?

No — Business also includes a signed DPA that satisfies GDPR Article 28, although Enterprise adds extra controls like custom retention and SAML SSO.

Can my law firm use ChatGPT without waiving privilege?

Yes — but only if you use Business or Enterprise, apply a written AI policy, and verify every citation before filing, consistent with ABA Formal Opinion 512.

Is ChatGPT Pro worth $200 per month for a business?

No — Pro is tuned for individual power users who need unlimited o-series reasoning. Teams get better governance and lower cost per user on Business.

Does the OpenAI API replace a ChatGPT seat?

No — the API is for developers embedding AI into products. Non-developers still need a ChatGPT seat for day-to-day work.

Can I use ChatGPT for hiring decisions in New York City?

Yes — but NYC Local Law 144 requires an annual bias audit and candidate notice. Skipping either step creates per-day civil penalties.

Is ChatGPT Edu available to private businesses?

No — Edu is limited to qualifying K-12 and higher-education institutions. Private companies should buy Business or Enterprise.

How long does OpenAI keep my Business chats?

OpenAI retains Business chats per the workspace’s retention setting, which admins can configure. Enterprise customers can negotiate shorter windows, including zero retention.

Do I need a written AI-use policy even with a great plan?

Yes — every plan depends on users following good prompt hygiene. A short written policy is the lowest-cost, highest-impact control you can add.