Can Lawyers Use ChatGPT? Confidentiality, Privilege, and AI in 2026

Short answer: Yes, lawyers can use ChatGPT — and many do — but doing so without violating the duty of confidentiality, attorney-client privilege, or your jurisdiction's competence rules requires a deliberate workflow. As of 2026, multiple state bar associations have issued ethics opinions making clear that pasting client information into a consumer AI tool can be a discipline-eligible breach. The good news: with the right product tier, the right contractual terms, and a habit of redacting at the source, generative AI is genuinely useful in the practice of law.

This guide explains the rules that matter, the specific risks unique to legal work, and the workflow patterns that let lawyers benefit from AI without exposing the firm or the client.

What the rules actually say

The American Bar Association's Model Rules of Professional Conduct, which most US jurisdictions track closely, are explicit on three obligations that apply directly to AI use:

• Rule 1.1 — Competence. A lawyer must provide competent representation, including "the benefits and risks associated with relevant technology." Comment 8 (the "duty of technological competence") has been adopted in 40+ US jurisdictions.
• Rule 1.6 — Confidentiality. A lawyer "shall not reveal information relating to the representation of a client unless the client gives informed consent." Comment 18 requires "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to," client information.
• Rule 5.3 — Responsibilities Regarding Nonlawyer Assistance. Lawyers have a duty to make reasonable efforts to ensure that nonlawyer assistants — which includes vendors and software — conform to the lawyer's professional obligations.

In 2024 the ABA's Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 512, "Generative Artificial Intelligence Tools," confirming that all three rules apply to GenAI use. Several states have followed with their own opinions: California (2023), Florida (2024), New York (2024), New Jersey (2024), and Pennsylvania (2024) among them. The opinions are not identical, but they consistently say:

• Confidential client information may not be entered into a generative AI tool without informed client consent unless the lawyer takes reasonable measures to ensure that the information will not be disclosed or used to train a model accessible to others.
• Lawyers must understand the tool well enough to advise the client about it (Rule 1.1).
• Outputs must be independently verified for accuracy (Rule 1.1, with several courts now sanctioning lawyers for unverified AI-generated citations).
• Fee arrangements should account for AI use (Rules 1.5, 1.5(a)).

The phrase "reasonable measures" is doing real work here. It is the same standard that applies to email, cloud storage, and outsourced document review — and the bar opinions explicitly draw the analogy.

Why legal work is harder than the average AI use case

Three properties of legal work make casual AI use riskier than it looks:

1. Privilege is binary. Attorney-client privilege protects confidential communications between lawyer and client made for the purpose of legal advice. Disclosure to a third party — including, potentially, an AI vendor with broad rights to your input — can waive the privilege for the entire subject matter. Unlike confidentiality (which can sometimes be repaired), privilege waiver is hard to undo.
2. The work product doctrine is fact-sensitive. Materials prepared in anticipation of litigation receive separate protection. Disclosure to an AI tool creates an argument that the materials are no longer "kept confidential" in the way the doctrine assumes.
3. Conflict checks rely on metadata. Pasting a brief or a client list into a consumer AI service is, among other things, an uncontrolled export of conflict-relevant information. Future engagements at the firm — and any audit of the conflict-check process — depend on knowing where that information has been.

Compare a doctor pasting a patient name into ChatGPT to a lawyer pasting an opposing-party draft motion. The doctor faces HIPAA exposure; the lawyer faces HIPAA-equivalent confidentiality duties plus the possibility of waiving privilege in pending litigation.

The product-tier question

For lawyers, the consumer-versus-enterprise distinction is more than a billing matter. As of April 2026, the relevant defaults are:

• ChatGPT Free / Plus / Pro / Team (consumer tier) — May retain prompts for abuse monitoring; may use prompts to train future models unless the user opts out; not covered by an enterprise data-processing addendum (DPA).
• ChatGPT Enterprise / Edu — Zero retention available; not used to train models; covered by an enterprise agreement; SOC 2 Type II.
• OpenAI API — Excluded from training by default; 30-day retention by default; zero-retention available for eligible customers; enterprise DPA available.
• Anthropic Claude (claude.ai and API) — Excluded from training by default; enterprise DPAs and zero-retention agreements available for eligible customers.
• Google Gemini (consumer) — May retain and human-review prompts on the free tier; Workspace and Vertex AI are governed by separate enterprise terms.
• Microsoft 365 Copilot (Commercial Data Protection) — Prompts not used for training when signed in to an eligible commercial account.

A reasonable measure under Rule 1.6 is much easier to demonstrate on a properly configured enterprise tier than on a consumer plan. Most state bar opinions stop short of saying consumer tools are categorically off-limits, but several note that the burden of proving "reasonable measures" rises sharply when a free or personal-paid account is involved.

A workflow that works in practice

Below is a pattern several mid-sized firms have adopted in 2025–2026 to use AI broadly without case-by-case client consent:

1. Tier selection. Use a contracted enterprise plan (ChatGPT Enterprise, Claude for Work, Microsoft 365 Copilot, or comparable) under a DPA and zero-retention configuration. Block consumer endpoints at the firm's network or via an identity policy.
2. Local redaction at the browser layer. Deploy a local-first tool such as Sonomos to every device used for client work. The tool detects names, addresses, account numbers, and other identifiers in the browser and replaces them with reversible tokens before the prompt leaves the device. The model sees a coherent document; the client's identifying information does not leave the firm.
3. Document the policy. Update the engagement letter, the firm's information-security policy, and the conflict-check procedure to reflect AI use. ABA Formal Opinion 512 specifically references engagement-letter language as a way to obtain (or document the boundary of) client consent.
4. Verify outputs. Treat every AI-generated citation, quotation, and rule statement as an unverified claim from a junior researcher. Multiple courts in 2023–2025 have sanctioned attorneys for filing briefs with hallucinated cases; the verification step is no longer optional.
5. Train and audit. Annual training, plus periodic walk-throughs of representative matters, tends to catch process drift faster than self-reporting alone.

Examples: what is and is not safe

| Scenario | Acceptable? | Why | | --- | --- | --- | | Paste a client's NDA into ChatGPT Plus to "make it more readable" | Risky | Consumer tier, no DPA, no client consent | | Paste the same NDA after replacing names and amounts with placeholders into ChatGPT Plus | Acceptable | No identifiable client information leaves the device | | Use ChatGPT Enterprise (BAA + DPA + ZDR) to summarize a deposition transcript with the client's name in it | Acceptable, with caveats | Reasonable measures are in place; verify output | | Use a local-first redaction tool that masks client identifiers, then paste into Claude for Work | Acceptable | Identifying data never leaves the device | | Use any tool to draft a brief and file it without verifying citations | Not acceptable | Rule 1.1 violation regardless of tier | | Discuss strategy in a public ChatGPT thread that may be indexed | Not acceptable | Public chat URLs are explicitly addressed in several state opinions |

Frequently asked questions

Does using ChatGPT waive attorney-client privilege?

The risk is real but situation-dependent. A consumer ChatGPT account, where the prompt may be retained, reviewed by the provider's staff, or used for training, is the riskiest case. An enterprise tier under a confidentiality DPA, with zero retention, is the closest analogue to using outside vendors for traditional document review — generally accepted as not waiving privilege provided the vendor is bound to confidentiality. The Sedona Conference and several state opinions have begun to address this directly; expect more guidance in 2026.

Do I need to obtain informed client consent every time I use AI?

ABA Formal Opinion 512 and most state opinions distinguish between cases where the lawyer has taken "reasonable measures" (no per-matter consent typically required, but a baseline disclosure in the engagement letter is recommended) and cases where the lawyer has not (consent required, scope of consent depends on what is actually being shared). The cleanest path is a baseline disclosure plus reasonable measures — including local-first redaction.

Are there any AI uses that don't implicate Rule 1.6 at all?

Yes, when the input contains no information relating to the representation of a client. Drafting marketing copy, brainstorming research questions in the abstract, summarizing public statutes — all generally fine. Once the prompt includes any information the client expects to be confidential, the rule attaches.

Has anyone been disciplined for AI use yet?

Yes, and the trend is rising. The early discipline cases focused on Rule 1.1 — specifically, attorneys who filed pleadings citing hallucinated cases. The next wave, beginning to surface in 2025, focuses on Rule 1.6 disclosures via free or personal AI accounts. Plan for both failure modes.

Is "I redacted by hand before pasting" a defensible position?

Better than nothing, but not durable. Manual redaction misses entries under deadline pressure and creates an audit trail of "I was careful most of the time." Automated, local-first redaction with a deterministic detector and reversible tokenization is both more reliable and easier to demonstrate as a "reasonable measure" under Rule 1.6.

What about discovery and litigation holds?

If client information has been pasted into a third-party AI tool, that tool's records may now be in scope for discovery and for any litigation hold the firm must implement. The firm's policy should include a procedure for preserving and producing AI-related records when applicable, and for confirming with the AI vendor what records exist and for how long.

A short checklist for legal teams

• Adopt an AI policy. Specify which products are approved, which are blocked, and the consent requirements for each matter type.
• Choose enterprise-tier products with DPAs and zero retention; block consumer endpoints.
• Deploy local-first redaction to every device. The cost is low; the protection covers the moments when policy slips.
• Update engagement letters and the firm's information-security policy.
• Train every lawyer and paralegal on Rule 1.1, Rule 1.6, and the firm's specific policy.
• Verify every AI-generated citation and every legal proposition before relying on it.
• Audit annually and after any new product or feature is rolled out.

The bottom line

For lawyers, AI is a competence question, a confidentiality question, and a workflow question all at once. The rules in 2026 are clear enough to act on: choose tools whose configuration you can demonstrate as "reasonable measures," remove client identifiers before the prompt leaves the device, document what you do, and verify what comes back. Done well, AI saves real time on the work clients pay for. Done casually, it is a discipline case waiting to happen.

For the specific research tools — Harvey, Westlaw AI, Lexis+ AI, and CoCounsel — and the hallucination risks to know about, see AI Tools for Legal Research in 2026.