Skip to content
PrivateAI
← Back to Home
guide

Can Accountants Use ChatGPT? AI Privacy for CPAs Handling Client Tax Data

10 min read min readBy PrivateAI Team

_Last updated: 2026-07-05_

Pasting a client's 1040, K-1, or bank statement into ChatGPT to "summarize this" or "check my math" is not just a privacy shortcut — for paid preparers, it can trigger IRC Section 7216, a federal statute that makes unauthorized disclosure or use of tax return information a criminal misdemeanor, punishable by up to a year in prison and a $1,000 fine per violation.

That is the short version. Here is why it applies to AI tools specifically, and what a compliant workflow actually looks like.

Section 7216 was written decades before generative AI existed, but the IRS has been explicit that it applies to any disclosure of return information to a third party without the taxpayer's written consent — and a consumer AI chatbot is a third party. When you upload a client's Schedule C or a stack of 1099s to a general-purpose AI tool to draft a summary or check a calculation, that data is transmitted to, and potentially retained by, a company that is not your firm and has no engagement letter with your client. The AICPA's Code of Professional Conduct (Section 1.700.001, Confidential Client Information Rule) layers an independent ethics obligation on top of the statute. State boards of accountancy enforce both.

None of this means CPAs and bookkeepers can't use AI. It means the tool has to keep client data off vendor servers entirely. This guide covers what the actual exposure is, which tools close it, and how to build a tax-season-ready AI workflow that doesn't require a compliance sign-off every time you use it.


What Section 7216 Actually Covers

IRC 7216 applies specifically to paid tax return preparers and restricts disclosure or use of "tax return information" — which is defined broadly enough to include not just the return itself but any information a taxpayer provides in connection with preparing it: W-2s, 1099s, bank statements, business ledgers, prior-year returns, and the notes you take during a client interview.

The rule requires written taxpayer consent before that information is disclosed to a third party, with specific, IRS-prescribed language for what the consent must say. A blanket engagement letter clause does not satisfy it. And critically, the rule doesn't distinguish between "disclosure to a person" and "disclosure to a server" — sending client data to an AI vendor's infrastructure for processing is a disclosure under the statute's plain language, regardless of whether a human ever reads it.

This is a narrower rule than attorney-client privilege in one sense (it applies specifically to tax return preparation, not all accounting work), but it carries actual criminal exposure rather than just civil liability or an ethics complaint. For a firm using AI to speed up return prep — draft cover letters, summarize a client's financial documents, reconcile a ledger, answer a tax question with client-specific numbers — the compliance bar is not "be careful." It's "don't disclose without consent, and don't rely on a consumer AI vendor's terms of service to protect you."

Bookkeeping and general accounting work outside of tax preparation isn't covered by 7216, but it's still bound by the AICPA confidentiality rule and, in most cases, explicit confidentiality clauses in client engagement letters. The practical fix is the same either way.


The Three Places Client Financial Data Actually Leaks

1. The AI inference layer. The model itself. Does the vendor log your input? Train on it? What happens when you type a client's SSN, EIN, or account balance into a chat box?

2. The document storage layer. Where do client files sit before and after you touch them with AI? If tax documents live in a standard Google Drive or Dropbox folder, that platform's staff and systems can access them, and they're subject to subpoena and breach risk independent of anything you do with AI.

3. The client communications layer. How do W-2s, bank statements, and signed consent forms move between you and the client? Standard email is not encrypted end to end, and an intercepted or breached inbox exposes exactly the data 7216 is meant to protect.

Closing the AI layer without closing the other two leaves a firm exposed. Here's how to close all three.


Layer 1: An AI Setup That Never Transmits Client Data

Local Models for Anything Touching Client Numbers

The only way to guarantee tax return information never reaches a third-party server is to run the model on hardware you control. Ollama installs in under ten minutes on Mac, Windows, or Linux and runs models like Llama 4 70B, Mistral Large 2, or Qwen 2.5 72B entirely offline after the initial download.

For a firm's actual use cases — summarizing a client's financial documents, drafting plain-English explanations of a K-1 or a Schedule E, reconciling categorized transactions against a ledger, flagging inconsistencies across a set of 1099s — a local model handles the work at a quality level that's indistinguishable from a cloud chatbot for these tasks, because the tasks are pattern-matching and summarization, not frontier reasoning. A mid-range machine (an M4 Mac Mini or a Windows desktop with 32GB RAM) runs this comfortably.

The one thing a local model can't do is pull current information from the web — which matters for tax law, because the tax code changes every year and IRS guidance updates throughout filing season.

Perplexity Pro for Tax Law Research (Not Client Data)

Tax research — "what's the current Section 179 deduction limit," "has the IRS issued guidance on this credit for 2026," "what's the safe harbor threshold for this election" — is exactly the kind of query that should go to a research tool, not a local model, because it needs current, cited sources.

Perplexity Pro is built for this and sits in a meaningfully different risk category than general AI chatbots: Perplexity's Pro-tier policy is that subscriber queries aren't used for model training, and the tool's entire interaction model is built around asking about publicly available information with citations attached, not uploading private documents. The discipline this enforces is useful on its own: you ask Perplexity about the tax code in the abstract ("what is the 2026 QBI phase-out threshold for married filing jointly"), never about a specific client's return. The moment a query would require you to type a client's name, income figure, or business details, it belongs in the local-model workflow instead.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.


Layer 3: Secure Client Communication During Filing Season

Tax season runs on email — clients forwarding W-2s, firms sending draft returns for review, back-and-forth on missing documents. Standard email is not encrypted end to end, which means every attachment passes through your provider's and the client's provider's infrastructure in a form that's technically readable.

Proton Mail provides end-to-end encryption for messages between Proton users and PGP-based encryption for messages to non-Proton recipients, along with a custom domain option so client-facing email still reads as yourfirm.com rather than yourname@proton.me. For a firm that wants a lighter lift, Proton's approach also works well paired with a client portal: use Proton for the sensitive back-and-forth (signed 7216 consent forms, draft returns, anything with SSNs) and standard email for scheduling and general coordination.

The reasonable rollout for most small and mid-size firms is not "migrate every client to encrypted email." It's onboarding the workflow for documents that actually contain return information — W-2s, 1099s, signed consent forms, completed returns — while leaving low-sensitivity coordination on whatever email the firm already uses.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.


The Practical Tax-Season AI Workflow

Putting the three layers together:

Tax law research: Perplexity Pro for current-year thresholds, deduction limits, IRS guidance, and state-specific rules. Queries stay abstract — no client names, numbers, or documents.

Document intake: Clients upload W-2s, 1099s, and bank statements through a Tresorit encrypted link rather than emailing attachments.

Document analysis and drafting: Files pulled to a local machine running Ollama with a capable model for summarization, reconciliation, and drafting client-facing explanations. Nothing leaves the machine.

Client consent and correspondence: Signed 7216 consent forms, draft returns, and anything containing return information sent through Proton Mail. Scheduling and general questions stay on standard email.

Final storage: Completed work pushed back to Tresorit's encrypted folders, with the access log serving as a record of who handled each client's file.

This is not a slower workflow than pasting documents into ChatGPT — it's roughly the same number of steps, with the transmission risk designed out.


Due Diligence Checklist Before Adding Any AI Tool

Run any new AI tool through these questions before it touches client financial data:

  1. Where does inference happen? On your own hardware (safe by default) or a vendor's servers (requires a signed 7216 consent and a vendor data processing agreement)?
  2. Does the vendor log or retain your input? For how long, and under what legal process could it be produced?
  3. Does the vendor train future models on your queries? Most consumer-tier tools do or reserve the right to in their terms.
  4. Is there a written client consent on file that specifically names this tool and satisfies the IRS's required 7216 consent language?
  5. Where does the source document live before and after the AI touches it — and is that storage zero-knowledge encrypted?
  6. Would you be comfortable explaining this workflow to a state board of accountancy examiner? If the honest answer is no, the workflow needs to change before the next return goes through it.

If any answer is "I'm not sure," resolve it before the tool touches a client file — not after.


The Trend Is Toward More Scrutiny, Not Less

State boards of accountancy and the IRS have both signaled increasing attention to how AI intersects with tax return confidentiality, and the AICPA has issued member guidance on AI use that reinforces the existing confidentiality rule rather than carving out an exception for it. No regulator has said accountants can't use AI. Every one that has addressed it has said, in effect: know where the data goes, get consent when the law requires it, and don't treat a vendor's terms of service as a substitute for actual data control.

A local model, encrypted document storage, and encrypted client correspondence gets a firm to "yes" on all three without giving up the speed AI provides during the busiest weeks of the year.


Stay Ahead of Tax-Season AI Compliance

Guidance on AI use for tax preparers is still evolving, and it's changing faster than most CPE credit hours can track. If you want tested, practitioner-relevant workflow updates when the rules shift — not vendor hype — the PrivateAI newsletter covers this specifically.

No sponsored placements. Just what changed and what it means for your practice.

Subscribe below to get the next issue directly.


_Running a private AI workflow for tax prep or bookkeeping that's held up under a state board review? Let us know — we test and publish practitioner-sourced stacks regularly._