Can Lawyers Use ChatGPT? AI Privacy for Attorneys Without the Privilege Risk
_Last updated: 2026-06-29_
Using ChatGPT with a client's case files is not just a privacy choice — it may be an ethics violation, a privilege waiver, and in some jurisdictions, grounds for disciplinary action.
That is the short version. Here is why it matters and what to do instead.
Dozens of state bars have now issued formal ethics opinions on attorney AI use. The American Bar Association's formal guidance makes clear that lawyers have duties of competence, confidentiality, and supervision that apply directly to AI tools. Pasting client communications, case strategy memos, or privileged documents into a general-purpose AI chatbot almost certainly constitutes a disclosure to a third party — and most privilege doctrines do not protect you when you voluntarily hand information to a third party, even a software vendor.
Courts have noticed. Judges have sanctioned attorneys for submitting AI-generated briefs with fabricated citations. Bar associations are actively issuing guidance. And the underlying data risk is real: when you paste a client's deposition summary into ChatGPT, that text is processed on OpenAI's servers, potentially logged, and subject to whatever legal demands or security incidents hit those servers going forward.
The good news is that practical, high-quality AI is available today in configurations that give you near-frontier capability without exposing client data at all. This guide covers what the risk actually is, which tools are safe, and how to build a legal AI workflow you can use without a compliance headache.
What "Privilege Waiver" Actually Means for AI Tools
Attorney-client privilege protects communications between a lawyer and client made for the purpose of obtaining legal advice. The privilege belongs to the client, but the attorney has an obligation to protect it.
Privilege is waived when confidential information is disclosed to a third party without necessity. Courts apply a variety of tests — some require intentional disclosure, others apply strict liability — but the common thread is this: sending client data to an outside system is the kind of thing that creates waiver risk.
AI vendors are third parties. Their servers are not your servers. Their terms of service are not your engagement letter. When you paste a client's communication into a general AI assistant, you have disclosed it to that vendor's infrastructure, their employees with system access, their security incident surface, and any government demand directed at their logs.
This is not a hypothetical. The Samsung leak in 2023 — where employees uploaded confidential chip design data to ChatGPT and that data became part of training — established the pattern. Legal matters are higher-stakes than chip specs.
What the ethics rules say: ABA Model Rule 1.6 requires lawyers to make reasonable efforts to prevent the inadvertent disclosure of client information. Model Rule 1.1 requires competence, which the ABA commentary has extended to understanding the benefits and risks of relevant technology. Many state bars have issued specific guidance saying that using AI tools with client data requires vendor agreements that meet confidentiality standards — agreements that consumer-tier ChatGPT, Claude, and Gemini do not offer.
Enterprise tiers with data processing agreements are different. But most attorneys are not using enterprise tiers.
The Three Layers of Risk
Legal AI privacy has three distinct exposure surfaces. Closing one without addressing the others leaves you exposed.
1. The inference layer: The AI tool itself. What happens to your input during and after processing? Is it logged? Does it train future models? What is the vendor's subpoena posture? This is the most discussed risk and the easiest to address.
2. The document storage layer: Where do client files live before you feed them to AI? If your documents sit in Google Drive, Dropbox, or a Microsoft OneDrive-connected system, those platforms hold your encryption keys. They can read your files. They surface content to law enforcement under subpoena. They perform content scanning. A local AI model does nothing to protect documents stored in plaintext on a cloud platform you do not control.
3. The communications layer: How does client data move between the attorney, the client, and any AI-augmented workflow? Standard email is not encrypted end to end. A client forwarding you documents over Gmail gives Google visibility into those communications. The chain of custody for confidential data matters.
Layer 1: AI Tools That Are Actually Safe for Legal Work
Local Models: Zero-Disclosure by Design
The cleanest solution is running an AI model entirely on your own hardware. When inference happens locally, no data leaves your machine — there is nothing to log, subpoena, or breach at a vendor.
Ollama is the most practical entry point. It runs on Mac (Apple Silicon or Intel), Windows, and Linux, and exposes a local API compatible with dozens of front-end clients. A Mac Mini M4 Pro or a Windows workstation with 32GB of RAM can run Llama 4 70B, Mistral Large 2, or Qwen 2.5 72B — models that handle document summarization, clause extraction, argument drafting, and legal research at professional quality. Installation takes under ten minutes.
What local models cannot do is browse the web in real time. For case law research, regulatory lookups, and anything requiring current information, you need a different tool.
Perplexity Pro: The Research Layer That Protects Your Prompts
For legal research specifically — "what is the current federal circuit split on X," "summarize recent NLRB guidance on Y," "what courts have applied the economic realities test to gig workers" — a web-connected AI assistant is substantially faster than a local model and produces better-cited output.
Perplexity Pro sits in a materially different risk category than general-purpose AI chatbots. Perplexity's explicit policy for Pro subscribers is that queries are not used to train models. The search-first format means your interaction pattern is research questions rather than document uploads — you are asking about the law, not pasting client files. And Perplexity's output format includes citations to primary sources, which is exactly what legal research requires.
The practical division: use Perplexity for legal research, statutes, and case law exploration. Use a local model for anything involving actual client documents, case strategy, or privileged communications.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.
For local documents you access via your AI workflow, the pattern is: client files in Tresorit or Proton Drive, mounted or downloaded to a local working directory, processed by a local LLM, with outputs that return to encrypted storage before any external sharing.
Layer 3: Encrypted Client Communications
This one is frequently skipped and frequently consequential. If your client sends you privileged communications over standard email — Gmail, Outlook without S/MIME, any standard IMAP/SMTP flow — those communications have been disclosed to a third party (Google, Microsoft) during transmission and storage.
Proton Mail provides end-to-end encrypted email when both parties use Proton addresses. For clients who do not use Proton, you can send password-protected encrypted messages to any email address. This is not as seamless as standard email, but for highly sensitive matters — communications that would be deeply damaging if disclosed — the operational friction is worth it.
The practical approach for most firms is to onboard high-value or high-risk clients onto Proton for privileged communications while using standard email for lower-sensitivity coordination. Proton's custom domain support means your clients see your@firm.com rather than your@proton.me.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.
The Practical Legal AI Workflow
Here is how these layers combine into a working setup:
Research and case law: Perplexity Pro for all legal research, regulatory lookups, and anything requiring current case citations. You are asking about the law in the abstract, not about your client. No client data touches Perplexity.
Document analysis: Client files pulled from Tresorit to a local working directory. Ollama with a capable local model (Llama 4 70B or Mistral Large 2) for summarization, clause extraction, issue spotting, and drafting. Outputs reviewed and refined before returning to encrypted storage.
Drafting assistance: Local model for first drafts of briefs, memos, and correspondence using only facts you explicitly provide. No document upload to a hosted service.
Client communications: Proton Mail for privileged correspondence, particularly on high-sensitivity matters. Standard email for scheduling and low-risk coordination.
File sharing with clients and co-counsel: Tresorit shared folders with defined access controls and audit logs.
This stack eliminates vendor exposure at every layer where client confidentiality is at risk.
Due Diligence Checklist Before Using Any AI Tool with Client Data
Before adding an AI tool to your legal workflow, work through these six questions:
- Where does inference happen? On-device (safe) or on vendor servers (requires vendor agreement)?
- What does the vendor log? Does your input persist after the inference session? For how long?
- Does the vendor train on subscriber data? Most consumer-tier tools do or reserve the right to.
- What is the vendor's response to legal process? Do they challenge demands or comply by default?
- What data processing agreement is available? Enterprise tiers typically offer DPAs. Free and consumer tiers typically do not.
- Where do your documents live before and after AI processing? Is that storage zero-knowledge encrypted?
If any answer is "I don't know," find out before using the tool with confidential data. Not because the risk is certain, but because competence requires knowing the answer.
The Bar Association Position Is Evolving — In One Direction
As of mid-2026, more than thirty state bars have issued AI guidance, and the trend is uniform: attorneys have existing confidentiality, competence, and supervisory duties that apply to AI tools, and using AI in ways that create unauthorized disclosure risk is a potential ethics violation.
No bar has banned AI use. Every bar that has weighed in has said something like: use AI responsibly, understand what it does with your data, and do not expose client information to unauthorized third parties.
That is exactly what a local model plus zero-knowledge storage accomplishes. You are not prohibited from being efficient. You are required to be thoughtful about where data goes.
Stay Ahead of Legal AI Compliance
The bar association guidance is updating faster than most CLE programs can track it. If you want to stay current on AI tools that meet professional confidentiality standards — and get tested workflow recommendations when the landscape shifts — the PrivateAI newsletter covers this specifically.
No vendor promotion. No fluff. Just what changed and what it means for your practice.
Subscribe below to get the next issue directly.
_Have a tool or workflow you've vetted for legal use? Let us know — we test and publish practitioner-sourced stacks regularly._