# Is ChatGPT Confidential for Lawyers? ABA 512

> Consumer AI is not confidential by default. What ABA Opinion 512 requires before you put client information into any AI tool, explained for your firm.

[Home](https://rankshieldlegal.com/) / [Blog](https://rankshieldlegal.com/blog/) / AI Confidentiality AI Confidentiality
# Is ChatGPT Confidential for Lawyers? What ABA Opinion 512 Requires
No, consumer ChatGPT is not confidential for lawyers by default. Before inputting client information into a self-learning generative AI tool, ABA Formal Opinion 512 says you must understand how the tool uses and retains data and obtain the client's informed consent. An "enterprise" tier can reduce confidentiality risk, but it does not create attorney-client privilege. These are two separate legal concepts.

By [Jamie Kloncz](https://rankshieldlegal.com/about/), Founder, RankShield ** 17 min read ** Published July 8, 2026

No, consumer ChatGPT is not confidential for lawyers by default. Before inputting client information into a self-learning generative AI tool, ABA Formal Opinion 512 says you must understand how the tool uses and retains data and obtain the client's informed consent. An "enterprise" tier can reduce confidentiality risk, but it does not create attorney-client privilege. These are two separate legal concepts.
This article is written for practicing lawyers who are being pushed, by clients, colleagues, and their own workload, to adopt generative AI quickly. It walks through what ABA Formal Opinion 512 actually asks of you, why the consumer and enterprise versions of the same tool carry different confidentiality risk, and why neither version does anything to create evidentiary privilege. The aim is to give you a defensible way to think about the technology before you paste a single client fact into a prompt window. It is general information about professional-responsibility concepts and is not legal advice for your specific matter or jurisdiction.

## Consumer ChatGPT is not confidential by default
The default posture of a self-learning consumer tool is retention and possible reuse of your inputs. Your default posture under Model Rule 1.6 is protection of everything relating to the representation. Those two defaults point in opposite directions, which is why the burden is on you to reconcile them before you use the tool.
Consumer ChatGPT is not confidential for lawyers in the way client communications are. By default, self-learning tools may use and retain the data you enter, which can conflict with your [ethical duty of confidentiality under Model Rule 1.6](https://rankshieldlegal.com/client-confidentiality-ai/). That duty covers all information relating to the representation, not just what a client marks as secret [[4]](#ref-4).
The scope of that rule is what trips people up. Lawyers often picture confidentiality as protecting the dramatic secret, the admission, the number that would swing a negotiation. Model Rule 1.6 is far broader than that. It reaches information relating to the representation regardless of the source, regardless of whether disclosure would embarrass or harm the client, and regardless of whether the information is otherwise available in public records. A client name paired with the fact that you represent them on a particular kind of matter is already information relating to the representation [[4]](#ref-4). That means the threshold for a confidentiality concern is much lower than most intuitions suggest, and it is crossed long before you type anything a layperson would call a secret.
The practical risk is disclosure of client information to a third party you do not control. When you paste client facts into a public AI tool, you may be handing that data to a vendor whose retention and training practices you have not verified. ABA Opinion 512 frames this as a competence-and-confidentiality problem: a lawyer must understand the technology before using it on a client matter [[4]](#ref-4).
Turning off chat history or choosing a business plan changes the risk profile, but it does not automatically satisfy your ethical duty. You still have to know how the specific tool handles your data before the first prompt. The setting reduces one exposure; it does not answer the underlying question the rule asks, which is whether you understand, well enough to explain it, what happens to the information after you send it.

## What ABA Opinion 512 requires: informed consent, not boilerplate
ABA Formal Opinion 512, issued July 29, 2024, sets a clear sequence. Before inputting client information into a self-learning generative AI tool, a lawyer must, under Model Rule 1.6, understand how the tool uses and retains data and obtain the client's informed consent. Critically, boilerplate consent buried in an engagement letter is not enough [[4]](#ref-4).
Informed consent means the client understands what you are proposing and agrees to it. For AI, that means explaining, in plain terms, that client information may be entered into a specific tool, how that tool handles the data, and the risks involved. A generic "we may use technology vendors" clause does not meet this bar [[4]](#ref-4).
It helps to see why boilerplate fails on its own terms. Consent is only meaningful if the person giving it grasps what they are agreeing to. A clause that says the firm reserves the right to use unspecified technology vendors tells the client almost nothing: not which tool, not what the tool does with their information, not what could go wrong. A client who signs that has not made an informed choice about AI because AI was never actually put in front of them as a choice. Opinion 512 treats the disclosure and the consent as two halves of the same obligation, and a disclosure vague enough to be forgettable cannot support consent specific enough to be real [[4]](#ref-4).
One important caveat: ABA opinions are guidance, not law. Opinion 512 is non-binding, and states adopt or adapt ABA guidance variably. Check your own jurisdiction's rules and any state bar opinions, because your specific obligations may differ from the ABA's framework [[4]](#ref-4).
The sequence in Opinion 512 is ordered for a reason. Understanding the tool comes before consent, because you cannot describe to a client a data practice you have not yet examined yourself. If you find you cannot explain in a sentence what the tool does with an input, you are not ready to ask the client to agree to it [[4]](#ref-4).

Source: ABA Formal Opinion 512 Download SVG

## Why an "enterprise" tier is not the same as privilege
An enterprise or no-training AI tier reduces confidentiality risk. It does not create attorney-client privilege. This is one of the most common and dangerous misconceptions among lawyers evaluating AI tools, so it is worth stating plainly: paying for a business plan changes a vendor's data practices, not the law of privilege.
Enterprise tiers typically promise that your inputs will not be used to train the vendor's models and may offer stronger retention controls. That is genuinely useful for meeting your Rule 1.6 confidentiality duty, because it narrows the risk of client information leaking to a third party [[4]](#ref-4). But confidentiality controls and evidentiary privilege are governed by different bodies of law.
The mistake is understandable because the marketing language sits close to the language of privilege. A tier that promises your data stays private, is not used for training, and is deleted on a schedule sounds like it is protecting the same thing privilege protects. It is not. A vendor can only make promises about its own conduct: how it stores, uses, and retains what you send. Privilege is not a promise a vendor can make. It is a doctrine courts apply to certain communications, and no contractual term in a subscription agreement can extend it to material a court would otherwise treat as discoverable.
Privilege protects certain communications from compelled disclosure in litigation. A vendor's marketing tier cannot confer it. In fact, reporting on United States v. Heppner (S.D.N.Y. 2026) indicates that AI-generated documents were treated as not privileged and not work product, a reminder that running content through an AI tool can undercut, not strengthen, a privilege claim [[9]](#ref-9).
Two separate bodies of law: confidentiality controls that a vendor can contract for, and evidentiary privilege that only a court can recognize

## Confidentiality versus privilege: two different duties
Confidentiality and privilege are frequently conflated, but they are distinct. Confidentiality is an ethical duty you owe your client under Model Rule 1.6, covering essentially all information relating to the representation. Privilege is an evidentiary rule that protects specific attorney-client communications from being compelled in court. Satisfying one does not guarantee the other [[4]](#ref-4).
You can breach confidentiality without ever litigating a privilege question, for example by pasting client facts into a tool that retains and trains on them. Conversely, a communication can be confidential yet still be found unprivileged if a court concludes the privilege elements were not met, or that privilege was waived [[9]](#ref-9).
This matters for AI because vendors market confidentiality features, not privilege. As reporting on Heppner suggests, courts may view AI-generated material as outside privilege and work-product protection entirely [[9]](#ref-9). Treat AI outputs as potentially discoverable, and never assume a confidentiality setting substitutes for a privilege analysis.
Dimension Confidentiality (Model Rule 1.6) Attorney-client privilege
What it is An ethical duty you owe the client An evidentiary rule applied by courts
What it covers Essentially all information relating to the representation Specific attorney-client communications
Who controls it The lawyer, through professional conduct The court, through the law of evidence
Can a vendor tier affect it Yes, by limiting how data is used and retained No, a subscription tier cannot confer it

## How to read a tool's data handling before the first prompt
Opinion 512 asks you to understand how a tool uses and retains data before you enter client information [[4]](#ref-4). In practice, that means treating the tool's own terms as the thing you have to be able to explain, not the marketing page and not a colleague's summary. The obligation is to understand the specific tool you are actually using, in the tier you are actually paying for, because those details are what change the risk.
A useful way to structure the review is to ask a small set of concrete questions and require yourself to answer each one in a plain sentence. If you cannot answer, you have not finished the review, and you are not yet in a position to describe the tool to a client. The point is not to become an engineer. The point is to know enough that your Rule 1.6 explanation to the client is accurate rather than hopeful [[4]](#ref-4).

- Does this tier use my inputs to train or improve the vendor's models, and can I point to the term that says so
- How long are inputs retained, and is there a setting that shortens or disables retention
- Who at the vendor, or among its subprocessors, can access what I enter
- Does the version I am about to use match the version whose terms I just read, or am I relying on terms for a different tier
- Can I restate each of these answers to a client in a single plain sentence
The goal of the review is not a perfect technical audit. It is a defensible, accurate account of the tool's data handling that you can stand behind if a client, a court, or a bar committee later asks what you understood at the time [[4]](#ref-4).

## What informed consent actually sounds like
Informed consent under Opinion 512 is measured by what the client understood, not by what a form recited. If the client could not have described, in their own words, what you were proposing to do with their information, the consent was probably not informed [[4]](#ref-4).
Because Opinion 512 rejects boilerplate, [the consent conversation](https://rankshieldlegal.com/blog/tell-client-you-used-ai-aba-512/) has to be specific enough that the client is agreeing to something real [[4]](#ref-4). That does not require legalese. It requires naming the tool, describing in plain terms what happens to their information, and stating the risk honestly, then giving the client a genuine chance to say no.
The difference between adequate and inadequate consent is mostly the difference between the general and the specific. "We use technology to work efficiently" is general and tells the client nothing to agree to. "I would like to use a specific AI tool to help draft parts of your matter, it may retain what I enter, here is how I am limiting that, and here is the risk" is specific enough to consent to or decline. Informed consent is a conversation with a real choice at the end of it, not a signature on a clause the client will never read [[4]](#ref-4).
Two habits make the consent more durable. First, keep the disclosure tool-specific and current, so that if you change tools or tiers you revisit the conversation rather than assuming old consent still fits. Second, minimize the client-identifying detail you enter regardless of consent, so that the consent is a second layer of protection rather than the only one.

## The verification duty: a perfect citation proves nothing
Confidentiality is the first AI risk. Fabricated authority is the second, and it lives in the same tools. A Stanford RegLab study found that leading legal AI research tools hallucinate on one in six or more queries [[1]](#ref-1). That figure is about tools built specifically for legal research, not a general chatbot, which is precisely why it should be sobering: the error rate is measured on the category of product marketed as reliable for law.
The trap is that [a hallucinated citation looks exactly like a real one](https://rankshieldlegal.com/ai-hallucination-legal-filings/). Hallucinations reproduce perfect citation format, complete with plausible reporters, page numbers, and party names. A correctly formatted citation is not proof that a case exists, that it says what the summary claims, or that it is still good law. The formatting is generated by the same process that generated the error, so the polish of the output carries no information about its truth [[1]](#ref-1).
The competence response is verification, treated as non-optional. Independently confirm every quotation, holding, and citation against a primary source before you rely on it or file it. This is not a step you skip when the tool seems confident, because confidence is exactly what a hallucination presents. The rate reported by the study, one in six or more, is high enough that unverified reliance is not a calculated risk, it is an unmanaged one [[1]](#ref-1).
1 in 6 or more queries on which leading legal AI research tools hallucinated, per the Stanford RegLab study [1]

## A confidentiality-safe way to use AI on client matters
You can use AI on client matters responsibly by controlling what goes in, controlling the tool, and verifying what comes out. The goal is to meet your Rule 1.6 duty first, then guard against the second AI risk: fabricated authority.
Start with the ABA 512 sequence: understand the specific tool's data handling, then obtain the client's informed consent, tool-specific rather than boilerplate, before entering client information [[4]](#ref-4). Prefer tools with contractual no-training and defined retention terms, and [minimize the client-identifying detail you input](https://rankshieldlegal.com/blog/prove-privileged-data-never-reached-ai/) where you can.
Then verify every output. A Stanford RegLab study found that leading legal AI research tools hallucinate on one in six or more queries [[1]](#ref-1). A correctly formatted citation is not proof a case exists; hallucinations reproduce perfect citation format. Independently confirm every quotation, holding, and citation against a primary source before you rely on it or file it.

- **Understand the tool** Read the actual terms for the exact tier you will use, and confirm you can describe its retention and training practices in plain language before any client data goes in [[4]](#ref-4).
- **Obtain tool-specific consent** Have a real conversation, name the tool, explain the handling and the risk, and let the client genuinely agree or decline. Skip the boilerplate clause [[4]](#ref-4).
- **Minimize the input** Enter as little client-identifying detail as the task allows, so consent is a second layer of protection rather than the only one.
- **Verify every output** Confirm each quotation, holding, and citation against a primary source before you rely on it or file it, treating polished formatting as no evidence of accuracy [[1]](#ref-1).
- **Separate confidentiality from privilege** Treat AI outputs as potentially discoverable, and never let a confidentiality setting stand in for a privilege analysis in litigation [[9]](#ref-9).

## Misconceptions worth retiring
A few beliefs recur often enough to be worth naming and setting aside directly, because each one, left unexamined, leads a careful lawyer into an uncareful decision. None of these shortcuts survives contact with what Opinion 512 actually requires [[4]](#ref-4).
The first is that turning off chat history makes a consumer tool safe for client work. It changes one exposure, but it does not by itself satisfy the duty to understand the tool and obtain consent, and it does nothing about privilege [[4]](#ref-4). The second is that paying for an enterprise tier is the same as making the work privileged. It is not; a vendor tier is a set of promises about data handling, and privilege is a doctrine only a court can apply [[9]](#ref-9). The third is that a well-formatted answer from a legal AI tool can be trusted on its face. The reported hallucination rate of one in six or more, on tools built for legal research, is the reason that belief is unsafe [[1]](#ref-1).
Retiring these three beliefs does most of the work. What remains is a disciplined habit: understand the tool, get real consent, minimize what you enter, verify what you get back, and keep confidentiality and privilege in separate mental boxes. That is a workable way to get the benefit of these tools without trading away the duties that define the practice.

- Disabling history is a setting, not compliance; the duty to understand the tool and obtain consent still applies [[4]](#ref-4)
- An enterprise tier is a data-handling promise, not a grant of privilege [[9]](#ref-9)
- A perfectly formatted citation is not evidence the authority exists; verify against a primary source [[1]](#ref-1)
- Confidentiality can be breached with no litigation in sight; privilege can fail even when a communication was confidential [[4]](#ref-4) [[9]](#ref-9)

Test yourself
## Confidentiality and AI: a quick self-test
Four questions on what ABA Opinion 512 asks before you use a consumer AI tool.

- 1 Does an enterprise or no-training AI tier create attorney-client privilege? Yes, it converts confidentiality into privilege No, it can reduce confidentiality risk but cannot confer privilege Only if the vendor signs a data-processing agreement **Answer:** No, it can reduce confidentiality risk but cannot confer privilege An enterprise tier reduces confidentiality risk under Model Rule 1.6, but privilege is an evidentiary doctrine only a court can apply. Reporting on United States v. Heppner indicates AI-generated documents were treated as not privileged.
- 2 Under ABA Opinion 512, what must a lawyer do before entering client information into a self-learning AI tool? Add a boilerplate technology-vendor clause to the engagement letter Understand how the tool uses and retains data and obtain the client's informed consent Nothing, provided chat history is turned off **Answer:** Understand how the tool uses and retains data and obtain the client's informed consent Opinion 512 requires understanding the specific tool's data practices and obtaining tool-specific informed consent. Boilerplate consent buried in an engagement letter is not enough.
- 3 A legal AI tool returns a perfectly formatted citation. What does that formatting prove? The case exists and is good law Nothing about whether the case is real; verify it against a primary source That the tool did not hallucinate **Answer:** Nothing about whether the case is real; verify it against a primary source Hallucinations reproduce perfect citation format. A Stanford RegLab study found leading legal AI tools hallucinate on one in six or more queries, so every citation must be independently confirmed.
- 4 Is disabling chat history enough to make consumer ChatGPT safe for client work? Yes, it satisfies the ethical duty No, you still must understand the tool and obtain informed consent Yes, if you also pay for a business plan **Answer:** No, you still must understand the tool and obtain informed consent Turning off history changes one exposure but does not satisfy the duty to understand the tool and obtain consent, and it does nothing to create privilege.
Honest self-check. There is no sign-up, and nothing is stored.

Questions answered
## Straight answers to the common questions
The questions readers ask about this topic, answered directly. **No forms, no sales pitch.**

JAMIE KLONCZ · SEO AGENCY NAPLES ************** ONLINE
Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.

← PREV NEXT → [REQUEST ACCESS →](https://rankshieldlegal.com/contact/)

- **Is it legal for lawyers to use ChatGPT?** Using AI tools is not itself prohibited, but you remain bound by your ethical duties. ABA Formal Opinion 512 directs that, before inputting client information into a self-learning generative AI tool, you must understand how the tool uses and retains data and obtain the client's informed consent under Model Rule 1.6. You also owe a duty of competence, which includes verifying AI outputs; a Stanford RegLab study found leading legal AI tools hallucinate on one in six or more queries. Because Opinion 512 is non-binding guidance adopted variably by states, check your own jurisdiction's rules for your specific obligations.
- **Does enterprise ChatGPT give privilege?** No. An enterprise or no-training tier can reduce confidentiality risk by limiting how a vendor uses and retains your data, which helps with your Model Rule 1.6 duty. But it does not create attorney-client privilege, which is a separate evidentiary concept governed by different law. Reporting on United States v. Heppner (S.D.N.Y. 2026) indicates AI-generated documents were treated as not privileged and not work product. A vendor's subscription tier cannot confer privilege; do not treat a confidentiality setting as a substitute for a privilege analysis in litigation.
- **Do I need client consent to use AI?** Under ABA Formal Opinion 512, before inputting client information into a self-learning generative AI tool, you must obtain the client's informed consent, and boilerplate consent in an engagement letter is insufficient. Informed consent means explaining, in plain terms, the specific tool, how it handles client data, and the risks, so the client can genuinely agree. Because ABA opinions are non-binding and states adopt them variably, confirm your jurisdiction's requirements. When in doubt, obtain tool-specific written consent and minimize the client information you enter.
- **What is the difference between confidentiality and privilege?** They are distinct duties. Confidentiality is an ethical obligation you owe the client under Model Rule 1.6, and it covers essentially all information relating to the representation, whatever its source. Attorney-client privilege is a narrower evidentiary rule that protects specific attorney-client communications from being compelled in court. Satisfying one does not guarantee the other. You can breach confidentiality without any litigation by mishandling client data, and a communication can be confidential yet still found unprivileged if a court concludes the elements were not met or privilege was waived. For AI, this matters because vendors market confidentiality features, not privilege.
- **Why do I have to verify AI research if the tool is built for lawyers?** Because the error rate is measured on exactly those tools. A Stanford RegLab study found that leading legal AI research tools hallucinate on one in six or more queries. Hallucinations reproduce perfect citation format, so a correctly formatted citation is not proof that a case exists, says what the summary claims, or remains good law. The polish of an output tells you nothing about its accuracy, because the same process generates both. Your duty of competence means independently confirming every quotation, holding, and citation against a primary source before you rely on it or file it.
- **Is disabling chat history enough to use a consumer AI tool for client work?** No. Turning off chat history or choosing a business plan changes the risk profile, but it does not automatically satisfy your ethical duty. Under ABA Formal Opinion 512 you still have to understand how the specific tool uses and retains data and obtain the client's informed consent before entering client information. A single setting addresses one exposure; it does not answer whether you understand the tool well enough to explain it to a client, and it does nothing to create privilege. Treat the setting as one layer of protection, not as compliance on its own.

## References

- Stanford RegLab (Magesh, Surani, Dahl, Suzgun, Manning, Ho). Hallucination-Free? Assessing the Reliability of Leading AI Legal Research Tools. Journal of Empirical Legal Studies, 2025 (preprint May 2024). https://hai. stanford. edu/news/ai-trial-legal-models-hallucinate-1-out-6-or-more-benchmarking-queries.
- ABA Standing Committee on Ethics & Prof'l Responsibility. Formal Opinion 512: Generative Artificial Intelligence Tools. July 29, 2024. https://www. americanbar. org/news/abanews/aba-news-archives/2024/07/aba-issues-first-ethics-guidance-ai-tools/.
- Reporting on United States v. Heppner (S. D. N. Y. 2026). https://www. dlapiper. com/en-us/insights/publications/2026/02/are-ai-generated-documents-privileged-key-takeaways-from-heppner.

Written by
## [Jamie Kloncz](https://rankshieldlegal.com/about/)
Founder, RankShield
Jamie Kloncz is the founder of RankShield, the verifiable AI and quantum security platform behind RankShield Legal. An engineer by training, he built RankShield after his own devices and business were attacked, including an AI voice-cloning scam that targeted his family, on one conviction: unverifiable security is the real danger, so every consequential action should leave a receipt anyone can independently check.
[More about Jamie →](https://rankshieldlegal.com/about/)

Try it · Free
## Check a citation against live case-law
Paste a citation from an AI-drafted brief and see whether the case actually exists, resolved against live case-law. Free, no sign-up. Then request early access to certify a full filing.
[Try the citation checker](https://rankshieldlegal.com/ai-legal-citation-checker/)

Keep reading
## Related guides
[AI Confidentiality Do You Have to Tell Your Client You Used AI? An Informed-Consent Walkthrough Under ABA Opinion 512 Read guide →](https://rankshieldlegal.com/blog/tell-client-you-used-ai-aba-512/)[AI Confidentiality Document Review With AI Without Waiving Privilege Read guide →](https://rankshieldlegal.com/blog/document-review-ai-privilege/)[AI Confidentiality How to Prove Privileged Data Never Reached a Third-Party AI Model Read guide →](https://rankshieldlegal.com/blog/prove-privileged-data-never-reached-ai/)
