Can I Upload Client Documents to ChatGPT? What Rule 1.6 Actually Requires
The most common AI question lawyers actually face isn't about research — it's whether the deposition transcript can go into the chatbot. Here's the confidentiality analysis: what Rule 1.6 and ABA Formal Opinion 512 require, the four questions to ask any AI tool, and what a privilege-grade architecture looks like.
The direct answer: uploading client documents to a consumer AI chatbot is a Rule 1.6 problem — the free and standard tiers of general-purpose tools may retain your conversations, use them to improve models, and expose them to vendor review, which is exactly the "unauthorized disclosure" the rule requires reasonable efforts to prevent. The same task on a tool with contractual confidentiality guarantees and real tenant isolation is a different analysis entirely. The line isn't "AI or no AI." It's where the data goes.
That distinction is the whole article, so let's make it precise.
What the rules actually require
Rule 1.6 obligates lawyers to make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation." Note the breadth: not just privileged communications — anything relating to the representation, which includes the deposition transcript, the demand letter, and the client's messy fact pattern you're tempted to paste in for a summary.
ABA Formal Opinion 512 (July 2024) applies that duty to generative AI directly: before client information touches a tool, the lawyer must understand the tool's data practices — whether inputs are retained, whether they train models, who can see them — and must obtain informed client consent before using tools that may expose information relating to the representation. "I didn't know the terms of service" is a competence failure (Rule 1.1), not a defense.
State authorities add their own layers — Utah's, including a statutory disclosure duty when clients interact with AI directly, are mapped in our guide to what governs Utah lawyers using AI. The national ethics picture is in can lawyers use AI for legal research.
Why the consumer tier is the trap
Consumer chatbot tiers are built for a bargain lawyers can't make: your conversations may be retained and reviewed to improve the service, and by default may become training signal. Business and enterprise tiers usually reverse those defaults contractually — which is precisely why they exist. The split isn't specific to ChatGPT: Claude, the other consumer assistant lawyers reach for, draws the same line between its consumer plans and its no-training commercial API. The privilege question sharpens the point: disclosure to a third party can waive privilege, and while courts haven't settled how AI vendors fit the doctrine, the defensible posture is the one law firms already use for every other vendor — processing under confidentiality obligations, not donation to a training corpus. Nobody wants to be the test case that finds the line.
The practical failure mode isn't the firm that adopted a legal AI platform. It's the associate with a personal ChatGPT account and a deadline — pasting the client's facts into the free tier because it's right there. A one-page firm AI policy exists to catch exactly that. (The verification half of that policy — no AI-touched citation reaches a filing unchecked — has its own free tool.)
The four questions that sort every tool
Ask these of any AI product before client data touches it:
- Training: Is my data used to train or improve models? Is that a contract term, or a settings toggle that a product update can move?
- Isolation: Is my firm's data segregated from other customers', or is it rows in a shared database with access rules on top?
- Deletion: When I delete a client's file, does the derived data go too — embeddings, search indexes, cached chunks — or just the file?
- Location: Can documents stay in storage the firm already controls?
| Question | A passing answer | Walk away when you hear |
|---|---|---|
| Training | "Never, by contract" | "You can opt out in settings" |
| Isolation | "Each firm's data is structurally separate" | "Protected by access controls" |
| Deletion | "Files, embeddings, and indexes, on demand" | "We delete the documents" |
| Location | "Your Drive/OneDrive, or a vault you control" | "Our secure cloud" (unspecified) |
Most tools flunk question 2 quietly: "your data is protected by access controls" means everyone's data is in the same place with rules about who can look. That's a policy. Architecture is when the mixing never happens.
What privilege-grade architecture looks like
This is the standard we built CaseRead against, and it doubles as a checklist for evaluating anyone, including us:
- Per-firm isolation at the schema level — each firm's documents and search indexes live in their own database schema, not as filtered rows in a shared one. Firm A's data isn't hidden from Firm B by a rule; it's structurally elsewhere.
- Bring-your-own-storage — documents can stay in the firm's own Google Drive or OneDrive, or the built-in vault; the firm keeps custody either way.
- Deletion that means it — purging a client removes vectors, indexes, and metadata, not just files, because "right to be forgotten" includes the derived data.
- Sharing controls inside the firm — firm-wide versus lawyer-private documents, because confidentiality has internal walls too.
The full picture is on our features page. But apply the four questions to every vendor — they pair with the three research-quality filters as a complete evaluation. A tool that answers them well is usable under Opinion 512 with a clean conscience; a tool that answers vaguely is a consumer chatbot wearing a suit.
The bottom line
"Can I upload client documents to AI?" is really "where does this tool put my client's information, and could I explain that answer to the client — or a disciplinary panel?" Consumer tiers fail that explanation. Purpose-built tools with contractual guarantees and isolation-first architecture pass it. Know which one you're typing into before the paste.
Frequently asked questions
Can lawyers upload client documents to ChatGPT? Not to a consumer tier without serious risk. Rule 1.6 requires reasonable efforts to prevent unauthorized disclosure of client information, and ABA Formal Opinion 512 says lawyers must understand where AI-input data goes before client information touches a tool. Consumer chatbot tiers may retain conversations, use them to improve models, and expose them to vendor personnel — conditions that are hard to square with confidentiality duties absent informed client consent. Business or enterprise tiers with contractual no-training commitments, or purpose-built legal tools with isolation guarantees, change the analysis.
Does using AI waive attorney-client privilege? Privilege turns on confidentiality, and disclosure to a third party can waive it. Courts haven't settled how AI vendors fit that doctrine, but the safe analysis treats an AI tool like any other vendor: processing under contractual confidentiality obligations, as with a copy service or e-discovery vendor, is the defensible posture; feeding privileged material into a consumer tool whose terms allow retention and training is the fact pattern nobody wants to litigate first. Until courts speak, use tools whose terms would survive that argument.
What should I ask an AI vendor before sharing client data? Four questions. Is my data used to train or improve models — and is that commitment contractual, not a settings toggle? Who can access it — is firm data isolated from other customers or mixed in shared infrastructure? Can I delete it completely — including derived data like embeddings, on demand? And where does it live — can the firm keep documents in storage it controls? A vendor that can't answer all four crisply hasn't built for legal work.
Do I need client consent to use AI tools? It depends on the tool and the use. ABA Formal Opinion 512 requires informed consent before inputting information relating to the representation into a tool that may expose it — the consumer-chatbot scenario. Using a tool with genuine confidentiality protections for internal work generally doesn't require consent, though disclosure in engagement letters is an emerging best practice, and some states layer their own requirements, like Utah's AI Policy Act disclosure duty when clients interact with AI directly.
What does a confidentiality-safe legal AI architecture look like? Isolation as architecture, not policy: each firm's documents stored and indexed separately from every other customer's, no training on client data as a contractual term, deletion that removes derived data (embeddings and indexes, not just files), and ideally documents remaining in storage the firm already controls, like its own Drive or OneDrive. Access rules bolted onto shared infrastructure are weaker than infrastructure that never mixes firms in the first place.
CaseRead Team
AI-powered legal research built for practicing attorneys.