Client Confidentiality and AI: What You Can and Cannot Put Into ChatGPT

The question underneath the question

“Can I put client information into ChatGPT” is really “where does this information go when I hit enter.” Rule 1.6 prohibits revealing information relating to a representation, and a generative AI tool is, depending entirely on its terms, either a confidential extension of your own desk or a third party with a long memory. The ethics instruments differ on thresholds but share one analysis: you cannot answer the confidentiality question without reading the tool’s terms, and most lawyers have never read them.

Three questions decide which kind of tool you are holding. Does it train on inputs? A model that learns from your prompts can, in principle, surface what it learned to other users, and its vendor’s employees may review conversations. Who can access prompt history, and for how long is it retained? Retained history is discoverable, breachable, and subpoenable. And what security and contractual commitments back those answers? D.C.’s Opinion 388 frames this as asking whether the tool exposes inputs to third parties or trains on them before any confidence goes in; the ABA’s Opinion 512 requires informed client consent where exposure risk remains.

Oregon’s distinction is the one to operationalize

Oregon’s Formal Opinion 2025-205 gives firms the cleanest working rule in the country: distinguish open from closed models. Open models (consumer tools that may train on or retain inputs) require the client’s informed consent before information relating to the representation goes in. Closed models (enterprise deployments with training disabled, retention controlled, and access restricted) can be used with reasonable diligence on the vendor’s commitments. The same product often exists in both forms, which is why a firm’s approved-tools register should record tiers and settings, not product names. “We use ChatGPT” is not a confidentiality posture; “we use an enterprise tier with training disabled, retention off, and these documented terms” is.

Anonymization, done honestly

California’s guidance and several successors recommend anonymizing inputs, and it is good practice with a known failure mode: New Mexico’s Opinion 2024-004 warns that removing names is not always enough, because combinations of facts identify clients. A wrongful termination by a named-industry employer in a small town identifies the client to anyone who knows the town. The honest standard is whether someone with public information could re-identify the matter, not whether a name appears. Where the answer is yes, anonymization alone does not clear the input; the tool’s terms or the client’s consent must do the work.

The consent spectrum, state by state

On consent, jurisdictions occupy four positions. At one end, Virginia’s State Bar guidance and New Jersey’s Supreme Court guidelines find no per se duty to inform clients of AI use, with disclosure triggered by client request, agreement, or elevated risk. In the middle, the ABA and Florida recommend or require informed consent specifically where confidential information will be exposed to the tool. Oregon conditions open-model use on informed consent categorically. And at the strict end, West Virginia’s LEO 24-01 requires client consent to generative AI use that is informed and confirmed in writing, the strongest stated position in the country. Multi-state firms should write their policy to the strictest state they practice in; the consent language in the policy template is built to be set jurisdiction by jurisdiction.

Engagement letters are where this becomes administrable. A standing AI clause (what categories of tools the firm uses, under what protections, with an invitation to discuss) satisfies the communication duty for routine use and reserves matter-specific consent for genuinely sensitive inputs, which is roughly where NYC Bar Opinion 2024-5 lands by exempting routine embedded AI from disclosure while requiring care for open systems.

Two extensions firms miss

Chat histories are client records. D.C.’s Opinion 388 directs lawyers to preserve relevant AI interactions in the client file, which cuts both ways: retain interactions that are work product, and disable history where retention serves no one. And conversations are inputs too: NYC Bar Opinion 2025-6 extends the whole analysis to AI meeting recorders and transcription assistants, requiring informed consent before client conversations are recorded, vendor vetting, and transcript accuracy checks. The same Rule 1.6 analysis that governs a pasted document governs a listening bot in your client call.

The defensible workflow

Vet the tool and document its terms; prefer closed deployments; anonymize to the re-identification standard, not the name standard; obtain consent at your state’s threshold and put standing language in engagement letters; manage histories deliberately; and train everyone who touches client information, because supervision duties make their inputs your responsibility.