Skip to main content

JournalPrivacy & Compliance

Privacy & ComplianceMay 5, 2026·6 min read

Why your law firm should never use ChatGPT with client data

Every prompt you send to ChatGPT is transmitted to and processed by OpenAI. That includes client names, case details, and privileged communications you paste in.

Every prompt you send to ChatGPT is transmitted to and processed by OpenAI. That includes client names, case details, and privileged communications you paste in. This isn't a speculation — it's how the technology works.

When you type into a cloud AI interface — ChatGPT, Claude.ai, Gemini — your text travels over the internet to a data center you don't control, gets processed by infrastructure you don't own, and may be retained under terms that are written to protect the AI provider, not you or your clients.

For lawyers, that's a problem with very specific legal contours.

The actual data path

When you paste a client's name and case summary into ChatGPT and ask it to help draft a motion, that text travels to OpenAI's servers, is processed by their infrastructure, may be logged for safety review, and is retained under data policies that can change. OpenAI's enterprise offerings include provisions that limit training on customer data — but "enterprise" means a separate contract, separate pricing, and separate terms, not the ChatGPT Plus subscription most people are actually using.

Even with enterprise protections, you're still trusting a third party with client data. The question for attorneys is whether that's acceptable under your professional obligations.

What bar associations are saying

Bar associations across the country have begun issuing formal guidance on AI use in legal practice. The consistent thread: attorneys have existing professional responsibility obligations that apply to AI tools, and cloud-based AI creates data handling risks worth taking seriously.

New York, Florida, and California have all published guidance noting that attorneys using AI must understand where client data goes and take reasonable precautions to protect it. The ABA's Model Rules on competence have long required understanding the technology you use — the AI era hasn't changed that obligation, it's just made it harder to satisfy with cloud tools.

Whether pasting client information into ChatGPT constitutes a privilege waiver, a confidentiality breach, or a professional responsibility violation depends on your jurisdiction, the nature of the information, and your clients' expectations. These are legal questions you're better positioned to answer than we are.

With local AI, your text never leaves your office. There's no third party to trust, no terms of service to review, no data retention policy to audit.

The local AI alternative

Local AI means the model runs on hardware in your office. When you type into it, your text is processed by software running on that machine. It doesn't travel to any third-party server. The difference is categorical, not a matter of degree.

For legal work specifically, we configure AnythingLLM — a document analysis framework that lets you upload case files, contracts, and deposition transcripts and ask questions about them. Those files are indexed and stored locally on your hardware. Nothing is sent to OpenAI, Anthropic, or anyone else.

What attorneys actually use it for

The practical use cases are immediate:

  • Drafting motions and correspondence from your own notes, without pasting client details anywhere
  • Uploading a contract and asking "what are the key obligations in Section 4?" — the document stays on your machine
  • Summarizing a 200-page deposition by feeding it to a local model that never transmits it externally
  • Asking follow-up questions about case files you've uploaded, building institutional memory about each matter

The models we install — Qwen 3 32B, Phi-4 14B — handle complex legal text well. They won't replace your judgment, but they make the mechanical parts of legal work faster without the data risk of cloud alternatives. See the lawyers use case guide for specific workflow examples.

The honest framing

We're not going to tell you that local AI is fully compliant with your specific bar obligations, because we don't know your jurisdiction, your practice area, or the specifics of your client agreements. That determination is yours to make.

What we can tell you: the data handling model is fundamentally different. Cloud AI requires trusting a third party. Local AI runs on hardware you own and control. Your client data doesn't leave your building. Whether that matters for your practice — and how much — is a question worth taking seriously.

Related

Cost Analysis8 min read

Is a Mac Mini cheaper than API credits? The 24-month math

Setup Guides6 min read

What is OpenClaw and why does it matter for local AI?

Get started

Want this running on your Mac?

Book a consultation. We'll assess your workflow, recommend the right setup, and configure it on your hardware.

Book a Consultation →