
AI Waives Privilege
Confidentiality and Work Product After the 2026 Decisions
You are already drafting with AI. Your clients are drafting with AI. Your opposing counsel is drafting with AI. And in six months, three federal courts have told us — in opinions that journalists, clients, and trial judges are now reading — exactly when that work stays privileged and when opposing counsel gets to read it on the morning of the deposition.
Privilege did not die in 2026. But the doctrine that survives is recognizably stricter than the one the bar carried into the year. The three cases — United States v. Heppner in the Southern District of New York, Warner v. Gilbarco, Inc. in the Eastern District of Michigan, and Morgan v. V2X, Inc. in the District of Colorado — have, between them, done more to map the privilege analysis of generative AI in six months than commentary did in the preceding three years. And they have made four variables outcome-determinative: the platform's terms of service, whether counsel directed the use, whether the protective order anticipated AI, and whether the work product was characterized as belonging to a party or merely a client communicating with a non-lawyer third party.
I. Your AI History is Discoverable
A. Heppner — The Bench-Slap That Started It
On February 10, 2026, Judge Jed S. Rakoff of the Southern District of New York ruled from the bench that documents a criminal fraud defendant generated using Anthropic's consumer Claude product were protected by neither attorney-client privilege nor the work-product doctrine. A written opinion followed on February 17. United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb. 17, 2026). Judge Rakoff framed the question as one "of first impression nationwide: whether, when a user communicates with a publicly available AI platform in connection with a pending criminal investigation, are the AI user's communications protected by attorney-client privilege or the work product doctrine? For the reasons that follow, the answer is no."
The privilege analysis turned on three independently dispositive defects.
First, the AI is not a lawyer.
"[T]he AI Documents are not communications between Heppner and his counsel. Heppner does not, and indeed could not, maintain that Claude is an attorney. 'In the absence of an attorney-client relationship, the discussion of legal issues between two non-attorneys is not protected by attorney-client privilege.'"
Second, the communications were not confidential. This is the holding that should keep general counsel awake. The court reasoned that
"the written privacy policy to which users of Claude consent provides that Anthropic collects data on both users' 'inputs' and Claude's 'outputs,' that it uses such data to 'train' Claude, and that Anthropic reserves the right to disclose such data to a host of 'third parties,' including governmental regulatory authorities."
Because Anthropic's policy
"clearly puts Claude's users on notice that Anthropic, even in the absence of a subpoena compelling it to do so, may 'disclose personal data to third parties in connection with claims, disputes[,] or litigation,'" the defendant "could have had no 'reasonable expectation of confidentiality in his communications' with Claude."
Third, the communications were not made for the purpose of obtaining legal advice from a lawyer. This is the "closer call," and the gap the better-resourced bar will need to close. Heppner's counsel argued he had used Claude for the "express purpose of talking to counsel." Judge Rakoff was unmoved: counsel had conceded that he "did not direct [Heppner] to run Claude searches." Then — in a single sentence the next two cases would build entire arguments around — the court added:
"Had counsel directed Heppner to use Claude, Claude might arguably be said to have functioned in a manner akin to a highly trained professional who may act as a lawyer's agent within the protection of the attorney-client privilege,"
citing the Kovel doctrine.
That sentence is the only door left open after Heppner. Counsel-directed AI use, on an enterprise platform, with a reasonable expectation of confidentiality, may still get inside the privilege wall. Client-initiated AI use does not.
The work-product analysis was shorter and even less sympathetic. Even assuming the AI documents were prepared "in anticipation of litigation," they were "not 'prepared by or at the behest of counsel,' nor did they reflect defense counsel's strategy." Heppner's counsel conceded the documents "were prepared by the defendant on his own volition." Judge Rakoff declined to follow the contrary magistrate decision in Shih v. Petal Card, Inc., reasoning that extending work-product protection to materials prepared without attorney direction "undermines the policy animating the work product doctrine," which is "to protect lawyers' mental processes."
And then the footnote — footnote 3 — that should be tattooed on the wrist of every in-house counsel handing employees a Claude login:
"even if certain information that Heppner input into Claude was privileged, he waived the privilege by sharing that information with Claude and Anthropic, just as if he had shared it with any other third party."
Pasting privileged attorney correspondence into a consumer chatbot waives the underlying privilege. Not the chatbot's output. The underlying communication.
B. Warner — The Same Day, the Opposite Result
Seven hours' drive from Manhattan, on the same February 10, 2026, Magistrate Judge Anthony Patti of the Eastern District of Michigan reached the opposite result on work product. Warner v. Gilbarco, Inc., No. 2:24-cv-12333, 2026 WL 373043 (E.D. Mich. Feb. 10, 2026). The plaintiff was a pro se civil litigant who had used ChatGPT to assist with her filings. The defendant moved to compel her prompts and outputs on the theory that voluntary disclosure to a third-party AI platform had waived any protection. Judge Patti disagreed.
Two doctrinal moves did the work. First, a pro se litigant is simultaneously the client and the lawyer; her own mental impressions, drafts, and litigation strategy are work product when prepared in anticipation of litigation. Second — and this is the rule that gives every represented lawyer leverage — work-product waiver is not coextensive with attorney-client waiver. Attorney-client privilege is waived by voluntary disclosure to any third party outside the privileged relationship. Work product is waived only by disclosure to an adversary, or in a manner that substantially increases the likelihood that the materials will reach an adversary.
Uploading work to ChatGPT, Judge Patti held, is not disclosure to an adversary. It is disclosure to a software tool — what the court called "tools, not persons." The court protected the materials and denied the motion to compel; the question of whether to amend the protective order to address AI platforms would be answered by a different court, seven weeks later, in Morgan.
C. Morgan — The Decision That Built the Protective Order Lawyers Will Now Be Negotiating
On March 30, 2026, Magistrate Judge Maritza Dominguez Braswell of the District of Colorado picked up Heppner and Warner and built the synthesis. Morgan v. V2X, Inc., No. 25-cv-01991-SKC-MDB, 2026 WL 864223 (D. Colo. Mar. 30, 2026). She also took up the question neither earlier case had reached: what should a federal protective order actually require of any AI platform a party uses on confidential discovery materials?
Judge Dominguez Braswell distinguished Heppner on two grounds that every civil litigator should commit to memory.
"First, Heppner was a criminal matter; this is a civil case governed by the Federal Rules of Civil Procedure, and the text of Rule 26(b)(3) broadly protects the work product of a party, not merely counsel. Second, in Heppner, there was a gap between the party and the attorney because the defendant acted entirely apart from his lawyer. No such gap exists in the pro se context. A pro se litigant is simultaneously the party and the advocate."
She then explained, in language already being cited across the country, why disclosure to AI is not disclosure to an adversary:
"even though AI use technically 'discloses' information to a third party, it is highly unlikely the information will fall into the hands of an adversary absent some legal process to compel it. Thus, AI interactions do not automatically compromise work product protections."
But the heart of Morgan is the protective order itself. Judge Dominguez Braswell amended the Protective Order to forbid any party from uploading CONFIDENTIAL material into any AI platform unless the AI provider was contractually prohibited from "(1) storing or using inputs to train or improve its model; and (2) disclosing inputs to any third party except where such disclosure is essential to facilitating delivery of the service" — and was contractually required to delete confidential information on request. She acknowledged the practical effect openly:
"this provision will (at least for now) bar the parties from using most, if not all, mainstream low-to-no-cost AI to process Confidential Information."
That sentence is the answer to the question every general counsel has been asking since Heppner came down. Consumer ChatGPT. Consumer Claude. Consumer Gemini. Consumer Copilot. Standard Perplexity. None of them, as of this writing, meets the Morgan contractual standard for confidential discovery material. The enterprise tiers can. The consumer tiers cannot. And opposing counsel now has a federal magistrate's order to wave in your face when they ask which tool you used.
II. The Platform Walk-Through
The pattern across the major vendors is now consistent enough to summarize. Consumer products train on user data by default (sometimes by very recent default) and offer 30-day-to-five-year retention. Enterprise products, by contract, do not train on customer data, retain only what the customer instructs them to, and come with the kind of Data Processing Addendum that a federal magistrate is willing to credit. The privilege analysis follows the contract, not the brand on the chat window.
A. OpenAI — ChatGPT (Consumer) vs. ChatGPT Enterprise / Team / Edu / API
OpenAI's enterprise privacy page commits, in plain language, that "We do not train our models on your data by default" for ChatGPT Business, ChatGPT Enterprise, ChatGPT for Healthcare, ChatGPT Edu, ChatGPT for Teachers, and the API platform. Customers "own and control" their data, "own [their] inputs and outputs (where allowed by law)," and "control how long [their] data is retained" on the Enterprise, Healthcare, and Edu tiers. The product offers SAML SSO, AES-256 at-rest encryption, TLS 1.2+ in transit, SOC 2 audit coverage, and a Data Processing Addendum.
Free ChatGPT, ChatGPT Plus, and ChatGPT Pro — the consumer tiers — do not carry these contractual guarantees. They train on user inputs unless the user has affirmatively disabled "Chat History & Training" in settings, and even then OpenAI retains conversations for up to 30 days for abuse monitoring. This is the Heppner fact pattern, with the brand name swapped.
B. Anthropic — Claude Commercial vs. Claude Free/Pro/Max
Anthropic's commercial-customer privacy page is direct: "By default, we will not use your inputs or outputs from our commercial products (e.g. Claude for Work, Anthropic API, Claude Gov, etc.) to train our models." Feedback submitted via the thumbs-up/down button is retained for up to five years and de-linked from user identifiers.
The consumer side is where the trap is. As of September 28, 2025 — five months before Heppner — Anthropic flipped the default on Claude Free, Pro, Max, and Claude Code consumer accounts. Conversations are now used to train Claude unless the user opts out, and retention extends to five years for those who do not. The opt-out toggle was, by widespread reporting, pre-checked "On" with a prominent "Accept" button next to small print, and many users clicked through without reading. Engineers, paralegals, and clients who used consumer Claude after September 2025 with default settings have transcripts sitting in Anthropic's training pipeline until 2030.
This is the platform Heppner used. The privacy policy Judge Rakoff quoted is, in material respects, the policy still in force.
C. Google — Gemini (Consumer) vs. Gemini for Workspace / Cloud / Enterprise
Google Workspace's enterprise documentation is similarly clear: "Enterprise data used within Gemini for Workspace and Gemini for Cloud is not used for model training and is not reviewed by humans." Workspace prompts, outputs, and uploads are excluded from the datasets used to train any future Gemini model. The administrator-level controls — including the toggle to enable or disable Gemini features across Gmail, Drive, and Docs — sit in the Workspace Admin Console. There is no human review and no model training on Workspace content covered by the Workspace Terms of Service.
The consumer Gemini app — the one logged into a free Gmail account — operates under the Gemini Apps Privacy Notice. Conversations may be reviewed by human reviewers and used to improve Google's products, services, and machine-learning technologies.
D. Microsoft — Copilot for Microsoft 365 vs. Free Copilot
Microsoft 365 Copilot's enterprise data protection commitment is precise: "Microsoft 365 Copilot Chat uses the user's context to create relevant responses. Microsoft 365 Copilot also uses Microsoft Graph data. Consistent with our other Copilot offers, the prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation models." Microsoft acts as a data processor under the Microsoft Products and Services Data Protection Addendum. The product supports GDPR, the EU Data Boundary (with explicit exceptions for Anthropic-model routing and Bing web queries), ISO/IEC 27018, and a HIPAA BAA "for properly configured implementations."
The consumer Copilot app — and the free web-based Copilot, and Copilot.microsoft.com signed in with a personal account — are governed by the Microsoft Services Agreement and Microsoft Privacy Statement, which are not the same documents.
E. Perplexity — Enterprise Pro vs. Pro / Free
Perplexity is the cautionary case in the list because the default is the trap. Perplexity Enterprise Pro is SOC 2 Type II certified, contractually guarantees that enterprise data is never used to train its own systems or the underlying third-party models (its agreements with OpenAI and Anthropic carry the no-training restriction through), and offers a zero-data-retention configuration via the Sonar API. The free and Pro consumer tiers, however, train on user data by default, and the toggle ("AI Data Retention" in account settings) is on by default. Lawyers using Perplexity Pro without flipping that switch are, on the Heppner logic, inside the third-party-disclosure problem.
F. The Legal-Specific Vendors
Harvey, CoCounsel, Spellbook, and Casetext-Plus build on top of OpenAI, Anthropic, or Google models — typically on the enterprise tier — and add their own contractual layer of no-training, no-retention, and SOC 2/ISO commitments. The privilege analysis for these products turns less on the foundation model and more on the wrapper vendor's DPA, retention defaults, and audit posture. Read the DPA. Negotiate the deletion-on-request clause. Confirm that the underlying model API call is on the enterprise tier with no-training enforced contractually. Then put a copy of the DPA in the file your Morgan-order opponent will demand.
III. The Governance Playbook
The lawyers who survive the next twelve months will be the ones who built this infrastructure before they needed it. The playbook has seven layers.
1. Platform tiering. Three buckets: green (enterprise tier, no training, no retention beyond instruction, DPA in place, deletion-on-request available); yellow (enterprise tier without all three guarantees, or consumer tier with documented opt-outs and a paper trail); red (consumer tier, default settings, or any product whose DPA cannot be produced on demand). Confidential discovery material goes on green only. Privileged communications go on green only, with counsel direction documented in the prompt itself.
2. Counsel-direction documentation. Every AI session that touches a client matter should open with a documented instruction from counsel. The instruction can live in the system prompt, in a saved project, in a privilege-log-ready memo to the client, or in all three. Heppner left the Kovel-agent door open. Walk through it deliberately. As for the prompt: there is no magic phrasing the federal courts have endorsed, but the elements the Kovel line of cases looks for — counsel direction, matter identification, anticipation of litigation — should all be present in the prompt and be contemporaneous.
3. The "do not paste" rule. Privileged attorney correspondence does not go into the prompt. Not the consumer prompt, not the enterprise prompt. Footnote 3 of Heppner is the reason. The privilege analysis for the prompt content is independent of the privilege analysis for the AI output. Pasting privileged material into any platform — even an enterprise one — creates an additional disclosure event whose protection depends on the platform's contract and the user's expectation of confidentiality at the moment of the paste. Use the AI to draft questions about the matter. Do not use it as a paste-bin for everything.
4. The labeling regime. Materials prepared with AI assistance, at counsel's direction, should be labeled as privileged or work-product on creation. Labels are not dispositive — every court since Upjohn has said so — but they create the contemporaneous record a magistrate judge will want to see when opposing counsel moves to compel.
5. The Rule 502(d) order. Consider negotiating it at the Rule 26(f) conference. The order should expressly anticipate AI-assisted work product and AI-assisted communications. It should track Morgan's contractual requirements (no training, no third-party disclosure absent service-essential routing, deletion on request, written documentation of the contractual protections retained by the party). And it should include a clawback provision that survives AI-related inadvertent disclosure under Federal Rule of Evidence 502(b).
6. The vendor file. For every AI platform your firm or your client uses on a covered matter, keep the DPA, the privacy policy version in force at the time of use, the SOC 2 report, the HIPAA BAA (if applicable), and the screenshot of the relevant administrative settings on the date of use. When opposing counsel propounds an interrogatory under Morgan about which AI tools were used and how, your file is the answer.
7. The incident-response plan. Treat a privilege-bearing AI exposure the way you would treat any other privilege breach: clawback letter under Rule 502(b), preservation of metadata, prompt notice to the client, and a documented analysis of whether the disclosure substantially increases the likelihood of the materials reaching an adversary. The work-product standard, after Warner and Morgan, is friendly. The attorney-client standard, after Heppner, is not.
IV. Sample Rule 502(d) and Protective-Order Language
The following clauses, drawn from Morgan and adapted for civil practice, could be a starting point, but only after your own research and legal analysis as an attorney. They are not the ending point. Negotiate, tailor, and run them past your e-discovery counsel.
AI-Use Restriction. No party or authorized recipient shall input, upload, or submit any material designated CONFIDENTIAL or ATTORNEYS' EYES ONLY under this Order into any generative, analytical, or large-language-model-based artificial intelligence platform unless the AI provider is contractually prohibited from (1) storing or using inputs to train or improve its model, and (2) disclosing inputs to any third party except where such disclosure is essential to facilitating delivery of the service. Where disclosure to a third party is essential to service delivery, any such third party shall be bound by obligations no less protective than those required by this Order. The AI provider shall be contractually obligated to remove or delete all CONFIDENTIAL information upon request. A party intending to use AI that it contends meets these requirements shall retain written documentation of these contractual protections and shall produce that documentation upon request from any other party.
Disclosure of AI Use. A party that uses any AI platform to upload, submit, process, review, analyze, organize, or store information designated CONFIDENTIAL or ATTORNEYS' EYES ONLY under this Order shall identify the platform on request from any other party, by name and version, within ten business days. This obligation does not require disclosure of the party's prompts, queries, or outputs, which remain subject to applicable claims of privilege or work-product protection.
Rule 502(d) Non-Waiver Request. The production or disclosure of any documents or information in this litigation, including any production or disclosure incidental to a party's use of an AI platform consistent with this Order, shall not constitute a waiver of the attorney-client privilege or work-product protection in this or any other federal or state proceeding. This Order is entered pursuant to Federal Rule of Evidence 502(d). The parties expressly invoke its protections.
V. The Closing: The tools just got faster, and the privacy policies got longer
The bar's instinct, when a new technology threatens to scramble doctrine, is to either ban the tool or to use it in secret. Both responses fail. Banning the tool is a competitive own-goal in a market where clients increasingly arrive at the engagement letter having already drafted half the matter inside a chatbot. Using the tool in secret is malpractice waiting for a magistrate judge to find it.
The third response — the response Heppner, Warner, and Morgan together demand — is to use the tool deliberately, on the right tier, at counsel's direction, with the protective order written to anticipate it, and with the contracts in the file before anyone moves to compel. The doctrine survives. So does the privilege. So, for that matter, does the client.
It is, in the end, what privilege practice has always been. Discipline at the moment of communication. Documentation at the moment of decision. And the willingness to read the platform's terms of service before you sign the engagement letter, not after the deposition. The tools just got faster, and the privacy policies got longer.
DISCLAIMER: This is journalism and commentary, not legal advice, and reading it does not create an attorney-client relationship. Do your own analysis if you are an attorney, or seek the advice of your counsel.
