The privilege problem usually starts in a harmless-looking way. A lawyer opens a client video meeting, an AI notetaker joins, the red recording indicator appears, and everyone keeps talking because the calendar is full and somebody needs a usable record. The tool records, transcribes, summarizes, stores, and perhaps syncs the result into a cloud account before anyone in the meeting has read the privacy policy, the data-processing terms, or the model-training language.
That is the center of AI voice transcription privilege concerns in 2026. The danger is not that transcription is modern, or that lawyers should still be typing notes by hand. The danger is that a tool experienced by the user as a private assistant may look, in privilege analysis, like a third-party recipient of confidential legal communications. Once the audio or transcript leaves the lawyer-client circle, the next question is no longer whether the notes were useful. It is whether confidentiality was still objectively reasonable.

As of Q3 2026, the answer is unsettled but no longer theoretical. Consumer-grade cloud AI transcription can create a real waiver risk. Enterprise contracts, business associate agreements, data-processing addenda, and client consent improve the position, but they do not erase jurisdictional uncertainty. The safest architecture, on the materials now available, is still the least dramatic one: transcription that runs on the lawyer’s own hardware and does not transmit audio or client content to a vendor cloud.
The Privilege Question Turns On Where The Conversation Went
Attorney-client privilege does not protect a conversation because it felt private. It protects confidential communications made for the purpose of seeking or giving legal advice. AI transcription changes the analysis when it changes the audience, the storage location, or the vendor’s right to use the content.
For a law firm, the first privilege question is therefore architectural and contractual before it is ethical or technological. Did the tool merely process audio locally? Did it send audio to a third-party server? Did the vendor retain the transcript? Could vendor personnel review it for support, abuse monitoring, or quality control? Could the vendor use it to train or improve models? Was the tool deployed under a negotiated enterprise agreement, a BAA, or a DPA? Did the client consent before the recording began?
Those details are easy to dismiss when a transcript arrives neatly formatted five minutes after a meeting. They are harder to dismiss when a subpoena, privilege log, discovery dispute, malpractice claim, or disciplinary inquiry asks who received the communication and under what terms.
| Configuration | Privilege Posture | Key Questions |
|---|---|---|
| Consumer cloud AI notetaker | Highest waiver risk | Does the vendor retain content, use it for model improvement, share it with third parties, or allow staff access? |
| Enterprise cloud tool | Improved but still fact-dependent | Does the agreement prohibit training, restrict retention, impose confidentiality, and define security and audit rights? |
| Firm-approved internal infrastructure | Lower risk if properly controlled | Is access limited to firm personnel and systems already covered by confidentiality controls? |
| On-device transcription | Architecturally safest on current materials | Does audio stay on the lawyer’s hardware, and is no content transmitted to the vendor? |
Heppner Is The Warning Case, Not A National Rule
The decision that now sits at the center of this risk analysis is United States v. Heppner, a February 2026 Southern District of New York ruling discussed by Ogletree Deakins and Gibson Dunn. The court held that 31 AI-generated documents were not privileged because the user submitted information to a consumer AI platform whose privacy policy disclosed data collection, use for training, and third-party sharing. On those facts, the court found no reasonable expectation of confidentiality.[1][2]
Heppner matters because it does not treat AI as a magic category. It treats the vendor terms as legally consequential. If the platform’s terms permit collection, retention, training use, or third-party sharing, the user’s belief that the exchange was private may not carry much weight. That is the part law firms should take seriously before they invite a generic notetaker into a client meeting.
The court also rejected an attempted Kovel-style argument. Under United States v. Kovel, certain third-party specialists can fall within the privilege when they are necessary to help counsel provide legal advice. Heppner did not extend that logic to the consumer AI vendor, reasoning that the vendor was not a necessary agent for legal representation and owed no fiduciary duty to the client or lawyer.[1][2]
That point should make litigation lawyers pause. A court may be willing to protect an interpreter, accountant, consultant, litigation vendor, or technical specialist when that person or entity is brought in under circumstances that preserve confidentiality and assist legal representation. A mass-market AI platform with broad consumer terms is a different evidentiary animal. The fact that a transcript helps the lawyer remember what happened does not, by itself, make the vendor necessary to the legal advice.
Still, Heppner should not be oversold. It is one federal district court decision, not a uniform national rule. It is also not a holding that every AI-assisted legal document or transcript is automatically unprivileged. Its force comes from the fit between the facts and the privilege doctrine: consumer terms, vendor access or use rights, lack of fiduciary duty, and no adequate basis to treat the vendor as a protected legal agent.
Ethics Guidance Has Moved From Caution To Operations
NYC Bar Formal Opinion 2025-6, issued December 22, 2025, is not binding law, but it is one of the clearest operational statements for lawyers using AI to record, transcribe, and summarize client conversations. It requires client consent before recording, evaluation of vendor data storage and training practices, and independent lawyer review of AI-generated transcripts for accuracy.[3]
The opinion is useful because it does not stop at the familiar instruction to “maintain confidentiality.” It asks lawyers to look at the actual workflow. A lawyer who uses an AI notetaker must know whether the system records audio, where the recording goes, how long the vendor keeps it, whether it is used to train models, and whether humans at the vendor can see it. That is not an IT preference. It is part of the lawyer’s duty analysis.
The independent-review requirement also deserves attention. A transcript may be confidential and still be wrong. Names, dates, admissions, settlement positions, medical conditions, and litigation strategy can be distorted in a way that looks official once copied into a file. If the transcript later appears in a chronology, demand letter, investigation memo, or witness outline, the lawyer owns the consequences of relying on it.
The Boston Bar Association’s December 2024 guidance frames the same problem through four practical factors: consent, security, confidentiality and privilege, and file retention. It specifically points lawyers toward wiretap compliance in all-party-consent states, encryption and licensing, DPAs, keeping AI inputs and outputs on the lawyer’s own devices or clouds rather than disclosing them to third parties, and deciding how the resulting files will be retained.[4]
Illinois-focused guidance from 2Civility and the ARDC in May 2026 adds a useful sequence: classify the sensitivity of the information, identify whether the tool is internal or third-party, and evaluate vendor retention, training, and staff-access practices. It also flags the Illinois Biometric Information Privacy Act, because voiceprints can qualify as biometric identifiers requiring strict notice and consent.[5]

Consent Is Not A Cleanup Tool
Client consent helps. It may be required. It is not a universal solvent for privilege risk.
Before recording begins, lawyers must deal with recording law. AI notetakers that automatically join meetings and capture audio implicate state wiretap and eavesdropping rules, especially in all-party-consent jurisdictions. The research materials identify California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, and Washington among the jurisdictions that require heightened attention before recording. The Boston Bar guidance specifically warns lawyers to evaluate wiretap compliance before using AI notetakers in client conversations.[4]
The consent needed for recording is not necessarily the same as the consent needed for confidential data handling. A client may agree that the lawyer can record a meeting for note-taking. That does not mean the client knowingly agreed that the recording may be uploaded to a vendor cloud, retained for a period defined in consumer terms, accessed by vendor personnel, or used for model improvement. The more sensitive the matter, the less defensible it becomes to bury that distinction in a generic meeting notice.
A defensible consent process should tell the client what will be recorded, why it is being recorded, what tool or system will process it, whether any third-party vendor receives the audio or transcript, whether the vendor may retain or use the content, who can access the transcript, and how the client can decline. That explanation need not be theatrical. It does need to be accurate.
The Current Case Law Does Not Point In One Direction
Heppner is the cleanest warning for consumer AI use, but it is not the only 2026 authority practitioners have to read. Gray Reed’s discussion of Warner v. Gilbarco and Morgan v. V2X describes two federal decisions that declined to follow Heppner’s path in the work-product context. Warner, from the Eastern District of Michigan in February 2026, treated AI tools as “non-persons” and held that work product protection survived AI assistance. Morgan, from the District of Colorado in March 2026, rejected Heppner’s reasoning on work product.[6]
That split should narrow, not broaden, the advice. The safer reading is not that AI tools are always protected or always fatal. The safer reading is that courts are sorting different doctrines, different facts, and different tool configurations. Work product is not identical to attorney-client privilege. Counsel-directed use is not identical to a client or lawyer pasting material into consumer terms. Enterprise protections are not identical to a free or individual account.
For privilege logs and discovery fights, that means the factual record matters. A firm that can show a vetted enterprise deployment, contractual confidentiality, no model training, limited retention, restricted access, security controls, and informed client consent is in a different position from a firm that allowed staff to invite a consumer bot into client meetings because it made summaries convenient. The law may be unsettled, but the evidentiary posture is not random.
Brewer Shows Why Vendor Conduct Is No Longer Hypothetical
Brewer v. Otter.ai, filed in the Northern District of California in August 2025, is a class action alleging that Otter.ai secretly records and transmits user communications, including privileged attorney-client conversations, to third parties and uses content for model training without consent. The claims described in practitioner analyses include allegations under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and the California Invasion of Privacy Act.[7][8]
Those are allegations, not findings. Brewer should not be cited as proof that Otter.ai or any other vendor did what the complaint alleges. Its value for risk analysis is more modest and more practical: plaintiffs are now pleading vendor-side AI notetaker behavior as the basis for privacy, consent, and confidentiality claims. That alone changes the diligence conversation inside law firms.
A partner approving a transcription tool should assume that the vendor’s marketing page will not be the document quoted in a later dispute. The privacy policy, product-specific AI terms, security addendum, support-access policy, retention schedule, subprocessors list, and model-training disclosures are more likely to matter. If those documents are inconsistent, vague, or subject to unilateral change, the firm should treat that as a legal risk, not a procurement annoyance.
Four Deployment Patterns, Four Different Risk Profiles
Consumer Cloud
Consumer cloud is the configuration most exposed by Heppner. The risk is highest when the tool is adopted by individual lawyers or staff without firm review, uses standard consumer terms, permits vendor retention or model improvement, allows broad support access, or fails to provide a meaningful confidentiality commitment. The tool may be excellent at summarizing meetings and still be poorly suited to privileged legal communications.
This is also where convenience most often outruns governance. A lawyer under deadline sees a button that says “record,” a calendar integration that says “auto-join,” or a meeting summary that arrives before the next call. Nobody intends to waive anything. But privilege waiver rarely requires bad intent. It often turns on disclosure inconsistent with confidentiality.
Enterprise Cloud
Enterprise cloud is not the same risk category. A negotiated enterprise agreement may prohibit training on customer content, impose confidentiality obligations, limit retention, restrict human access, define subprocessors, require encryption, support audit rights, and provide a DPA or BAA where appropriate. Those facts do not guarantee privilege, but they directly address the points that made consumer use dangerous in Heppner and in ethics guidance.
The mistake is to treat “enterprise” as a label rather than a set of enforceable terms. Some enterprise AI features are off by default; others are on unless disabled. Some tools separate meeting transcripts from model-training pipelines; others use broad product-improvement language. Some agreements bind affiliates and subprocessors tightly; others leave important access questions to documentation that changes over time. The review has to reach the actual product configuration used by the firm.
Internal Firm Infrastructure
A firm-approved internal system lowers risk when audio and transcripts remain inside environments already governed by the firm’s confidentiality, access-control, retention, and security policies. This may include private cloud infrastructure or approved legal technology platforms configured so that client content is not disclosed to a vendor for independent use.
Internal does not mean informal. The firm still needs access limits, matter-level permissions, retention rules, auditability, and a process for correcting or discarding inaccurate transcripts. A transcript of a privileged meeting is still a privileged record, and in some matters it may be more sensitive than the lawyer’s handwritten notes because it captures more of the client’s raw speech.
On-Device Transcription
On-device transcription has the strongest architectural argument because it avoids the pivotal disclosure event. If the audio is processed locally on the lawyer’s hardware and is not transmitted to a vendor, the lawyer has fewer facts to explain in a privilege dispute. There may still be consent, retention, accuracy, and security issues, but the third-party cloud-recipient problem is materially reduced.
That conclusion should be kept separate from any vendor’s sales pitch. “On-device” is safer only if it means what it says: no audio upload, no transcript upload, no model-training feed, no support-copy exposure, and no hidden cloud fallback. If the product silently transmits snippets for processing, diagnostics, or quality improvement, the privilege analysis changes.
The Due Diligence Questions That Actually Matter
Law firms do not need a philosophical debate before every recorded meeting. They need a short, repeatable review that separates tolerable tools from tools that should never hear privileged speech.
- Data flow: Does audio, video, chat, transcript text, or summary content leave the lawyer’s device or firm-controlled environment?
- Retention: How long does the vendor keep recordings, transcripts, summaries, prompts, metadata, and logs?
- Model training: Is customer content excluded from model training and product improvement by enforceable contract, not just settings text?
- Human access: Can vendor support, trust-and-safety, engineering, contractors, or subprocessors review meeting content?
- Contractual protections: Is there a DPA, BAA where needed, confidentiality language, subprocessor control, breach notice, deletion right, and audit or certification evidence?
- Client consent: Has the client been told that the meeting will be recorded and, if applicable, processed by a third-party AI vendor?
A firm that cannot answer those questions should not use the tool for client meetings, witness preparation, settlement discussions, board advice, internal investigations, criminal defense strategy, medical facts, employment allegations, trade secrets, or any conversation likely to appear on a privilege log.
Transcripts Create Records, Not Just Convenience
AI transcription also increases the volume and discoverability profile of records. A lawyer’s rough notes may once have captured themes and action items. A full transcript may capture hesitation, speculation, settlement appetite, witness uncertainty, or a client’s unfiltered description of disputed events. That can be valuable for lawyering. It can also become a document set that must be reviewed, logged, preserved, corrected, or defended.
Fortis Advisors v. Krafton, a Delaware Chancery matter discussed in March 2026 commentary, illustrates the broader point that AI-generated content can become litigation evidence. The case involved a CEO’s ChatGPT logs being admitted as trial evidence of bad faith in a $250 million earnout dispute.[9]
Fortis was not an AI transcription privilege case. It should not be stretched into one. Its lesson is narrower: once AI interactions create stored content, litigants may try to use that content. For law firms, the practical result is that transcript retention cannot be an afterthought. Someone must decide whether recordings are kept, for how long, in which matter file, under whose access rights, and under what litigation-hold process.
A Defensible Mid-2026 Risk Framework
For client meetings, the safest default is to classify AI transcription tools by disclosure risk before classifying them by features. Accuracy, speaker labels, summaries, CRM integrations, and action-item extraction matter only after the firm knows whether privileged speech is leaving protected channels.
- Do not use consumer-grade cloud notetakers for privileged client communications unless the firm has reviewed and accepted the waiver risk in that specific jurisdiction and matter.
- Prefer on-device transcription when the meeting involves privileged, highly sensitive, regulated, or litigation-significant information.
- If using enterprise cloud transcription, require enforceable no-training terms, retention limits, confidentiality obligations, restricted staff access, security controls, and appropriate DPA or BAA coverage.
- Obtain consent before recording and make the consent specific enough to cover any third-party AI processing.
- Review AI transcripts before relying on them, filing them, sending them to clients, or incorporating them into legal work product.
- Treat transcripts, summaries, recordings, and AI logs as records subject to matter-level retention, litigation hold, and privilege-review procedures.
This framework leaves room for the reasons lawyers use transcription in the first place. Accurate notes help overloaded teams. Transcripts can support accessibility, continuity, supervision, and better follow-through. A lawyer who cannot hear every speaker clearly, a paralegal managing a dense factual interview, or a small firm juggling back-to-back consultations may have sound reasons to want technological help.
The privilege question is whether the chosen tool makes that help too expensive. In mid-2026, consumer cloud AI transcription carries the sharpest waiver risk because it can introduce a third-party vendor under terms that do not preserve confidentiality. Enterprise agreements and informed consent can improve the record, especially where they prohibit training and control retention and access. They do not eliminate all uncertainty across jurisdictions. On-device transcription that keeps audio and transcripts off vendor systems remains the strongest architecture when the conversation is one the lawyer may later have to defend.
References
1. The Intersection of AI and Attorney-Client Privilege: A Cautionary Tale, Ogletree Deakins.
2. AI Privilege Waivers: SDNY Rules Against Privilege Protection for Consumer AI Outputs, Gibson Dunn.
3. Formal Opinion 2025-6: Ethical Issues Affecting Use of AI to Record, Transcribe and Summarize Conversations with Clients, New York City Bar Association, Dec. 22, 2025.
4. AI Notetakers: What Must Lawyers Do to Use Them?, Boston Bar Association, Dec. 2024.
5. When AI Notetakers Enter Your Client Meetings: Ethical Duties and Risks for Lawyers, 2Civility, May 2026.
6. Differing Federal Court Rulings on AI-Generated Documents: Application of Work Product Privilege, Gray Reed.
7. New Lawsuit Highlights Concerns About AI Notetakers, Fisher Phillips.
8. We Get AI for Work: Analyzing Brewer v. Otter.ai as a Case Study in Legal Risks of AI Note-Takers, Jackson Lewis.
9. When Your AI Tool Becomes a Witness: AI Tools, Privilege Waiver, and the Hidden Risks of Generative AI Technology, Hinckley Allen.