New Jersey's RPC 1.6 Is Not a Suggestion: What AI Tools Actually Do With Your Client Data
Photo by Camille Brodard on Unsplash
6 min readApril 20, 2026

New Jersey's RPC 1.6 Is Not a Suggestion: What AI Tools Actually Do With Your Client Data

Legal AI ComplianceNew Jersey EthicsData Governance

There's a pattern I see constantly with solo attorneys and small firms in New Jersey: they adopt an AI tool on a Tuesday, write their first AI-assisted brief by Thursday, and somewhere in between, never once open the vendor's data processing agreement.

I don't say that to be harsh. I say it because the gap between enthusiasm and due diligence is exactly where confidentiality violations are born.

Let's be specific about what's at stake under New Jersey law—and what you can actually do about it.

What RPC 1.6 Demands in the Age of AI

New Jersey Rule of Professional Conduct 1.6 prohibits a lawyer from revealing information relating to the representation of a client unless the client gives informed consent. This is not a novel concept. What is novel is that "revealing" now includes silently transmitting client facts, case details, and litigation strategy to a third-party AI platform's servers for processing—potentially for model training.

The NJ Supreme Court's Committee on Attorney Advertising and the Office of Attorney Ethics have not yet issued a dedicated formal opinion on generative AI (as of mid-2025). But the analytical framework is already there. NJ Ethics Opinion 701 on cloud computing, issued years ago, established a clear principle: technology doesn't create an exception to RPC 1.6, it creates a new vector for violating it. The same logic applies here. You are responsible for understanding where your client's data goes.

The Three Questions Every NJ Attorney Must Ask Before Using Any AI Tool

Most vendors won't volunteer this information upfront. You have to ask directly—and get answers in writing.

1. Does the vendor use my input data to train or fine-tune its models?

This is the critical one. Several popular consumer-grade AI tools (including some widely used by lawyers who should know better) default to using conversation data for training unless you opt out—or unless you're on a paid enterprise tier. If a client's settlement posture, medical history, or immigration status ends up improving a public model, you have a serious RPC 1.6 problem.

2. Where is the data stored, and who can access it?

Acceptable answers involve specific geographic data residency (ideally U.S.-based), SOC 2 Type II certification, and clearly defined employee access controls. "We take security seriously" is not an answer.

3. What does the BAA or DPA actually say?

A Business Associate Agreement matters most in healthcare-adjacent matters (HIPAA). But for any client data, review the Data Processing Agreement carefully. Look for clauses that grant the vendor broad rights to "improve services"—that language often means your data is fair game.

A Practical Compliance Baseline for NJ Small Firms

You don't need a dedicated compliance officer. You need a 30-minute intake process for any new AI tool:

  • Create a one-page AI Vendor Checklist that documents your answers to the three questions above. Keep it in your matter management system.
  • Disable data sharing by default. On tools like ChatGPT, navigate to Settings → Data Controls and turn off "Improve the model for everyone." For Microsoft Copilot in a 365 Business environment, confirm your tenant is configured to exclude data from Microsoft's training pipeline.
  • Use anonymization as a habit, not a backup. When you must use a tool whose data practices you haven't fully vetted, strip identifying information from your prompts. Replace client names with placeholders. Describe facts generically. This isn't paranoia—it's professionalism.
  • Document your reasonable measures. NJ RPC 1.6(c) requires "reasonable efforts" to prevent unauthorized disclosure. Documented efforts are defensible efforts.

The Bigger Picture: This Is a Competitive Advantage, Not Just Risk Mitigation

Here's the reframe most consultants miss: clients—especially corporate clients, healthcare providers, and sophisticated individuals—are starting to ask their attorneys about data security. A solo practitioner in Bergen County who can hand a new client a one-page "How We Protect Your Information When Using AI" summary is not just compliant. They're differentiated.

Your competitors are clicking "I Agree" on Terms of Service without reading them. You don't have to.

The New Jersey Rules of Professional Conduct were written to protect clients. AI doesn't change that obligation. It just makes honoring it require more deliberate effort—and more deliberate effort is exactly what separates good lawyers from great ones.

Adam Elias is the founder of Elias Advisory LLC, helping solo attorneys and small law firms adopt AI responsibly and operate more efficiently. Have a question about AI compliance for your NJ practice? Get in touch.

Get the weekly roundup

New AI Sidebar articles delivered to your inbox. No spam, unsubscribe anytime.