
The Heppner Ruling and the 20-Million-Log Order: Why AI Chat Privacy Is a Legal Fiction
Two federal court decisions in early 2026 settled a question most founders were ignoring: your AI chat logs carry no special privacy protection. They are ordinary discoverable records, subject to subpoena, compelled production, and privilege waiver analysis just like email, Slack messages, or any other business document you generate on someone else's infrastructure. If you have been treating your AI conversations as a private diary, the Southern District of New York has corrected you.
Key Takeaways
- A federal judge affirmed an order requiring production of 20 million chat logs in copyright litigation, rejecting the argument that user privacy interests blocked discovery.
- In United States v. Heppner, Judge Jed Rakoff ruled that documents generated using a consumer AI chatbot are not protected by attorney-client privilege, because the chatbot is not an attorney and the platform's data-sharing policies negate confidentiality.
- Courts relied on the "voluntary submission" doctrine: you chose to send your data to a third-party platform that retains it, so your privacy interest is diminished as a matter of law.
- The rulings are fact-dependent, not sweeping new law. But the specific facts they turn on (default data retention, no enterprise agreement, no counsel direction) describe how most people actually use AI tools right now.
- Architecture matters more than policy. If a product is built so the vendor cannot retain or read your content, the factual premise underlying "voluntary disclosure to a third party" weakens substantially.
What Happened in the 20-Million-Log Order?
A group of news organizations, including the New York Times and Chicago Tribune, sued OpenAI for copyright infringement. During discovery, plaintiffs sought access to user chat logs to demonstrate what the model was outputting. OpenAI proposed running a keyword search instead of producing full logs, arguing that user privacy made bulk production inappropriate. Magistrate Judge Ona Wang rejected that proposal. On January 5, 2026, District Judge Sidney Stein affirmed her order.
The numbers are worth sitting with. OpenAI retains tens of billions of chat logs in the ordinary course of business. Plaintiffs initially sought 120 million. The parties negotiated down to 20 million. The court treated 20 million as the compromise, not the ceiling.
The court acknowledged that users have "sincere" privacy interests in their conversations. Then it found those interests adequately addressed by three measures: reducing the sample from tens of billions to 20 million, de-identifying personal information, and enforcing the existing protective order. That was enough. The logs went to plaintiffs' counsel.
Why Did the Court Say Users Have a "Diminished Privacy Interest"?
Because users voluntarily submitted their communications to a third party. The court distinguished the situation from a securities case involving wiretapped calls, noting that chatbot users, unlike wiretap subjects, chose to send their messages to a platform that stores them. This is the third-party doctrine applied to AI. You typed it into someone else's system. They kept it. A court can order them to hand it over.
The legal reasoning here is not novel. The third-party doctrine has been around since Smith v. Maryland in 1979. What is new is its application to AI chat, where the conversational format creates a false sense of intimacy. You feel like you are talking to something. You are typing into a database.
What Did Judge Rakoff Decide in Heppner?
On February 10, 2026, Judge Jed Rakoff of the Southern District of New York ruled from the bench that documents a criminal defendant generated using a consumer-grade AI chatbot were not protected by attorney-client privilege or work-product doctrine. He issued a full written opinion on February 17, 2026.
The defendant, Heppner, had used Anthropic's Claude to process information related to his criminal case. He argued the resulting documents were privileged. The court rejected that claim on four independent grounds:
- An AI chatbot is not an attorney, so communications with it cannot be attorney-client communications.
- The communications were not confidential, because the platform's privacy policy permits collecting and sharing user data.
- Heppner did not use the chatbot at his counsel's direction.
- The outputs did not reflect defense counsel's strategy or constitute work product.
Each of those grounds would have been sufficient on its own. Together, they constitute a fairly thorough rejection of the idea that consumer AI chat logs enjoy any special legal protection.
Does Heppner Mean All AI-Generated Work Is Discoverable?
No. The ruling is narrower than the headlines suggest, and some legal commentators have pushed back on the "everything is discoverable" framing. Judge Rakoff reportedly indicated he did not consider the decision a new finding of law. His reasoning turned on specific facts: Heppner used a free consumer tool, not at his attorney's direction, on a platform whose terms permit data sharing.
A contrasting case illustrates the boundaries. In Morgan v. V2X, Inc. (D. Colo., March 30, 2026), a pro se litigant was compelled to disclose which AI tool he used (the court identified it as Google Gemini), but the work product itself was found likely privileged. Different facts, different result.
The discovery landscape for AI-generated materials is fact-dependent. But the specific facts that triggered exposure in Heppner (default data retention, consumer-tier terms, no attorney involvement, a privacy policy that allows sharing) describe the default state of how most people use AI chatbots today. The exception requires deliberate action to create.
What About the Privilege Waiver Problem?
This is the part that should concern you most if you use AI tools anywhere near legal matters. Heppner had fed information from his attorneys into the chatbot. The government argued, and Judge Rakoff agreed, that sharing privileged attorney-client communications with a third-party AI platform may waive privilege over the original communications themselves.
Read that again. You receive privileged advice from your lawyer. You paste it into a consumer chatbot. You may have just waived privilege not only over the chatbot session but over the original attorney communication. The waiver cascades backward.
Law firms are responding operationally. Firms including Sher Tremonte are updating engagement terms to add contract clauses stating that sharing lawyer communications with an AI could waive privilege. This is not theoretical guidance. It is showing up in retainer agreements right now.
What Are the Actual Risk Factors a Founder Should Track?
If you strip out the alarm and look at what the courts actually relied on, a short list of concrete risk factors emerges. These are the levers that determine whether your AI chat logs are exposed or protected:
- Data retention defaults. Does the platform store your inputs and outputs? If yes, those records exist to be subpoenaed. The 20-million-log order was possible because the provider retained tens of billions of logs.
- Privacy policy terms. Does the terms of service permit the provider to collect, use, or share your data? In Heppner, the platform's policy negated any claim of confidentiality. The court did not have to reach the question of whether the data was actually shared. The permission to share was enough.
- Consumer vs. enterprise tier. Consumer terms typically include broad data-use rights. Enterprise agreements can restrict retention and use. The tier you are on matters legally, not just operationally.
- Attorney direction. Was the AI use directed by counsel as part of legal work? In Heppner, it was not, and that was one of four independent grounds for rejecting privilege.
- Content of inputs. Did you paste in privileged material? If you did, the waiver analysis applies to the source material, not just the chatbot output.
Legal advisors are now recommending that organizations prohibit the use of unapproved AI tools for privileged materials and never input attorney advice, work product, or case strategy into consumer AI platforms. Others are advising organizations to evaluate whether AI vendors offer modes that prevent storage of inputs and outputs, content filtering to detect sensitive information before processing, and redaction mechanisms at ingest.
Is This Only a Legal Problem, or an Operational One Too?
It is both. The legal exposure created by these rulings is downstream of an operational reality: people paste sensitive material into AI tools without thinking about where it goes.
A recent incident illustrates the gap. A contractor working for a New South Wales government department uploaded a spreadsheet containing thousands of rows of sensitive flood victim data directly into a consumer chatbot. This was not a sophisticated attack. It was someone trying to get work done. The data left the organization's control because nothing in the architecture prevented it.
This is the "shadow AI" problem. Your employees, contractors, and co-founders are using AI tools you have not approved and may not know about. The data they enter is retained under consumer terms. That data is now, per the logic of these rulings, a discoverable record sitting on someone else's infrastructure.
Why Does Architecture Matter More Than Policy Here?
The courts' reasoning in both cases rested on factual predicates about how the technology works. Users "voluntarily submitted" communications to a platform that retains them. The platform's policy permits data sharing. The data is not confidential because the platform can access it.
Each of those predicates is a design choice, not a law of physics. If a product is architected so the vendor cannot retain or read your content, the factual basis for the court's reasoning changes. The "voluntary disclosure to a third party" argument weakens when the third party cannot access what was disclosed.
We think about this constantly at Selina because our memory system is encrypted at rest. A practical consequence: when we debug issues, a content column in the database can read as empty and still decrypt to valid data through the application's own decrypt path. You cannot just query a table and read what a user said. You have to trace through the application's decryption on the specific rows under investigation. This is not a feature we advertise for convenience. It is just the operational reality of building on encrypted storage. It makes debugging slower. It also means a raw database dump, the kind of thing a discovery order might target, does not produce readable content without the decryption layer.
To be clear about what we do and do not claim: Selina's memory is NOT end-to-end encrypted. A slice of each request reaches a frontier provider at inference time, because that is how inference works. Files and transfers through SelinaSEND are zero-knowledge encrypted. Memory is not. We keep non-content operational metadata for a short retention window. The account itself is protected, not encrypted. We are specific about these boundaries because vague claims about "privacy" are exactly what the courts found insufficient in both Heppner and the 20-million-log order.
What Should Founders Actually Do Right Now?
Start with an audit of what AI tools your team uses and what data flows into them. This is not a compliance exercise you can defer. The 20-million-log order was affirmed in January 2026. Heppner was decided in February 2026. These are current law.
Concrete steps, ordered by immediacy:
- Inventory your AI tool usage. Consumer-tier accounts with default retention are your highest exposure. Every conversation stored under consumer terms is a discoverable record.
- Review the privacy policies of every AI vendor you use. The Heppner court did not care whether data was actually shared. It cared that the policy permitted sharing. Read the terms you agreed to.
- Establish a policy on privileged material. No attorney advice, work product, or case strategy goes into any AI tool unless counsel has specifically approved that tool and that use. The privilege waiver risk cascades backward to the original communication.
- Evaluate vendor architecture, not just vendor promises. A terms-of-service promise not to access your data is worth less, legally, than an architecture that makes access technically impossible. The court in the 20-million-log case weighed "what safeguards exist," and treated de-identification and a protective order as sufficient. Stronger technical safeguards change that calculus.
- Document your AI governance decisions. If you later face discovery, you want a record showing you made deliberate choices about which tools were approved and what data could flow into them. The absence of any policy is itself a fact a court can weigh.
Is State Legislation Adding Pressure Beyond Discovery?
Yes. State lawmakers in Oregon, Utah, Virginia, and Washington are advancing chatbot-specific legislation, with Utah's Companion Chatbot Safety Act progressing through its legislature. The EU's AI Act adds a separate regulatory layer for companies operating in European markets. These are not yet discovery rules, but they create additional compliance surfaces and additional records requirements that compound the exposure created by the federal rulings.
The trend line is clear. Regulatory and judicial attention to AI chat data is increasing on multiple fronts simultaneously. The window during which AI conversations existed in a legal gray zone is closing.
What Is the Honest Takeaway?
The Heppner ruling and the 20-million-log order did not create sweeping new law. They applied existing doctrines (third-party doctrine, voluntary disclosure, privilege waiver) to a new technology and found, unsurprisingly, that the existing doctrines work the same way they always have. If you voluntarily send data to a platform that retains it under terms permitting data use, you have a diminished privacy interest in that data and no privilege claim over it.
The reason these decisions matter for founders is not that they changed the law. It is that they confirmed what the law was all along, and most people were building and behaving as if it were otherwise. Every AI chat your team has had on a consumer-tier platform is a discoverable record. It has been a discoverable record since the moment it was typed. The courts just said so out loud.
You can treat this as a reason to panic, or you can treat it as a design constraint. We treat it as a design constraint.
Start a free 7-day trial, no card required.
Frequently Asked Questions
What did the 20-million-log order require?
A federal court affirmed an order requiring a major AI chatbot provider to produce 20 million user chat logs in copyright litigation, rejecting the company's proposal to run a keyword search instead. The court found that reducing the sample size, de-identifying personal information, and enforcing the existing protective order adequately addressed users' privacy interests.
Why did the court say users have a 'diminished privacy interest' in their chat logs?
The court applied the third-party doctrine, reasoning that users voluntarily submitted their messages to a platform that stores them, unlike parties to a wiretapped call. Because the data was knowingly sent to and retained by a third party, the court found the users' privacy interest reduced as a matter of law.
What did the Heppner ruling decide about attorney-client privilege and AI chatbots?
Judge Rakoff ruled that documents a criminal defendant generated using a consumer-grade AI chatbot were not protected by attorney-client privilege or work-product doctrine. The court gave four independent grounds: the chatbot is not an attorney, the platform's privacy policy permitted data sharing so communications weren't confidential, the defendant didn't use the tool at counsel's direction, and the output didn't reflect defense strategy.
Does this mean all AI-generated legal work is now discoverable?
No, the ruling is fact-dependent rather than a sweeping new rule, and a contrasting case (Morgan v. V2X) found similar AI-assisted work product likely privileged under different facts. The exposure in Heppner stemmed from specific circumstances, consumer-tier terms, no attorney direction, default data retention, that happen to describe how most people currently use AI tools.
What is the privilege waiver risk when using AI chatbots?
If someone pastes privileged attorney-client communications into a consumer AI chatbot, sharing that information with a third-party platform may waive privilege not just over the chatbot session but over the original attorney communication itself. Some law firms are now updating engagement terms to warn clients that sharing lawyer communications with an AI tool could waive privilege.
Sources & References
- United States v. Heppner and AI Discovery: Confidentiality and Privilege Concerns
- Can ChatGPT Be Used Against You in a Pennsylvania Divorce or Custody Case? - Leech Tishman: Legal Services
- US court rules AI chat logs not protected by attorney-client privilege | Insurance Business
- Your AI Conversations Are Not Privileged: What a New SDNY Ruling Means for Every Lawyer and Client | Jones Walker LLP
- No, Using AI Doesn't Make Your Business an Open Book
- AI, Privilege, and Discovery in View of "Heppner" and "Morgan" | Sterne Kessler
- AI Tools, Legal Advice and the Limits of Attorney-Client Privilege | Williams Mullen
- Court Ruling Exposes AI Chats As Discoverable Evidence | Let's Data Science
- In a First, Court Finds AI-Generated Documents Not Protected by Attorney-Client Privilege
- OpenAI Must Turn Over 20 Million ChatGPT Logs, Judge Affirms
- OpenAI Loses Privacy Gambit: 20 Million ChatGPT Logs Likely Headed to Copyright Plaintiffs | Jones Walker LLP
- OpenAI Loses Privacy Gambit: 20 Million ChatGPT Logs Likely Headed to Copyright Plaintiffs
- ChatGPT creator must turn over 20M chat logs in copyright litigation, federal judge says
- When Chats Become Evidence: Court Affirms Order Requiring OpenAI to Produce 20 Million De-Identified ChatGPT Logs
- 20 Million ChatGPT Conversations | Shelly Palmer
- Court ruling against OpenAI: 20 million ChatGPT logs must be disclosed - NotebookCheck.net News
- AI Chatbot Compliance: Key Legal Risks and Regulatory Considerations for Businesses in 2026 | News & Insights | Arnall Golden Gregory LLP
- AI Privacy Rules: GDPR, EU AI Act, and U.S. Law
- AI Regulation News | July, 2026 (STARTUP EDITION)
- Business Risk: Can AI Chats Be Subpoenaed? - Novatech
- AI Act | Shaping Europe's digital future - European Union
- AI Chatbot Compliance: Key Legal Risks and Regulatory Considerations for Businesses in 2026 | Arnall Golden Gregory LLP - JDSupra
- 2026 Operational Guide to Cybersecurity, AI Governance & Emerging Risks | Corporate Compliance Insights
- AI Governance Weekly - July 10, 2026: AI Governance Regulation & Policy Roundup | AI Governance Institute
- Data Privacy Day 2026: Privacy as the Foundation of Responsible AI Governance | Jones Walker LLP
- Top 10 Privacy, AI & Cybersecurity Issues for 2026 | Workplace Privacy, Data Management & Security Report
