A chatbot on your homepage can boost conversions—and quietly knock you out of your next marquee engagement. Under ABA Model Rule 1.18, a visitor who shares matter details with an AI intake tool can become a “prospective client.”

That triggers confidentiality duties, potential conflicts, and even firmwide disqualification if the bot collects “significantly harmful” info. The risk only grows in 2025 as firms roll chat across practice groups and multiple jurisdictions.

Here’s the practical version: when AI intake creates duties, how clickwrap and disclaimers shape expectations, and what “reasonable measures” and Rule 1.18(d) screening actually look like day to day. We’ll cover conflict‑first intake (minimal facts before any storytelling), confidentiality and vendor oversight under Rules 1.6 and 5.3, advice-avoidance guardrails, security and short retention for unretained prospects, jurisdiction quirks, and a step‑by‑step rollout.

And yes—how to do all of this in LegalSoul with real-time conflict checks, ethical gating, automated screens and notices, and audit‑ready logs so you can move fast without stepping on a rake.

Key Points

• AI intake can create duties to “prospective clients” under Rule 1.18 when the bot invites matter facts. Don’t lean on fine print alone—use a mandatory clickwrap gate before any free text or uploads.
• Conflicts first. Ask for names, opposing parties, matter type, and jurisdiction, run checks, then allow narrative. If “significantly harmful” info slips through, use Rule 1.18(d): show reasonable measures, screen fast, send written notice.
• Treat intake data like sensitive client info: vet vendors, require no training on your data, encrypt everything, keep access tight, purge unretained records on a short timer, and defend against prompt injection and “conflict‑out” abuse.
• Build for compliance and conversion. Add advice-avoidance guardrails, adapt disclaimers by jurisdiction, and document what you do. LegalSoul bakes this in—ethical gating, conflict‑aware AI, one‑click screens/notices, and clean audit trails.

Why this matters in 2025

Clients expect instant replies. Ethics rules still expect discipline. The 2023 ABA Legal Technology Survey Report shows more firms adopting chat, SMS, and AI assistants—and 29% reported a security incident. That combo should make you pause.

Two realities: first contacts are often high value, and early disclosures can knock you out of future work. Also, malpractice carriers now ask pointed questions about AI intake, logs, and screening. If insurers care, you should too.

Modern marketing stacks add risk: ads, landing pages, chat widgets, analytics—all new doors where “prospective client” status can attach, sometimes before your standard disclaimer appears. Treat intake like e‑discovery. Limit what you collect, label it right away, and route it with tracking you can defend.

Tiny UX choices—placing a free‑text box, allowing uploads too early, a friendly “tell me what happened”—decide whether you capture a lead or inherit a conflict.

The short answer and risk snapshot

Short version: yes. If someone consults about representation and shares info you invited or reasonably should expect to be confidential, Rule 1.18 duties kick in. That includes a firm‑run chatbot acting on your behalf.

• Conflicts can be imputed if “significantly harmful” info is collected.
• You can lose lateral or future matters after a single bad interaction.
• Privacy and breach exposure grows when intake data sprawls across vendors.
• UPL and advertising issues pop up if the bot drifts into advice.

Rule 1.18(d) gives a path if you designed for it: take reasonable measures to limit exposure, screen promptly, send written notice. The trick with AI is timing—put the gate at the beginning. Ask just enough to run a conflict check. Hold narrative until you’re in the clear.

Who is a “prospective client” under ABA Model Rule 1.18?

Anyone who consults with a lawyer about possible representation. Your bot counts as your agent. The test is the person’s reasonable expectation, which you shape with what the bot says and how it behaves.

If it asks, “Tell me what happened,” you invited facts. If it shows “no attorney‑client relationship” language and blocks free text until consent and a conflicts mini‑form, expectations shift.

Courts looking at online assent focus on clarity and conspicuousness (think Meyer v. Uber; Nguyen v. Barnes & Noble). Not ethics cases, but the same UX principles help show reasonableness. Use plain language, a required checkbox, and put the notice before any sensitive field.

Also plan for adversarial contacts. A rival or opposing party can try to plant a conflict. Collect only what you need for screening—names, matter type, jurisdiction—then route to a safe declination if you see a red flag. Don’t invite a long narrative you don’t need and can’t un‑read.

How AI chatbots can trigger Rule 1.18 duties

Your bot can easily attract protected disclosures. Watch for these:

• Free‑text prompts before any conflict triage.
• “Upload your documents” on the first screen.
• Marketing lines that sound like legal triage (“I can assess your case in minutes”).
• No disclaimer or consent gate before input.

Once a transcript exists, it’s a vault of confidential info. Even if you never take the matter, Rule 1.6 expects you to safeguard it. Formal Opinion 491 highlights “significantly harmful” nuggets like admissions, settlement ceilings, and strategy—exactly what a helpful bot might pull out.

Fix the flow: start with structured fields—party names, matter type, jurisdiction. Run a conflict check. Only then unlock narrative. If a potential conflict appears, freeze the chat, give a polite message, and hand it to a conflicts team with limited access. Treat uploads as a second phase and only after explicit consent.

Disclaimers and “reasonable measures” to limit exposure

Disclaimers help, but design carries the weight. Use a mandatory, plain‑language clickwrap before any free text or uploads. Say: no attorney‑client relationship yet, don’t send confidential or time‑sensitive info, and consent to limited use of data for conflicts and follow‑up.

Courts regularly enforce clear clickwrap; “browsewrap” links buried in footers fare poorly (see Meyer; Nguyen). Not ethics law, but the factors overlap: prominence and assent. Also test on mobile—many first contacts happen on phones, and chat launchers can hide notices.

One more thing: adapt the gate. If a visitor arrives from a “free consultation” ad, show a stricter notice and delay narrative prompts. If it’s a known referral partner, preload a conflicts mini‑form. Log which disclaimer version appeared and the consent captured. That metadata can save you later.

Conflicts: “significantly harmful” information and imputation

“Significantly harmful” means info that could materially hurt the prospective client—admissions, settlement limits, strategy, or privileged third‑party material. If your bot gathers that, you (and possibly the firm) can be disqualified in an adverse matter. At scale, this snowballs.

Rule 1.18(d) lets you proceed adverse if you:

1. Took reasonable measures to avoid more exposure than needed,
2. Implemented a timely screen, and
3. Sent written notice to the prospective client.

“Timely” means right away. “Reasonable” means your intake starts with party names, pauses before narrative, and routes appropriately. The notice should describe the screen without revealing the adverse client or any strategy, and confirm the screened lawyer has no role or access.

Also, expect bad‑faith attempts. Rate‑limit submissions, throttle pasted walls of text, and watch for obvious “poison pill” dumps. The best move is prevention—don’t collect harmful detail until you’re sure you should.

Confidentiality and vendor management (Rules 1.6, 5.3)

Rule 1.6 says protect info. Rule 5.3 says supervise nonlawyers, which includes AI vendors. Formal Opinion 477R pushes encryption and risk‑based safeguards; Formal Opinion 498 covers virtual practice duties.

Do real vendor diligence: SOC 2/ISO 27001, no training on your data, subprocessor approval, breach notice terms, and ongoing monitoring. Keep a short retention schedule for unretained prospects (think 30–90 days), and honor deletion requests when the law allows. Intake data sitting in a chat vendor’s cloud is an easy target.

Don’t forget model changes. If your vendor swaps models or tweaks prompts, your risk changes. Require change notices. Red‑team your bot regularly. Lock API keys to least privilege and region‑limit data. Keep prospect transcripts separate from client records with different access and retention. And make sure your privacy notice matches what you actually do.

Avoiding inadvertent legal advice and UPL concerns

Your bot should not sound like a lawyer. Keep it informational. No “You have a strong case.” No jurisdiction‑specific commands. Escalate anything that smells like strategy to a human.

• Refuse hypotheticals: “I can’t assess merits here—let’s connect you with an attorney.”
• Geo‑filters so you don’t drift outside licensed areas.
• Escalation triggers for terms like “deadline,” “statute,” “settlement.”
• Neutral, helpful templates paired with scheduling links.

Regulators worry when automated tools mislead consumers. Even if your bar hasn’t acted yet, other sectors have drawn heat. A quick test: ask nonlawyers on your team to poke holes and see if the bot gives advice. If they can pry it loose, so can the public—and opposing counsel. Build a refusal vocabulary and log it.

Intake design blueprint: conflicts-first, minimal-data collection

Treat intake like triage. Collect in this order:

• Names of the inquirer and known opposing parties,
• Matter type with a categorical description,
• Jurisdiction and key dates (no narrative),
• Contact info to schedule a call.

Run the conflict check. Only then allow narrative or uploads. Keep attachments off by default and enable them after clearance with a reminder about scope. Add automatic PII masking so SSNs, account numbers, and medical IDs don’t end up in plain text.

Tips that help in real life:

• Deduplicate names against your CRM to reduce false positives.
• Use entity resolution for organizations with multiple aliases.
• Geo‑fence the bot to licensed areas and give alternatives when out of bounds.
• Add a “stop” state: on a potential conflict, halt, send a respectful declination, and block further disclosures.

Bonus: this also improves conversion. People want a clear path to a human after a quick screening—not a long essay box.

Security, resilience, and auditability

LLM systems come with new attack surfaces. OWASP’s LLM Top 10 (2023/2024) calls out prompt injection, data exfiltration, and supply chain issues. For legal bots, you need firm guardrails: advice‑refusal system prompts, content filters, length limits, and an isolation layer so the model can’t wander through internal systems.

• Immutable logs capturing consent, prompts, outputs, and routing choices.
• Role‑based access with MFA; only intake/conflicts teams should see transcripts.
• Rate limits and abuse detection to blunt “conflict‑out” stunts.
• Incident playbooks designed for intake data and pre‑approved notice templates.

Monitor for real. Alert on sensitive words slipping past guardrails. Rotate API keys. Pin model versions. Require vendor change notices. Run quarterly red‑team drills aimed at forcing advice or collecting excess data.

Also rehearse your declinations and ethical screens. People freeze in the moment. Practice keeps you compliant when it counts.

Documentation insurers and regulators expect

Underwriting has caught up to AI. Auditors and carriers now ask for:

• A written intake and screening policy aligned to Rules 1.18 and 1.6.
• Vendor due diligence and contracts (no training, encryption, subprocessor lists).
• Security testing (pen tests, red‑team outcomes) and control summaries.
• A retention schedule for unretained prospects, plus purge reports.
• Ethical screen procedures with notice templates and approval steps.
• Training materials and completion records.
• DPIAs or TIAs if GDPR/CCPA apply to your intake flows.

Tell a clear story. Why is the gate where it is? Why that field order? How do triggers limit exposure? Keep a changelog for prompts and model versions. If your jurisdiction issues guidance on chat or prospective clients, cite it in your policy and note how you comply.

That paper trail often decides whether a close call stays a close call—or becomes a claim.

Jurisdictional variations and advertising rules

Your bot is a “communication about a lawyer’s services,” so Rules 7.1/7.2 (and state variations) apply. Some states require specific website disclosures. Others have filing or retention rules for ads. Make sure the chat surface includes what’s required—for example, specialist disclaimers where relevant—and avoid promises that create unjustified expectations.

International traffic brings privacy rules. Under GDPR/CCPA, disclose your purposes, legal basis, retention, and sharing, and honor rights requests. For EU visitors, consider a minimal path that captures only conflicts data until you form a relationship, relying on legitimate interests with an easy opt‑out. If you work in sensitive areas (health, immigration, etc.), check whether intake collects special category data and tune your lawful basis and consent.

Simple approach: geolocate and adapt. Show jurisdiction‑specific advertising and privacy notices dynamically. If you can’t serve that location, say so and offer a bar referral link. People appreciate the honesty.

What to do if you already collected disqualifying information

Move fast:

• Pause any adverse work and alert GC/conflicts counsel.
• Isolate the transcript and screen any exposed lawyers and staff.
• Assess whether the info is “significantly harmful.” If you’re unsure, treat it as if it is.
• Send written notice under Rule 1.18(d) explaining the screen without revealing the adverse client or any strategy.

Stabilize the data. Minimize access, tighten permissions, and set a deletion timer consistent with policy and legal holds. If a vendor holds a copy, trigger deletion and get written confirmation.

Then fix the cause. Was the gate missing? Did narrative open too soon? Were uploads on by default? Patch the config and note the change in your log. If it looks like an adversarial conflict‑out attempt, tweak rate limits and abuse detection.

The goal is twofold: clean up the incident and show that your measures were reasonable and your screen was timely and complete.

Implementation roadmap for a mid-size firm

Phase 1: Policy and vendor selection

• Write an intake/gating policy aligned to Rules 1.18, 1.6, and 5.3.
• Pick a vendor with SOC 2, no training on your data, and conflict‑check integrations.
• Map data flows; run a DPIA if needed.

Phase 2: Configure workflow

• Build a plain‑language clickwrap gate.
• Set the sequence: names → matter type → jurisdiction → triage → narrative.
• Keep uploads off until cleared; enable PII masking.

Phase 3: Security and testing

• Pin model versions, add rate limits, and apply prompt‑injection defenses.
• Red‑team for advice leakage and conflict‑out attempts.
• Train staff; run drills for screens and declinations.

Go‑live and KPIs

• Track time‑to‑clear, conflict hit rate, declination rate, screen speed, purge compliance.
• Review at 30/60/90 days; refine prompts and gating copy.

One cultural tweak: create an “intake guild” with BD, conflicts, security, and a partner from each major practice. They own prompts, fields, and escalation rules. Intake isn’t just marketing—it’s risk control at the front door.

How LegalSoul supports compliant AI intake

LegalSoul builds ethics into intake from the first click. The experience starts with a mandatory clickwrap gate and clear, human‑readable language, then walks prospects through a conflicts‑first flow—party names, matter type, and jurisdiction before any storytelling.

Our conflict‑aware AI checks your DMS/CRM and trusted datasets in real time. If a potential conflict appears, the bot pauses and kicks off a one‑click screen and notice letter aligned with Rule 1.18(d). Uploads are off by default until clearance; when enabled, we auto‑redact PII to shrink exposure.

Security is table stakes: encryption at rest/in transit, least‑privilege access, regional data controls, and a strict “no training on your data” stance. We pin model versions, add defenses against prompt injection, and keep immutable logs of sessions, consents, prompts, outputs, and routing.

Advice‑avoidance guardrails keep the bot informational with fast escalation to a human. Retention controls purge unretained prospect data quickly, with vendor deletion confirmations. Disclaimers and notices adapt by jurisdiction. In short, LegalSoul lets you capture the right clients without collecting the wrong facts.

FAQs

Does using an AI intake chatbot create an attorney‑client relationship?
Not by itself. But duties to a “prospective client” can arise if the bot invites or receives matter‑specific facts.

Are website disclaimers alone enough?
No. Pair your “no attorney‑client relationship” language with a required clickwrap before any free text or file uploads.

Can I allow document uploads on first contact?
Risky. First‑contact uploads often include “significantly harmful” information. Enable attachments only after conflicts clearance.

How long should I keep unretained prospect data?
Adopt a short retention window (e.g., 30–90 days), document purges, and follow GDPR/CCPA where applicable.

What does Rule 1.18(d) require if harmful info is received?
Show reasonable measures, implement a timely screen, and send written notice to the prospective client.

Can a bot give general legal info?
Yes—keep it general and add guardrails. Anything that looks like advice or jurisdiction‑specific guidance should escalate to a human.

Conclusion

AI intake chatbots can create duties to “prospective clients,” so design with that in mind. Lead with a clickwrap gate, collect just enough to check conflicts, hold narratives and uploads until cleared, and screen fast with a proper notice if harmful info appears.

Protect confidentiality with vetted vendors, encryption, tight access, short retention for unretained prospects, and real audit logs. Add advice‑avoidance guardrails. Done right, you’ll convert more good matters without adding unnecessary risk.

Want the fast, safe path? Book a LegalSoul demo and see conflict‑aware workflows, automated screens and notices, and audit‑ready controls tailored to your practice and jurisdictions.