Are ChatGPT Conversations Discoverable?

Recently, in the criminal case against the alleged mass shooter at Florida State University, state prosecutors answered discovery demands that revealed they intend to introduce hundreds of ChatGPT conversations into evidence as exhibits.  See State v. Ikner, Case No. 25CF01241 (Amended Answer to Demand for Discovery, filed Jul. 31, 2025).  Presumably, these represent conversations between the defendant and ChatGPT that are incriminating in some way, or at least relevant to issues anticipated at trial.

This raises a number of questions for civil litigants as to whether an individual’s conversations with ChatGPT are discoverable.  Florida appellate cases have apparently not addressed this question specifically, but recent cases suggest a possible standard for civil discovery.

The Third District Court of Appeal, in Roque v. Swezy, 390 So. 3d 193, 197 (Fla. 3d DCA 2024), applied Florida’s constitutional right to privacy in a civil discovery matter over scanning data within a party’s mobile phone, opining that “Court orders compelling discovery constitute state action that may impinge on constitutional rights, including the constitutional right of privacy.” Id. at n. 1. 

Importantly, if there is a reasonable expectation of privacy in the data, the party seeking the data must show not only that their need outweighs this privacy right, but also that the least intrusive means are utilized to obtain the discovery sought.  Id.  The Third District found that there was a reasonable expectation of privacy in mobile phone data, namely, data regarding how the defendant used her mobile phone around the time of an auto accident.

The Third District has also found there is a reasonable expectation of privacy in Google search history. William Hamilton Arthur Architect, Inc. v. Schneider, 342 So. 3d 757, 760 (Fla. 3d DCA 2022) (applying least intrusive means analysis to Google searches).  The Third District has also applied this same logic regarding non-party financial discovery. Oramas v. Asencio, Case No. 3D25-0660, 2025 WL 1819273 (Fla. 3d DCA July 2, 2025).  It’s not clear how closely other districts will follow this standard.

These cases also raise a natural question: is AI different?  Does a person communicating with ChatGPT really expect their data to be private in the way they expect their personal phone data, or their Google searches, to be private?  Isn’t the AI understood to be a single separate entity that the user is communicating with, one that may share or leak that data to millions of others at will?  Is there any legal difference between communicating with an AI, which may share your information with the internet generally, and communicating with a human being, whom you may expect to maintain your confidence?

Similarly, the Florida Supreme Court has recently federalized discovery in multiple respects.  But federal courts are apparently not following the same process regarding Florida’s constitutional privacy rights.  See Measured Wealth Private Client Group, LLC v. Foster, No. 20-CV-80148, 2021 WL 309033, at *1 (S.D. Fla. Jan. 29, 2021) (ordering forensic exam of mobile data; if relevant and proportional, any showing that something has been deleted is enough for a full phone scan).  If the phone at issue is a work device, just missing metadata in discovery may be enough to scan the whole phone in federal court. HealthPlan Services, Inc. v. Dixit, No. 8:18-CV-2608-T-23AAS, 2019 WL 6910139, at *2 (M.D. Fla. Dec. 19, 2019).  The Florida Supreme Court recently clarified and reaffirmed the meaning of Article 1, section 23 of the Florida Constitution, namely, that the right to privacy means the right to informational privacy. See Planned Parenthood of Sw. & Cent. Florida v. State, 384 So. 3d 67, 83 (Fla. 2024).  Where will the Florida Supreme Court draw the line in discovery regarding AI?

This also raises technical questions. Chris Korta (Certified eDiscovery Specialist (ACEDS) and Cellebrite Certified Operator-COO) and Matt Dufek (Managing Director) at Harvest Discovery had this to say about the extraction of AI-generated data:

“From an e-Discovery perspective, it is important to know that AI-generated data (such as ChatGPT) is extracted and processed just like many other forms of data. If it is on a device, it can be found and extracted.

Generally speaking, AI data is accessed by most users through either a web browser or an installed app.

  • Browser-based AI sessions may leave artifacts in local cache, cookies, indexed DB storage, or synced browser history (sometimes even when the user believes they have cleared their history).
  • App-based sessions are analogous to a chat thread between friends and they are extracted accordingly. The prompts entered by the app user (Friend 1) are considered messages to the AI app (Friend 2). The data provided back to the app user by the AI app (Friend 2) are considered messages back to the app user (Friend 1).

AI data can be stored in several ways across a device and it is not always “deleted” when deleted. Additionally, if the device is backed up to a cloud service, those backups may contain recoverable conversation data long after deletion from the device itself. AI companies’ internal retention policies also affect which data is available for extraction. The scope, duration, and accessibility of stored content may vary over time.

For eDiscovery purposes, the source of truth for ChatGPT conversations could include:

  1. The end-user’s device (PC, tablet, mobile phone).
  2. Associated browser or app cloud backups.
  3. Enterprise log aggregators, if the user accessed ChatGPT through a corporate SSO or monitored network.
  4. The AI provider’s own records, if obtainable.

As with any emerging technology, the discoverability of this data will be shaped not just by privacy law and proportionality standards, but also by the practical realities of where the data is stored, who controls it, and whether it can be collected in a forensically sound manner.”
