What AI governance services does Hoag Law.ai offer?

EU AI Act compliance, AI-related IP and output ownership, copyright risk in AI-generated code and content, open-source license exposure in AI-assisted codebases, and internal AI governance policies. AI output fundamentally changes how MSAs, SOWs, Terms of Service, and Privacy Policies need to be drafted.

What SaaS and technology contracts does Hoag Law.ai handle?

MSAs, NDAs, SaaS and licensing agreements, SLAs, and enterprise technology partnerships.

What privacy and AI compliance services are available?

GDPR and CCPA/CPRA compliance, AI data governance, HIPAA guidance for healthtech, Terms of Service, Privacy Policies, and DPA negotiation.

Who owns IP when your codebase is written by AI tools like Claude Code, Cursor, or v0?

Intellectual property ownership and risk allocation in AI-first commercial contracts covers data rights, AI-generated code ownership, derivative works, and downstream use restrictions. Hoag Law.ai helps startups navigate IP ownership when codebases are built with AI development tools. Services also include trademark clearance, registration, and brand protection.

California’s SB 37: Your AI Chatbot Is Your Ad. You Own it. Act Like It.

This is educational material and does not constitute legal advice nor is any attorney/client relationship created with this article, hence you should contact and engage an attorney if you have any legal questions.

California’s SB 37 took effect January 1, 2026, and if you’re a California attorney with an AI chatbot on your website, you’re already in the highest-risk category under the new law.

SB 37 is about attorney responsibility in outsourced influence. It doesn’t matter whether your marketing vendor wrote it, your intake platform generated it, or your chatbot spit it out.

If it markets your firm, you own it.

The chatbot problem most attorneys haven’t thought through

AI chatbots on law firm websites sit at the intersection of two distinct compliance obligations, and most attorneys are only thinking about one of them.

The first is SB 37: your chatbot’s responses are advertising. They need to comply with California’s attorney advertising rules, so no misleading claims, no implied guarantees, proper identification of a responsible California-licensed attorney.

The second is privilege. This one is urgent right now, because of a case that just dropped two weeks ago.

In United States v. Heppner (SDNY, Feb. 17, 2026), Judge Rakoff held that a criminal defendant’s conversations with the consumer version of Claude — used independently, without attorney direction — were not protected by attorney-client privilege or the work product doctrine. The reasoning: Claude isn’t a lawyer, and Anthropic’s consumer ToS expressly permits review and disclosure of user inputs. No confidentiality, no privilege. (Beyond the ruling’s text, I should clarify that this is almost certainly true even if training is toggled off, and even on paid consumer plans. Only enterprise plans, and even then, optimally, with ZDR policies in place, are sufficiently safe not to waive privilege.)

While this is obviously a NY-only ruling for the moment, it stands to reason that other states will follow suit. So that ruling has a direct implication for your intake chatbot. If a prospective client starts describing their legal situation to your AI chatbot before they’ve engaged you, that conversation may be discoverable. Likewise, if your client — or potential client — use an AI chat bot powered by a consumer-tier AI with permissive data handling terms, you’ve compounded the problem.

How I implemented live chat on my site

I recently set up a live chat tool (Crisp.chat if you’re curious; one nice thing, they’re EU-based in France so it makes GDPR compliance a breeze) for my own law practice website — not an AI bot, just a standard live chat widget — and I set it to auto-open on the first page load with this:

“Please do NOT share any private or otherwise confidential information here as there is no attorney/client privilege between us unless and until we sign an Engagement Letter. In the meantime, please do NOT discuss any legal issues with a public AI tool like ChatGPT, Claude, Grok, Gemini, etc., as this may waive any attorney/client privilege that might otherwise exist between us.”

That’s not legalese for its own sake. It’s a direct response to Heppner and to the data handling realities that SB 37 now forces you to confront.

For the record, I have mixed feelings on the direction the law is trending:

First, although I agree with the technical reality that an AI chat both is entirely different to a cloud storage provider, I question the practical reality, and thus, whether it should be considered a third party disclosure.

And second, I find it exceedingly hard to reconcile the recognition that more than 1 billion people world wide now use ChatGPT for discussing their most private, personal, and confidential matters, while we steadfastly maintain that there is no expectation of privacy in such discussions. These two conclusions seem absolutely, undeniably, mutually exclusive to me.

A practical checklist

Before your next client intake conversation happens through your website chatbot — whether it’s an AI bot or simple “dumb chat box,” ask yourself:

Does my chatbot identify a responsible California-licensed attorney?
Are its responses reviewed by an attorney before going live?
Do I know where those conversations are being sent and stored?
Am I warning visitors not to share privileged information?
If it’s AI-powered, what are the underlying platform’s data retention and disclosure terms?

If you can’t answer all five confidently, you have work to do.