b'(d)Informed Client Consent. Where client consent is required, it must be informed. The client must receive a clear explanation of the purpose of the processing, the type of data involved, the type of GAI tool to be used, the potential risks (including risks of disclosure or misuse), andthesafeguardsinplacetoprotectthedata.Thisinformationmustbeprovided separatelyfromothermaterials,andtheclientmustbegiventheopportunitytoask questions before providing consent. Consent must be voluntary and may be revoked at any time and for any reason. i.Authority to Consent. The client may provide consent to process personal data that is (i) the personal data of the client or (ii) personal data of which the client is the lawful controller or processor. If the responsible attorney has reason to doubt the clients authority to consent to the processing for the personal data provided, they must refrain from processing the data using GAI until appropriate authorization is confirmed. ii.Discretionary Consents. The attorney responsible for any client or matter is free to require informed written consent for the use of Approved GAI Tools using criteria that is more restrictive than this Policy provides. If, in the professional judgment of the responsible attorney, informed written consent is prudent in any matter, then the responsible attorneys judgment shall control.(e)System-Wide Processing. System-Wide Processing means using GAI systems in firm-wide administrative, security, or operational tools as part of standard functions, such as document management, email filtering, cybersecurity, or automated billing. These GAI tools are exempt from client opt-out or consent rights described above. 7.Implementation of Client and Project Level Restrictions. Prior to using Approved GAI Tools for any client or client project, the responsible attorney for the matter must complete an evaluation to determine whether any regulatory, contractual, or other specific obligations apply to the client or project.ApprovedGAIToolsmaynotbeusedunlesssuchrequirementsareidentifiedand complied with. For example: i.Client-ImposedRestrictions.ClientsmayincludeGAI-relatedrestrictionsintheir agreements or engagement letters. As described above, clients may also file an opt-out request to limit or prohibit the use of GAI tools to process their data. ii.Flow-Down Restrictions. Clients may be subject to GAI limitations that flow down to ACME,suchaspublic-sectorprocurementrules(e.g.theCaliforniaStateGenAI Procurement Guidelines). iii.Data Protection Requirements. Certain client data may be subject to heightened privacy or security obligations that require additional safeguards around GAI use, including but not limited to the CCPA, GDPR, or HIPAA. Page | 44'