In this interactive, scenario-based workshop, participants will take part in a live tabletop simulation centered around a privacy inquiry involving a third-party SDK integrated into a company’s mobile app. Designed to mirror real-world dynamics, the exercise challenges attendees to navigate cross-functional roles spanning legal, compliance, and business teams.

As the situation evolves in real time, small groups will assess regulatory and reputational risks, make key response decisions, and collaborate to present a coordinated action plan. This workshop emphasizes strategic thinking, internal alignment, and practical problem-solving in the face of emerging third-party data risks.

• Daniel Goldberg
• Richard Borden

Participants will engage in interactive case studies and scenario-based discussions to discuss the key takeaways from notable AI disputes and government investigations and walk away with a checklist and a sample risk framework to: (A) identify the AI litigation and government investigations risks and (B) action on compliance, governance and business operations changes to reduce litigation and regulatory risks.

• Jeewon Serrato
• Stacey Schesser

This interactive workshop will explore regulatory frameworks governing children’s data, with a focus on the European Union and United Kingdom, while identifying global trends in regulator approaches. Participants will review GDPR Article 8 on children’s consent, the UK’s Age Appropriate Design Code (AADC), and emerging international themes in youth data protection.

To apply these concepts in practice, attendees will examine a fictional mobile app to identify compliance gaps and align them with specific regulatory expectations. The session will also highlight enforcement trends from the UK Information Commissioner’s Office (ICO) and other global regulators, helping participants anticipate areas of scrutiny and strengthen their child-focused privacy programs.

• Chris Jeffery
• Lucy Lyons
• Dajin Lie

This interactive workshop will guide participants through real-world enforcement scenarios and litigation risks related to health data practices. Through scenario-based discussions, breakout sessions, and live polling, attendees will examine recent enforcement actions from the Office for Civil Rights (OCR), the Federal Trade Commission (FTC), and various state regulators.

The session will compare regulatory focus areas across jurisdictions and provide strategic insights for navigating the complex U.S. enforcement landscape. Participants will also discuss approaches for harmonizing health data practices in light of evolving regulatory expectations, ensuring compliant and defensible data collection, use, and disclosure frameworks.

• Jennifer Mitchell
• Lynn Sessions

This advanced-level workshop is tailored for seasoned privacy professionals seeking to benchmark and refine their risk assessment practices across global regulatory frameworks, including EU/UK GDPR DPIAs and U.S. assessment requirements. Operating under Chatham House Rule, the session fosters open, candid peer-to-peer discussion.

Prior to the workshop, participants will be asked to submit sanitized examples of real-world privacy assessments. Facilitators will analyze these submissions to develop a set of “Assessment Study Results,” which will highlight key trends, challenges, and best practices from across the cohort.

During the session, participants will engage in guided discussion of the study findings, share personal insights, and explore practical strategies for navigating assessment hurdles. Attendees will leave with study materials, benchmarking data, and the opportunity to contribute to a forthcoming article in CLA’s Privacy Journal.

• Aaron Burnstein
• Chris Tarbell

This interactive workshop walks participants step‑by‑step through conducting an AI/ML Impact Assessment (AIMLIA)—a structured framework for identifying legal, ethical, and operational risks in machine learning systems. Designed for attorneys, privacy professionals, and in‑house counsel, the session demystifies AI risk reviews by applying the AIMLIA method to a live mock use case.

Participants will explore how to identify and mitigate red flags, align system components with U.S. legal frameworks (such as CCPA/CPRA, GLBA, and FTC guidance), and address cross‑border compliance obligations under the EU AI Act and GDPR. The session focuses on translating regulatory expectations into practical workflows—building defensible records, flagging risks early, and communicating findings to both legal and technical teams.

This is a workshop for people who want to do the work—not just talk about it.

• Joshua Heiman
• Steve Mittendorf

This advanced-level workshop is tailored for seasoned privacy professionals seeking to benchmark and refine their risk assessment practices across global regulatory frameworks, including EU/UK GDPR DPIAs and U.S. assessment requirements. Operating under Chatham House Rule, the session fosters open, candid peer-to-peer discussion.

Prior to the workshop, participants will be asked to submit sanitized examples of real-world privacy assessments. Facilitators will analyze these submissions to develop a set of “Assessment Study Results,” which will highlight key trends, challenges, and best practices from across the cohort.

During the session, participants will engage in guided discussion of the study findings, share personal insights, and explore practical strategies for navigating assessment hurdles. Attendees will leave with study materials, benchmarking data, and the opportunity to contribute to a forthcoming article in CLA’s Privacy Journal.

• Jennifer Sheridan
• Linsey Krolik

In an increasingly complex risk landscape, standardized risk assessments fall short. This interactive workshop empowers participants to craft risk assessment requirements uniquely suited to their organization’s needs. By examining a variety of frameworks, methodologies, and industry best practices, attendees will gain insight into what approaches succeed, which fall short, and the reasons behind their effectiveness.

• James Fenelon
• Felix Hilgert

This interactive workshop will explore the evolving notice and transparency requirements under emerging AI regulations and existing privacy laws. Through a series of real-world hypotheticals, participants will examine how these legal frameworks apply to technologies such as chatbots, generative AI systems, and companion bots.

The session will highlight key differences and overlaps between AI and privacy law requirements, and provide practical tips for meeting legal obligations related to user disclosures, consent, and accountability. Attendees will leave with a clearer understanding of how to design and communicate compliant AI-driven products and services.

• Shruti Bhutani Arora
• Divya Gupta

Participants will engage in interactive case studies and scenario-based discussions designed to empower attendees with a clear understanding of the evolving world of AI legislation. Through real world case studies and guided discussions, attendees will explore key legal and regulatory frameworks that shape how AI is developed, developed and governed. You will leave the session with a solid grasp of international and local AI-related laws, as well as hands on experience examining legal implications through scenarios involving data governance, accountability and transparency. 

• David Stauss
• Mark Webber

This session offers privacy, legal, and compliance professionals an in-depth overview of two major regulatory frameworks shaping the future of AI governance—the Colorado AI Act and the EU AI Act. Participants will examine the scope, requirements, and obligations under each law, and explore practical implications for organizations deploying or developing AI technologies.

Through comparative analysis and facilitated discussion, the workshop will highlight key compliance challenges, emerging risks, and strategic opportunities for aligning AI initiatives with evolving regulatory expectations. Attendees will leave with a clearer understanding of how to operationalize responsible AI practices across jurisdictions.

• Cody Venzkec

This workshop will explore the increasing legal and regulatory expectations surrounding vendor management programs, with a focus on practical implementation and risk mitigation. Participants will gain a deeper understanding of how emerging laws—such as the California Consumer Privacy Act (CCPA) and national security-related regulations—require companies to establish mature and accountable vendor oversight frameworks.

Key topics will include:

• Ensuring appropriate contractual provisions are in place
• Navigating vendor ownership considerations for national security compliance
• Conducting effective vendor audits to meet legal and regulatory requirements

This session will provide actionable insights and best practices for legal and privacy professionals working to strengthen third-party risk management within their organizations.

• Nick Ginger
• Celine Guillou
• Sheri Porath Rockwell

This advanced tabletop workshop is designed for experienced data protection professionals ready to tackle today’s evolving cybersecurity challenges. With AI-generated deepfakes, synthetic media, and increasingly sophisticated ransomware tactics on the rise, participants will step into a high-intensity, scenario-based simulation that tests real-time decision-making, cross-functional coordination, and crisis response strategy.

Attendees will be assigned to small incident response teams and face unfolding ransomware scenarios involving AI-powered threats—such as deepfake communications, targeted phishing attacks, and synthetic insider threats. Through live injects, time-sensitive decisions, and expert-facilitated discussions, participants will sharpen their ability to respond under pressure while gaining insights into modern threat landscapes and response dynamics.

• Brett Cook
• Jennie Wang VonCannon

Exclusively for in-house counsel, privacy attorneys, compliance officers, and litigation specialists, this workshop addresses the complex legal and regulatory challenges arising from cybersecurity incidents. Moving beyond technical defenses, it focuses on the legal, compliance, and ethical obligations triggered by social engineering attacks and insider threats. Through real-world scenarios, participants will identify potential liabilities, develop strategies for thorough internal investigations, navigate breach notification requirements, and prepare for litigation. The session highlights proactive legal frameworks to minimize risk and ensure defensible responses to human-centric cyber vulnerabilities.

• Kate Lucente

This advanced workshop is designed for professionals navigating the complex legal and regulatory landscape of vendor security within the cyber supply chain. Focusing specifically on cybersecurity obligations beyond general data protection, participants will delve into audit requirements, legal liabilities, and compliance with evolving cyber regulations. Through practical exercises, attendees will learn to draft and negotiate strong cybersecurity clauses, address security audit findings strategically, manage post-breach vendor legal issues, and proactively mitigate risks from third-party vendors. This program equips legal teams to effectively handle the legal challenges of supply chain cyber incidents.

• Chris Ghazarian
• Steve Millendorf

This advanced workshop is designed for professionals navigating the complex legal and regulatory landscape of vendor security within the cyber supply chain. Focusing specifically on cybersecurity obligations beyond general data protection, participants will delve into audit requirements, legal liabilities, and compliance with evolving cyber regulations. Through practical exercises, attendees will learn to draft and negotiate strong cybersecurity clauses, address security audit findings strategically, manage post-breach vendor legal issues, and proactively mitigate risks from third-party vendors. This program equips legal teams to effectively handle the legal challenges of supply chain cyber incidents.

• Paul Lanois