Privacy + AI Lab
October 10 @ 9:00 am – 6:00 pm

Presented by the CLA Privacy Law Section
Date: October 10, 2025
Location: The Faculty Club, UC Berkeley, Minor Ln, Berkeley, CA 94720
Pricing:
- CLA Member: $899
- Non-CLA Member: $949
- In-House/Government/Public Interest* – Non-CLA Member: $649
- In-House/Government/Public Interest* – CLA Member: $599
This interactive, full-day conference is designed for senior privacy and AI practitioners. In partnership with the BCLT and hosted at the prestigious UC Berkeley Faculty Club, this event provides a unique opportunity to engage in advanced legal topics.
Through a series of hands-on workshops led by expert facilitators, attendees will participate in practical, innovative, and cross-functional discussions on critical areas such as risk assessments, cybersecurity audits, AI, and ADMT regulations. The conference is designed to equip professionals with actionable insights and best practices to navigate the evolving privacy and AI law landscape globally. Additionally, attendees will receive certifications of participation.
Join us for a day of in-depth learning, networking with industry leaders, and engaging in critical thinking to tackle real-world scenarios and develop effective solutions.
Recommended Accommodations:
Special discounted rates for this program are available through the links below:
Subject to availability at time of reservation.
Interested in Sponsoring?
We would be honored to have your support as a sponsor for our upcoming event. With your sponsorship, we can make a bigger impact and create a memorable experience for all attendees.
Schedule
Registration and Breakfast | 8:00 a.m. – 9:00 a.m.
Session 1 | 9:00 a.m. – 10:30 a.m. | 1.5 Hours MCLE
Privacy Tabletop: Responding to a Mobile SDK Inquiry
In this interactive, scenario-based workshop, participants will take part in a live tabletop simulation centered around a privacy inquiry involving a third-party SDK integrated into a company’s mobile app. Designed to mirror real-world dynamics, the exercise challenges attendees to navigate cross-functional roles spanning legal, compliance, and business teams.
As the situation evolves in real time, small groups will assess regulatory and reputational risks, make key response decisions, and collaborate to present a coordinated action plan. This workshop emphasizes strategic thinking, internal alignment, and practical problem-solving in the face of emerging third-party data risks.
- Daniel Goldberg
- Richard Borden
Practical Guide to Managing AI Disputes and Government Investigations
Participants will engage in interactive case studies and scenario-based discussions covering the key takeaways from notable AI disputes and government investigations, and will walk away with a checklist and a sample risk framework to: (A) identify AI litigation and government investigation risks and (B) act on compliance, governance, and business operations changes to reduce litigation and regulatory risks.
- Jeewon Serrato
- Stacey Schesser
Navigating Regulatory Audits: Children’s Data
This interactive workshop will explore regulatory frameworks governing children’s data, with a focus on the European Union and United Kingdom, while identifying global trends in regulator approaches. Participants will review GDPR Article 8 on children’s consent, the UK’s Age Appropriate Design Code (AADC), and emerging international themes in youth data protection.
To apply these concepts in practice, attendees will examine a fictional mobile app to identify compliance gaps and align them with specific regulatory expectations. The session will also highlight enforcement trends from the UK Information Commissioner’s Office (ICO) and other global regulators, helping participants anticipate areas of scrutiny and strengthen their child-focused privacy programs.
- Chris Jeffery
- Lucy Lyons
- Dajin Lie
A Comparison of Privacy Disputes and Investigations: Health Data Case Studies, Common Areas of Risk and Key Mitigation Strategies
This interactive workshop will guide participants through real-world enforcement scenarios and litigation risks related to health data practices. Through scenario-based discussions, breakout sessions, and live polling, attendees will examine recent enforcement actions from the Office for Civil Rights (OCR), the Federal Trade Commission (FTC), and various state regulators.
The session will compare regulatory focus areas across jurisdictions and provide strategic insights for navigating the complex U.S. enforcement landscape. Participants will also discuss approaches for harmonizing health data practices in light of evolving regulatory expectations, ensuring compliant and defensible data collection, use, and disclosure frameworks.
- Jennifer Mitchell
- Lynn Sessions
Session 2 | 10:40 a.m. – 12:10 p.m. | 1.5 Hours MCLE
Privacy Risk Assessments in the Real World: Health Advertising Case Studies
This advanced-level workshop is tailored for seasoned privacy professionals seeking to benchmark and refine their risk assessment practices across global regulatory frameworks, including EU/UK GDPR DPIAs and U.S. assessment requirements. Operating under Chatham House Rule, the session fosters open, candid peer-to-peer discussion.
Prior to the workshop, participants will be asked to submit sanitized examples of real-world privacy assessments. Facilitators will analyze these submissions to develop a set of “Assessment Study Results,” which will highlight key trends, challenges, and best practices from across the cohort.
During the session, participants will engage in guided discussion of the study findings, share personal insights, and explore practical strategies for navigating assessment hurdles. Attendees will leave with study materials, benchmarking data, and the opportunity to contribute to a forthcoming article in CLA’s Privacy Journal.
- Aaron Burnstein
- Chris Tarbell
How to Conduct an AIMLIA: A Hands‑On Workshop for AI/ML Impact Assessments
This interactive workshop walks participants step‑by‑step through conducting an AI/ML Impact Assessment (AIMLIA)—a structured framework for identifying legal, ethical, and operational risks in machine learning systems. Designed for attorneys, privacy professionals, and in‑house counsel, the session demystifies AI risk reviews by applying the AIMLIA method to a live mock use case.
Participants will explore how to identify and mitigate red flags, align system components with U.S. legal frameworks (such as CCPA/CPRA, GLBA, and FTC guidance), and address cross‑border compliance obligations under the EU AI Act and GDPR. The session focuses on translating regulatory expectations into practical workflows—building defensible records, flagging risks early, and communicating findings to both legal and technical teams.
This is a workshop for people who want to do the work—not just talk about it.
- Joshua Heiman
- Steve Millendorf
Privacy Risk Assessment Study
This advanced-level workshop is tailored for seasoned privacy professionals seeking to benchmark and refine their risk assessment practices across global regulatory frameworks, including EU/UK GDPR DPIAs and U.S. assessment requirements. Operating under Chatham House Rule, the session fosters open, candid peer-to-peer discussion.
Prior to the workshop, participants will be asked to submit sanitized examples of real-world privacy assessments. Facilitators will analyze these submissions to develop a set of “Assessment Study Results,” which will highlight key trends, challenges, and best practices from across the cohort.
During the session, participants will engage in guided discussion of the study findings, share personal insights, and explore practical strategies for navigating assessment hurdles. Attendees will leave with study materials, benchmarking data, and the opportunity to contribute to a forthcoming article in CLA’s Privacy Journal.
- Jennifer Sheridan
- Linsey Krolik
Mind the Risk Gap: Building and Balancing DPIA and Risk Assessment Requirements
In an increasingly complex risk landscape, standardized risk assessments fall short. This interactive workshop empowers participants to craft risk assessment requirements uniquely suited to their organization’s needs. By examining a variety of frameworks, methodologies, and industry best practices, attendees will gain insight into what approaches succeed, which fall short, and the reasons behind their effectiveness.
- James Fenelon
- Felix Hilgert
Lunch | 12:25 p.m. – 1:25 p.m.
Session 3 | 1:35 p.m. – 3:05 p.m. | 1.5 Hours MCLE
Notice and Transparency
This interactive workshop will explore the evolving notice and transparency requirements under emerging AI regulations and existing privacy laws. Through a series of real-world hypotheticals, participants will examine how these legal frameworks apply to technologies such as chatbots, generative AI systems, and companion bots.
The session will highlight key differences and overlaps between AI and privacy law requirements, and provide practical tips for meeting legal obligations related to user disclosures, consent, and accountability. Attendees will leave with a clearer understanding of how to design and communicate compliant AI-driven products and services.
- Shruti Bhutani Arora
- Divya Gupta
Navigating AI Legislation: An In-Depth Look at the Colorado AI Act and the EU AI Act
Participants will engage in interactive case studies and scenario-based discussions designed to give them a clear understanding of the evolving world of AI legislation. Through real-world case studies and guided discussions, attendees will explore key legal and regulatory frameworks that shape how AI is developed and governed. You will leave the session with a solid grasp of international and local AI-related laws, as well as hands-on experience examining legal implications through scenarios involving data governance, accountability, and transparency.
- David Stauss
- Mark Webber
Consumer Health Data and Precise Geolocation Disclosures and Consent Requirements
This session offers privacy, legal, and compliance professionals an in-depth overview of two major regulatory frameworks shaping the future of AI governance—the Colorado AI Act and the EU AI Act. Participants will examine the scope, requirements, and obligations under each law, and explore practical implications for organizations deploying or developing AI technologies.
Through comparative analysis and facilitated discussion, the workshop will highlight key compliance challenges, emerging risks, and strategic opportunities for aligning AI initiatives with evolving regulatory expectations. Attendees will leave with a clearer understanding of how to operationalize responsible AI practices across jurisdictions.
- Cody Venzkec
Emerging Vendor Monitoring Requirements – New Ideas and Best Practices
This workshop will explore the increasing legal and regulatory expectations surrounding vendor management programs, with a focus on practical implementation and risk mitigation. Participants will gain a deeper understanding of how emerging laws—such as the California Consumer Privacy Act (CCPA) and national security-related regulations—require companies to establish mature and accountable vendor oversight frameworks.
Key topics will include:
- Ensuring appropriate contractual provisions are in place
- Navigating vendor ownership considerations for national security compliance
- Conducting effective vendor audits to meet legal and regulatory requirements
This session will provide actionable insights and best practices for legal and privacy professionals working to strengthen third-party risk management within their organizations.
- Nick Ginger
- Celine Guillou
- Sheri Porath Rockwell
Session 4 | 3:15 p.m. – 4:45 p.m. | 1.5 Hours MCLE
Beyond the Breach: Ransomware Tabletop for the AI Era
This advanced tabletop workshop is designed for experienced data protection professionals ready to tackle today’s evolving cybersecurity challenges. With AI-generated deepfakes, synthetic media, and increasingly sophisticated ransomware tactics on the rise, participants will step into a high-intensity, scenario-based simulation that tests real-time decision-making, cross-functional coordination, and crisis response strategy.
Attendees will be assigned to small incident response teams and face unfolding ransomware scenarios involving AI-powered threats—such as deepfake communications, targeted phishing attacks, and synthetic insider threats. Through live injects, time-sensitive decisions, and expert-facilitated discussions, participants will sharpen their ability to respond under pressure while gaining insights into modern threat landscapes and response dynamics.
- Brett Cook
- Jennie Wang VonCannon
The Weakest Link? Simulating a Social Engineering Cyber Attack
Exclusively for in-house counsel, privacy attorneys, compliance officers, and litigation specialists, this workshop addresses the complex legal and regulatory challenges arising from cybersecurity incidents. Moving beyond technical defenses, it focuses on the legal, compliance, and ethical obligations triggered by social engineering attacks and insider threats. Through real-world scenarios, participants will identify potential liabilities, develop strategies for thorough internal investigations, navigate breach notification requirements, and prepare for litigation. The session highlights proactive legal frameworks to minimize risk and ensure defensible responses to human-centric cyber vulnerabilities.
- Kate Lucente
Vendor Vetting Unlocked: The Onboarding Imperative
This advanced workshop is designed for professionals navigating the complex legal and regulatory landscape of vendor security within the cyber supply chain. Focusing specifically on cybersecurity obligations beyond general data protection, participants will delve into audit requirements, legal liabilities, and compliance with evolving cyber regulations. Through practical exercises, attendees will learn to draft and negotiate strong cybersecurity clauses, address security audit findings strategically, manage post-breach vendor legal issues, and proactively mitigate risks from third-party vendors. This program equips legal teams to effectively handle the legal challenges of supply chain cyber incidents.
- Chris Ghazarian
- Steve Millendorf
Strengthening Digital Defenses: Navigating NIS2, DORA, and the Cyber Resilience Act
This advanced workshop is designed for professionals navigating the complex legal and regulatory landscape of vendor security within the cyber supply chain. Focusing specifically on cybersecurity obligations beyond general data protection, participants will delve into audit requirements, legal liabilities, and compliance with evolving cyber regulations. Through practical exercises, attendees will learn to draft and negotiate strong cybersecurity clauses, address security audit findings strategically, manage post-breach vendor legal issues, and proactively mitigate risks from third-party vendors. This program equips legal teams to effectively handle the legal challenges of supply chain cyber incidents.
- Paul Lanois
Reception | 4:45 p.m. – 6:00 p.m.

We are committed to accessibility! Virtual events are equipped with closed captioning. To request an in-person accommodation, send us a note at accessibility@calawyers.org or contact us at 916-516-1760 for assistance.