RegFi Podcast

AI, Audits & Risk Assessments: Inside California’s Final CCPA Regulations

Oct 8, 2025
Shannon Yavorsky, an Orrick partner and head of the Global Cyber, Privacy & Data Innovation group, dives into the intricacies of California's latest CCPA regulations. She discusses the focus on automated decision-making technology (ADMT) and its implications for financial services, particularly around GLBA carve-outs. The conversation also covers the lack of a broad AI definition, the need for annual cybersecurity audits, and the phased compliance timeline set until 2030. Yavorsky offers insights on whether California's model will influence other states in regulating AI technology.
INSIGHT

California's Regulatory Focus

  • California's new CCPA regulations target cybersecurity audits, risk assessments, and automated decision-making technology (ADMT).
  • The CPPA aims to increase transparency, reduce harm, and build consumer trust in data practices.
ADVICE

Assess Models Used For Significant Decisions

  • If you train or provide models used to make significant decisions, perform a risk assessment and share facts so recipients can do theirs.
  • Treat tools that enable significant decisions differently than consumer-facing assistants like search or drafting tools.
INSIGHT

From AI Definition To Use-Case Regulation

  • The CPPA dropped a detailed AI definition and instead regulates ADMT use cases.
  • Focusing narrowly on decision-making avoids over-regulating benign tools like calculators or simple assistants.