PriCyai Advisory LP at the #RISK Digital Conference by GRC World Forums

PriCyai Advisory is pleased to share key reflections from our participation in the #RISK Digital Conference, hosted by GRC World Forums. Our Senior Consultant, Adedoyin Fadare, contributed to a timely panel discussion titled “California’s Privacy Reset: Will the Golden State Set a New Standard for America?”, which examined the sweeping privacy and AI reforms emerging from California in 2025.

The conversation opened with an overview of California’s new legislative package, one of the most comprehensive in the United States. Adedoyin walked attendees through the significance of the Opt-Me-Out Act, strengthened data broker regulations, new social media deletion requirements, and the escalating focus on youth safety through measures such as age-signal mandates and risk-warning labels. The session also highlighted California’s rapidly developing AI governance rules, including obligations for chatbot disclosure, safety intervention protocols, and corporate accountability for harm caused by AI systems. These reforms, combined with the CPPA’s implementation of the Delete Act and updated CPRA audit and security regulations, underscore a clear shift toward integrated, safety-centric digital governance.

A major theme of the discussion was the operational impact of these laws. Adedoyin emphasised that compliance is no longer limited to legal updates; it now requires meaningful changes across engineering, identity governance, and product design. Organisations must rethink verification workflows, deletion mechanisms, age-appropriate user interfaces, and the role of third-party vendors who process California resident data. This shift demands closer collaboration across compliance, security, engineering, IAM, and risk teams.

The panel also examined the unintended consequences of well-meaning regulation. In particular, Adedoyin raised concerns about user-unfriendly verification processes that may introduce additional privacy risks, and the growing possibility that companies respond with “compliance dark patterns” that technically meet legal requirements but degrade user experience. These questions sparked thoughtful engagement around privacy-preserving design and the need for balanced regulatory implementation.

Another central point was the difficulty companies face when operating across multiple jurisdictions. With California setting increasingly high standards and other states adopting divergent models, many organisations struggle to identify a coherent compliance approach. Adedoyin discussed the importance of establishing a scalable governance foundation that can accommodate California, emerging U.S. state laws, GDPR, and global frameworks across APAC, LATAM, the Middle East, and Africa. The conversation also touched on how compliance expectations differ for SMBs versus global enterprises.

The session concluded with forward-looking reflections on whether California is becoming the United States’ equivalent of the GDPR. While there are meaningful differences, it is clear that California is shaping national expectations—particularly in areas such as AI safety and youth protection, where it is moving faster than most jurisdictions.

PriCyai Advisory is proud to have contributed to this important dialogue and remains committed to supporting organisations as they navigate the evolving intersection of privacy, AI governance, and regulatory risk. California’s 2025 privacy reset represents more than a state-level shift—it is a signpost for the future of digital governance in the United States and beyond.

‍