McDermott, Will and Emery Partner Michael Morgan, CIPP/US, saw firsthand how California’s consumer privacy landscape evolved from the dot-com craze in the 1990s. Today, he leads the firm’s Global Privacy and Cybersecurity Practice Group and advises national and multinational companies on U.S. and international cybersecurity and data privacy laws.

The Los Angeles-based lawyer was first drawn to privacy law when he represented a celebrity couple as an associate. The case centered around the opposing party obtaining private information and specifics about the couple's home security system. While litigating the matter, Morgan learned privacy as a legal concept was unsettled terrain.

In this Member Spotlight, Morgan speaks with IAPP Staff Writer Alex LaCasse about getting his feet wet in the privacy world, when serving as General Counsel to an ecommerce company in the early 2000s and later in joining Jones Day’s first privacy and cybersecurity group, as well as his clients' lingering concerns about the implementation of the California Privacy Rights Act. Now, in his current position, Morgan is proud of his firm's work to build the Global Privacy and Cybersecurity Practice Group into what it is today. He is thankful for colleagues in other departments, who work on cases outside the privacy realm, as well as his associates, whose work further avails him to meet his client's needs.

Editor's note: This conversation has been edited for length and clarity.

The Privacy Advisor: How did you get your start in privacy?

Morgan: I started in privacy in the 1990s as an associate attorney. We represented a couple of celebrities in litigation and the opponent, in this case, gained access to private information about them, some of which was private personal information about how they lived their lives. It should’ve been of interest to nobody, but it was of interest to the tabloids. The lawsuit also had to do with security: the opponent had information about the security system our clients used in their home and some of their other properties. The opponent thought they could file some of this in the public record for strategic purposes.

It was the first time I dug into privacy rights in a big way — in an actual client situation with a significant need for protection — and there wasn't a lot of law (in that area), so it ultimately came down to a decision by a judge. It wasn’t like the motion to suppress was a slam dunk, but the decision was a nice win and it got me thinking about privacy. Also, the dot-com wave was going on at the time, so there were lots of opportunities.

The Privacy Advisor: How would you say you developed your subject-matter expertise in this field?

Morgan: I became general counsel at an e-commerce solutions company, where I worked on a lot of software development agreements and contracts (containing) mostly security-type terms; I was there for a couple of years. I worked at Jones Day for 14 years as part of their first formal privacy and cybersecurity group. There were cases involving technical or security components and with my prior experience and previous privacy knowledge, it came quite natural to me. 

In the early 2000s I had a case involving the hacking of a satellite communications mechanism, framed in terms of trade-secret violations and a bunch of common law claims. At the time, this industry was still very much being developed. People came together from different backgrounds. There weren’t a lot of folks who (focused on) privacy from their first day out of law school. It was more like you had some skill set and were part of trying to help clients in situations that implicated these theories.

The Privacy Advisor: Can you take me through your day-to-day responsibilities?

Morgan: The typical day in, day out involves a lot of conversation with clients. I talk with their general counsels, chief privacy officers and chief compliance officers. We talk a lot about what they're trying to achieve, whether it's an investment opportunity, product development opportunity or just an opportunity involving the exchange of data. Nowadays almost every business plan has a significant data component, so there's value to be added in having those discussions.

The Privacy Advisor: Do you find there are common baseline privacy issues shared by many of your clients or are they more case-by-case?

Morgan: Every client is different. But, in broad strokes, clients will differ in terms of their levels of maturity on privacy and cybersecurity issues. For a mature client, there may be things like a cadence for cybersecurity assessments and one for privacy assessments and reviews. A client may have a fairly refined process for that. I deal with maintaining those processes and trying to further mature them for other clients who may be very new businesses or growing very fast. I do my best to make compliance part of the fast-growing companies that probably don't wake up in the morning worrying about (compliance), so much as they're worried about the development of their product, market penetration and other types of issues. Those are really interesting clients. I love representing startups. They have unique attributes that can make the work particularly challenging, but it's fulfilling to be part of a company that's growing and interested in growing in a compliant way.

The Privacy Advisor: How would you describe your approach to advising clients who may have varying levels of subject area knowledge for privacy-related concerns?

Morgan: When I talk with existing and prospective clients, they appreciate the advice given has value, is practical and is delivered with humility and an understanding of their business. We want to empathize with our clients because being an internal privacy person can be a really difficult job. For many of the privacy professionals we work with, sometimes the hardest part of their job is just getting the organization to respond to them and their concerns.

The Privacy Advisor: You practice in California, the nexus of U.S. privacy activity in recent years. What’s it been like to watch privacy’s legal landscape evolve as you’ve gone about your career?

Morgan: You see a lot of things come and a lot of things go. You see business and technology cycles play out. The reason people get into this profession is to do something dynamic and changing. In the early 2000s, working on privacy stuff, it felt like every project was a little bit different. We didn't have checklists for the first call with clients about a data security incident or any of the privacy things we take for granted now. There had to be a version 1.0 for everything.

The Privacy Advisor: When you look at the California Privacy Rights Act, set to go into effect at the beginning of 2023, do you have any concerns about unresolved issues?

Morgan: We probably have several dozen CPRA projects going on for clients right now. We’re working to make progress with our clients and get them in good shape by the end of the year. We would love additional clarity around the meaning of the key provisions in CPRA and additional clarity in terms of the regulations. But I think clients are doing a pretty good job and, from an overall risk perspective, it will be very interesting to see the development of the enforcement agency here in California. Everybody's got eyes on that.

The Privacy Advisor: Given how the legislative process played out with the American Data Privacy Protection Act this year, do you see the California delegation’s opposition to preemption as a near-term intractable problem to passing a comprehensive federal privacy bill?

Morgan: For now, it's intractable. Members of the California delegation will not drop their objections to a federal law that includes preemption. I think California, for the time being, is committed to that approach. It'll be interesting to see how it plays out in the coming years. I expect we will get something at some point. And it's going to be something nobody is truly happy with. It will involve compromises, but there needs to be some federal legislation in the space.