Donna L. Wilson

Wilson, who leads Manatt, Phelps & Phillips LLP’s privacy and data security practice, is set to take over July 1 as the firm’s CEO and managing partner.

In late February, she served as co-chair and moderator of The Daily Journal’s Cybersecurity/Privacy Forum 2019, where she surprised attendees by announcing that state lawmakers were moving to make the new California Consumer Privacy Act—which takes effect Jan. 1, 2020—even tougher.

Wilson and her team spend a lot of time counseling clients on the new law, which as originally written allowed consumers to sue only when company data breaches occur. But after Attorney General Xavier Becerra and others called for strengthening the law, Democratic Senator Hannah-Beth Jackson of Santa Barbara introduced SB 561, which would expand consumer remedies by allowing private lawsuits over violations of any portion of the legislation, such as a failure to delete consumer data when requested.

“You could hear the gasp in the audience when I updated them,” Wilson said. “We are counseling clients across the country on how the statute will affect them.”

Wilson is well-versed in the world of data breaches. She represented Aetna Inc. in a 2017 breach in which letters the insurer sent about 12,000 members allegedly allowed personal health information, including HIV status, to be visible through an envelope window. Last year her team reached a $17 million settlement to avoid protracted litigation. Beckett v. Aetna Inc., 2:17-cv-03864 (E.D. Penn., filed Aug. 28, 2017).

The proposed changes to California’s law would rename it the Privacy for All Act of 2019. Foes mounting a counter-campaign include Alphabet Inc.’s Google and the U.S. Chamber of Commerce, which want Congress to shield them from the law by passing national pre-emptive legislation to override it. However that shakes out, the new emphasis on consumer privacy is keeping Wilson’s team on the go.

“We’re both business and legal advisors,” she said of Manatt’s role. “We describe our role as three buckets: Consulting and risk management; incident response; and litigation and enforcement. We help clients from an enterprise risk perspective, and we’re very busy.”

Complicating matters further, other states are considering their own privacy laws, many of them modeled on California’s.

Clients whose businesses are built around consumer data were already feeling the pressure of the European Union’s new General Data Protection Regulation, which took effect May 25, 2018.

“Some companies escaped the scope of the GDPR only to find themselves shortly afterwards facing the CPA,” Wilson said. “It’s a whole new world again for them, to be hearing that if they do business in California they will be encountering what some describe as a mini-GDPR. They’re not use to this, and we help them navigate the new requirements.”

—John Roemer