Matthew E.S. Coleman

Senior Associate

New York


Matthew Coleman advises on audits, litigates, and researches complex, multi-jurisdictional privacy, cybersecurity, and information governance issues. Matthew develops global privacy and cybersecurity programs to meet state, federal, and international laws and self-regulatory regimes, and identifies and mitigates risks during mergers and acquisitions. He also counsels on cybersecurity breach preparedness and leads the immediate response after an incident to guide clients through an investigation, incident remediation, consumer and regulatory notifications, and government inquiries.

Matthew helps clients comply with the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act of 2018 (CCPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the General Data Protection Regulation (GDPR), the Telephone Consumer Protection Act (TCPA), and state breach notification, biometric privacy, and cybersecurity laws. He counsels on self-regulatory privacy programs, including Binding Corporate Rules; the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPRs); programs covering online behavioral advertising, including the Digital Advertising Alliance (DAA), the European Interactive Digital Advertising Alliance (EDAA), the Interactive Advertising Bureau (IAB), and the Network Advertising Initiative (NAI); and programs covering payment card processing. Matthew also provides compliance solutions for emerging technologies, including artificial intelligence and blockchain.

Matthew’s federal regulatory experience helps clients stay compliant and avoid regulatory scrutiny. His comprehensive data management knowledge helps him counsel beyond the letter of the law and facilitates worldwide expansion, interoperable business processes, and innovative uses of consumer data while maintaining user trust. His all-encompassing, risk-based approach involves developing and executing internal and external policies for the collection, use, disclosure, sharing, retention, transfer, and destruction of personal information. This includes managing contractual relationships with vendors, employees, acquired entities, and creditors as well as building privacy into companies’ product development life cycle and change management strategies.

Prior to joining Orrick, Matthew was an Enterprise Privacy Solutions Manager for TrustArc (formerly TRUSTe), a San Francisco-based privacy consulting and certification firm, and an adjunct law professor of Privacy Law at Santa Clara University. Matthew is a Certified Information Privacy Manager and a Certified Information Privacy Professional with a specialization in United States privacy law.