Matthew helps clients comply with the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act of 2018 (CCPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the General Data Protection Regulation (GDPR), the Telephone Consumer Protection Act (TCPA), and state breach notification, biometric privacy, and cybersecurity laws. He counsels on self-regulatory privacy programs, including Binding Corporate Rules and the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPRs); programs covering online behavioral advertising, including the Digital Advertising Alliance (DAA), the European Interactive Digital Advertising Alliance (EDAA), the Interactive Advertising Bureau (IAB), and the Network Advertising Initiative (NAI); and programs covering payment card processing. Matthew also provides compliance solutions for emerging technologies, including artificial intelligence and blockchain.
Matthew’s federal regulatory experience helps clients stay compliant and avoid regulatory scrutiny. His comprehensive data management knowledge helps him counsel beyond the letter of the law and facilitates worldwide expansion, interoperable business processes, and innovative uses of consumer data while maintaining user trust. His all-encompassing, risk-based approach involves developing and executing internal and external policies for the collection, use, disclosure, sharing, retention, transfer, and destruction of personal information. This includes managing contractual relationships with vendors, employees, acquired entities, and creditors as well as building privacy into companies’ product development life cycle and change management strategies.
Prior to joining Orrick, Matthew was an Enterprise Privacy Solutions Manager for TrustArc (formerly TRUSTe), a San Francisco-based privacy consulting and certification firm, and an adjunct law professor of Privacy Law at Santa Clara University. Matthew is a Certified Information Privacy Manager and a Certified Information Privacy Professional with a specialization in United States privacy law.
His practice focuses on negotiating data licenses and other commercial contracts, drafting privacy notices, and providing practical product counseling. With experience managing hundreds of strategic transactions each year, David helps clients streamline compliance efforts and navigate complex regulatory and business challenges.
David’s work spans a range of technology industries, including PropTech, HealthTech, and EdTech among others. He regularly advises clients on privacy policies, terms of service, and data processing agreements, with a particular focus on compliance with the California Consumer Privacy Act (CCPA) and other state privacy laws, state data broker laws, AI regulations, the Children’s Online Privacy Protection Act (COPPA), and cross-border data transfer requirements under the EU and UK General Data Protection Regulation (GDPR). David also counsels clients on AI-powered products, on digital advertising, Internet law, and consumer protection, helping clients anticipate and address evolving legal risks.
A founding member of Orrick’s Boston office, David recently returned to Massachusetts after many years in Seattle. He is a member of the Boston Bar Association’s Privacy, Cybersecurity & Digital Law steering committee. David has also served as an adjunct professor at Harvard Law School, where he taught legal research and writing.
Anupam provides strategic support during the entire cybersecurity incident lifecycle, including leading tabletop exercises and assessments, advising on state breach notification laws, preparing notifications, and managing investigations and enforcement actions. He has worked on data breach investigations for companies in various sectors, helping them respond efficiently to sophisticated cyberattacks and advising them on regulatory investigations.
Anupam also has experience defending clients in class action litigation for alleged consumer privacy violations under the California Invasion of Privacy Act (CIPA), the California Constitution and the Washington Consumer Protection Act.
Behn advises gaming and gambling providers, large media companies, Fintech, blockchain and more traditional financial services participants, and other technology and consumer-focused companies on issues at the intersection of gaming, financial services, data privacy and governance and related regulatory areas. Clients turn to him for his ability to advise on the whole frame of issues they may encounter, and he is equally comfortable guiding emerging companies in the early stages of their lifecycles and mature, multinational public companies. Behn is at home in the courtroom – representing clients in cutting-edge gaming litigations, before regulatory bodies – helping the crypto industry address growing sanctions and other financial services obligations, and in the boardroom – assisting in the formation of significant commercial partnerships, brand licenses, acquisitions and other combinations.
Katy assists clients in their data breach investigations and cybersecurity incident response, including advising clients on data breach notification responsibilities and providing strategic advice on how to manage cybersecurity risks. She advises on enhancing existing privacy and information security policies and procedures, such as online privacy notices.
Her work includes counseling on compliance with the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) for day-to-day business operations and the development of new products.
Katy graduated from Boston College Law School. During that time, she externed in the Data Privacy & Security Unit at the Massachusetts Attorney General’s Office where she supported consumer protection enforcement actions. She also interned with The Future of Privacy Forum and in-house with a leading cloud-based software company.