Matthew E.S. Coleman

Partner

New York

Boston

Matthew Coleman advises global companies on regulatory issues related to privacy, AI, cybersecurity and data governance and how to build world-class products enabled by digital trust.

Matthew develops global privacy, AI and cybersecurity programs to meet state, federal and international laws and self-regulatory regimes. He also leads Orrick’s data protection team in supporting mergers and acquisitions and data licensing transactions. Matthew counsels on cybersecurity breach preparedness and leads the immediate response after an incident to guide clients through an investigation, incident remediation, consumer and regulatory notifications and government inquiries.

Matthew helps clients comply with:

  • U.S. state comprehensive privacy laws, including the California Consumer Privacy Act of 2018 (CCPA)
  • The General Data Protection Regulation (GDPR)
  • U.S. state AI laws
  • U.S. state biometrics privacy laws, including Illinois’ Biometric Information Privacy Act
  • U.S. state consumer health data laws, including Washington’s My Health My Data
  • The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  • The Children’s Online Privacy Protection Act (COPPA)
  • The Fair Credit Reporting Act (FCRA)
  • The Gramm-Leach-Bliley Act (GLBA)
  • The Telephone Consumer Protection Act (TCPA) and state breach notification, biometric privacy and cybersecurity laws

He counsels on self-regulatory privacy programs, including:

  • NIST, ISO, AICPA and OECD frameworks for AI risk management and cybersecurity
  • Programs covering online behavioral advertising, including the Digital Advertising Alliance (DAA), the European Interactive Digital Advertising Alliance (EDAA), the Interactive Advertising Bureau (IAB) and the Network Advertising Initiative (NAI)
  • Payment Card Industry Data Security Standard
  • EU-U.S. Data Privacy Framework
  • Binding Corporate Rules
  • The Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPRs)

Matthew also acts as product counsel and provides compliance solutions for emerging technologies, including artificial intelligence and blockchain. His comprehensive data management knowledge enables clients to meet regulatory obligations while supporting business innovation, interoperability, growth and digital trust. He takes a risk‑based approach to developing and implementing policies governing the full lifecycle of personal information and manages data‑related relationships with vendors, employees, acquired entities and creditors. He also integrates privacy considerations into product development and change‑management processes.

Matthew’s past role with the Federal Trade Commission (FTC) helps clients stay compliant and avoid regulatory scrutiny. Prior to joining Orrick, Matthew was an Enterprise Privacy Solutions Manager for TrustArc (formerly TRUSTe), a San Francisco-based privacy consulting and certification firm, and an adjunct law professor of Privacy Law at Santa Clara University. Matthew is a Certified Information Privacy Manager and a Certified Information Privacy Professional with a specialization in United States privacy law.

    • Representing the developer of AI voice services in the development of its product, compliance controls addressing biometric, AI, publicity and privacy legal risks, and licensing digital replica services.
    • Conducting a comprehensive review of PolyAI Limited’s compliance with data protection and AI laws across the EU, UK and U.S. and implementing innovative risk mitigation strategies to address the complex legal challenges of its advanced voice assistant platform.
    • Representing a leading AI underwriting company, Orrick partnered to develop an industry-first safety and risk management standard for AI agent services aligned with frameworks like SOC-2 and the EU AI Act, and continues to advise on legal aspects of certification, contracting and go-to-market strategy.
    • Representing The Internet Society, Orrick developed a global privacy compliance program ensuring GDPR adherence for its international chapters, placing our team at the forefront of global data protection, privacy and cybersecurity policy.
    • Representing the largest casual dining chain in the U.S., Orrick strengthened the client’s cybersecurity, privacy and adtech practices by conducting risk assessments, updating regulatory disclosures, advising on state privacy law compliance and AI use and providing guidance on digital advertising and consumer protection.
    • Representing a nationally recognized horse racing complex, Orrick advised on compliance with new U.S. state privacy laws, managed wiretap litigation risks and guided the client through complex “do not sell” and “do not share” obligations for consumer-facing digital platforms.
    • Representing a major public research university system, Orrick is advising on privacy and advertising compliance for student health center websites by assessing data collection and transfer practices, reviewing Adtech use and ensuring regulatory adherence across multiple platforms.
    • Representing a major public university, Orrick is advising on privacy and advertising compliance for student health center websites by analyzing data collection and transfer practices, reviewing Adtech use and ensuring regulatory adherence for healthcare operations.
    • Representing a leading medical device company, Orrick advises on privacy and AI compliance for diabetes management products, including launching a direct-to-consumer monitor, navigating HIPAA and state privacy laws, developing an AI compliance program, negotiating privacy terms for a joint venture and ensuring compliance with the EU AI Act.
    • Representing an American cloud-based software company, Orrick advised on the acquisition of an AI-native document intelligence platform, enabling the client to enhance its suite with AI-powered contract and document analysis for over 10,500 organizations worldwide.
    • Representing a leading AI developer platform, Orrick advised on its acquisition by CoreWeave, enabling CoreWeave’s customers to accelerate AI innovation and expand its reach beyond hyperscale clients.
