Matthew E.S. Coleman

Managing Associate

New York

Matthew Coleman is a Managing Associate in Orrick’s Cyber, Privacy & Data Innovation practice group in New York. Matthew leverages years of experience in researching, auditing, counseling, and litigating complex, multi-jurisdictional issues surrounding privacy, cybersecurity and information governance. Matthew is a Certified Information Privacy Manager and a Certified Information Privacy Professional with a specialization in United States privacy law.

Matthew focuses his practice on helping clients develop global privacy programs to meet the requirements of an incomplete patchwork of privacy and cybersecurity laws, both in the United States and abroad, including the GDPR, CCPA and its progeny, GLBA, COPPA, FCRA, TCPA, CAN-SPAM and state breach notification and cybersecurity laws. He also has extensive experience guiding clients through mergers and acquisitions to identify and mitigate privacy and cybersecurity risks. Matthew routinely advises on emerging technologies, including artificial intelligence and blockchain, and helps clients navigate self-regulatory privacy programs such as Binding Corporate Rules, APEC CBPRs, programs covering online behavioral advertising including the DAA, EDAA, IAB and the NAI, and programs covering payment card processing. An ever-growing portion of Matthew’s practice involves helping companies prepare for privacy or security breaches and leading an immediate response in the event of an incident, successfully guiding clients through investigation, remediation, notification and ensuing government inquiries.

Matthew leans on his experience working for federal regulators to keep clients on the safe side of the watchful eye of the law. His understanding of overarching data management best practices helps him not only counsel beyond the letter of the law, but also facilitate worldwide expansion, interoperable business processes, and innovative uses of consumer data, all while maintaining user trust. His all-encompassing, risk-based approach involves developing and executing internal and external policies for the collection, use, disclosure, sharing, retention, transfer, and destruction of personal information. This includes managing contractual relationships with vendors, employees, acquired entities, and creditors as well as building privacy into companies’ product development life cycle and change management strategies. Prior to joining Orrick, Matthew was an Enterprise Privacy Solutions Manager for TrustArc (formerly TRUSTe), a San Francisco-based privacy consulting and certification firm, and an adjunct law professor of Privacy Law at Santa Clara University.

Posts by: Matthew E.S. Coleman

How to Move to Remote Work and Comply with U.S. Privacy and Cybersecurity Laws

Cybercriminals are known to attack networks and individuals at inopportune times of crisis—and the coronavirus pandemic unfortunately presents just such an opportunity as millions are accessing corporate networks and databases from home. This past weekend New Jersey and Connecticut joined the growing list of jurisdictions (e.g., California, Delaware, Illinois, Louisiana, Ohio, and New York) to issue orders effectively requiring non-essential workers to avoid the workplace, and in some cases, to shelter-in-place.

California Attorney General Releases Updated Drafts of Proposed CCPA Regulations

On February 7 and again on February 10, 2020, the California Attorney General Xavier Becerra released an updated draft of proposed regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”).  The updated drafts feature significant changes, clarifications and reversals of policy from the original proposal.

The updated draft regulations—available here (clean) and here (redline to the original October 2019 Draft)—reflect input gathered during the public comment period and series of public hearings which concluded on December 6, 2019. The first draft of the proposed regulations, the public comments and the transcripts and audio of the public hearings are available on the Attorney General’s CCPA webpage.  The Attorney General also updated the online cache of documents and other information relied upon in preparing the revised draft regulations here.


Orrick Webinar: New U.S. Privacy Laws – What Companies Need to Know

Webinar (recording available) | June.25.2019

Please join Heather Sussman and Matthew Coleman for the Cyber, Privacy & Data Innovation practice’s webinar “California’s and Nevada’s New Privacy Laws – What Companies Need to Know.”

California was the first U.S. state to enact a sweeping new privacy law, known as the CCPA, with an effective date of January 2020. Nevada has now enacted a scaled-down version of the CCPA that is slated to take effect even sooner – as early as October 2019.