-
Trusted Privacy and Cybersecurity Expertise
Leveraging more than two decades of experience in privacy and cybersecurity, Matthew helps clients in numerous industries comply with a wide variety of laws, regulations, self-regulatory requirements, industry standards, and best practices.
-
Deep Transactional Experience
Matthew's greater than 20 years of experience as a transactional lawyer, coupled with deep privacy and cybersecurity experience spanning back to 2004, has allowed him to establish and manage a leading practice—one of the first in the U.S.—focused on advising on privacy, data protection, cybersecurity, and data collection, use, and processing matters, and drafting and negotiating related contracts and contractual provisions, in the context of mergers, acquisitions, securities offerings, strategic alliances, venture financings, and other corporate and commercial transactions.
-
Industry Certified
The International Association of Privacy Professionals has designated Matthew as a Certified Information Privacy Professional.
-
Matthew is a frequent contributor to the WSGR Data Advisor
Wilson Sonsini’s Data Advisor is your source for privacy news and insights, brought to you by our global privacy and cybersecurity team. Visit wsgrdataadvisor.com and subscribe to stay connected.
Matthew Staples is a partner in the Austin office of Wilson Sonsini Goodrich & Rosati. Matthew advises companies in numerous industries regarding privacy, data protection, cybersecurity, and data processing matters. Having worked extensively on privacy, data processing, and cybersecurity matters for more than 20 years, Matthew possesses deep experience that allows him to help clients ranging from start-ups to Fortune 100 companies in numerous industries, including autonomous vehicles, artificial intelligence (AI), electronic gaming, fintech, payments, adtech, Internet of Things (IoT), software-as-a-service (SaaS), the metaverse, cloud computing, pharmaceuticals, and others, comply with numerous laws, regulations, self-regulatory requirements, industry standards, and best practices applicable to their collection, use, disclosure, transfer, and other processing of data, and their rights in and to various data sets, while helping them understand and manage related risks. He helps clients navigate issues arising from novel and innovative data practices by offering practical risk assessments and pragmatic advice.
Matthew's experience as a transactional lawyer allowed him to establish and manage a leading practice, one of the first in the country, focused on addressing privacy, cybersecurity, and data acquisition, use, retention, and processing in the context of various transactions. He addresses these issues in the context of mergers, acquisitions, spin-offs, securities offerings, outsourcing transactions, strategic alliances, venture financings, and other corporate transactions, as well as in outsourcing agreements, services arrangements, vendor agreements, and other commercial transactions.
Matthew couples a pragmatic, business-friendly approach with extensive experience and drafting and negotiation acumen, allowing him to design approaches to address compliance risks, obtain rights to use and otherwise process critical data, and help clients complete their most critical transactions and achieve their business goals.
Matthew has been recognized annually in Lawdragon 500 Leading Global Cyber Lawyers since the inaugural edition was published in 2024. In addition, the International Association of Privacy Professionals has designated Matthew as a Certified Information Privacy Professional.
Matthew Staples is a partner in the Austin office of Wilson Sonsini Goodrich & Rosati. Matthew advises companies in numerous industries regarding privacy, data protection, cybersecurity, and data processing matters. Having worked extensively on privacy, data processing, and cybersecurity matters for more than 20 years, Matthew possesses deep experience that allows him to help clients ranging from start-ups to Fortune 100 companies in numerous industries, including autonomous vehicles, artificial intelligence (AI), electronic gaming, fintech, payments, adtech, Internet of Things (IoT), software-as-a-service (SaaS), the metaverse, cloud computing, pharmaceuticals, and others, comply with numerous laws, regulations, self-regulatory requirements, industry standards, and best practices applicable to their collection, use, disclosure, transfer, and other processing of data, and their rights in and to various data sets, while helping them understand and manage related risks. He helps clients navigate issues arising from novel and innovative data practices by offering practical risk assessments and pragmatic advice.
Matthew's experience as a transactional lawyer allowed him to establish and manage a leading practice, one of the first in the country, focused on addressing privacy, cybersecurity, and data acquisition, use, retention, and processing in the context of various transactions. He addresses these issues in the context of mergers, acquisitions, spin-offs, securities offerings, outsourcing transactions, strategic alliances, venture financings, and other corporate transactions, as well as in outsourcing agreements, services arrangements, vendor agreements, and other commercial transactions.
Matthew couples a pragmatic, business-friendly approach with extensive experience and drafting and negotiation acumen, allowing him to design approaches to address compliance risks, obtain rights to use and otherwise process critical data, and help clients complete their most critical transactions and achieve their business goals.
Matthew has been recognized annually in Lawdragon 500 Leading Global Cyber Lawyers since the inaugural edition was published in 2024. In addition, the International Association of Privacy Professionals has designated Matthew as a Certified Information Privacy Professional.
- J.D., UC Berkeley School of LawExecutive Editor, California Law Review; Senior Executive Editor, Berkeley Business Law Journal; Managing Editor, Berkeley Technology Law Journal; Fellow, Berkeley Center for Law and Technology
- B.S., Biology, Washington State UniversitySumma Cum Laude; Recipient, Presidential Scholarship; Recipient, S. Town Stephenson Award, University Honors College; Member, Phi Beta Kappa, Phi Eta Sigma, and Phi Kappa Phi honor societies
- Member, American Bar Association Section of Business Law (Privacy and Data Security Committee and Committee on Electronic Commerce)
- Member, American Bar Association Section of Science and Technology Law (E-Privacy Law Committee and Information Security Committee)
- Member, Washington State Bar Association
- Selected for inclusion in the 2025-2026 editions of the Lawdragon’s "500 Leading Global Cyber Lawyers" guide
- Named to Washington Super Lawyers' list of "Rising Stars" in 2011-2018
- State Bar of Texas
- State Bar of Washington
- U.S. Patent and Trademark Office
- J.D., UC Berkeley School of LawExecutive Editor, California Law Review; Senior Executive Editor, Berkeley Business Law Journal; Managing Editor, Berkeley Technology Law Journal; Fellow, Berkeley Center for Law and Technology
- B.S., Biology, Washington State UniversitySumma Cum Laude; Recipient, Presidential Scholarship; Recipient, S. Town Stephenson Award, University Honors College; Member, Phi Beta Kappa, Phi Eta Sigma, and Phi Kappa Phi honor societies
- Member, American Bar Association Section of Business Law (Privacy and Data Security Committee and Committee on Electronic Commerce)
- Member, American Bar Association Section of Science and Technology Law (E-Privacy Law Committee and Information Security Committee)
- Member, Washington State Bar Association
- Selected for inclusion in the 2025-2026 editions of the Lawdragon’s "500 Leading Global Cyber Lawyers" guide
- Named to Washington Super Lawyers' list of "Rising Stars" in 2011-2018
- State Bar of Texas
- State Bar of Washington
- U.S. Patent and Trademark Office
Select Matters
- Counseled clients on laws, regulations, industry standards, self-regulatory requirements, and best practices relating to privacy, data protection, cybersecurity, and data processing matters in numerous industries, including autonomous vehicles, artificial intelligence (AI), electronic gaming, fintech, payments, adtech, Internet of Things (IoT), software-as-a-service (SaaS), the metaverse, cloud computing, pharmaceuticals, and others
- Counseled clients regarding compliance with cybersecurity requirements imposed by numerous legal regimes, including the California Consumer Privacy Act, as modified by the California Privacy Rights and Enforcement Act, comprehensive privacy statutes in several other states, the enforcement activity of the Federal Trade Commission, sector-specific federal legislation, and other state laws, including biometrics legislation
- Prepared terms of service, privacy policies, and other forms of privacy notices for various online services and consumer-facing offerings
- Coordinated and conducted due diligence; negotiated representations, warranties, and covenants; and addressed transition and integration matters relating to privacy, data protection, and cybersecurity in connection with several hundred mergers, acquisitions, spin-offs, and other significant corporate transactions
- Counseled numerous clients regarding the acquisition, use, transfer, and other processing of data, including cross-border data transfers, in connection with mergers, acquisitions, asset sales, and other business transfers, including the design of practical solutions to permit the value of key data sets to be maintained while mitigating associated risks
- Assisted several clients in the drafting and negotiation of cybersecurity and data processing provisions in the context of outsourcing, other types of services arrangements, and numerous other commercial arrangements
- Assisted numerous clients with preparing appropriate risk factor disclosures, MD&A, and other contents of securities filings relating to data processing, AI, privacy, data protection, and cybersecurity
- Advised numerous companies on legal issues and risks, and strategies for managing the same, relating to the acquisition, use, disclosure, and other processing of data from third-party sources
- Counseled advertising technology companies regarding compliance with relevant laws, regulations, standards, and best practices
- Counseled developers of platform software, mobile device applications, connected devices, autonomous vehicles, and other consumer-facing services and interfaces regarding privacy, cybersecurity, and data processing issues
- Counseled clients regarding the CAN-SPAM Act, Telephone Consumer Protection Act, Telephone Sales Rule, junk fax legislation, mobile spam regulations, and other state and federal laws bearing upon email, text messaging and SMS, push messaging, and other forms of consumer communications in numerous jurisdictions
- Assisted several clients, including several large public companies, regarding the mitigation of, and other responses relating to, cybersecurity breaches and incidents, including the coordination of nationwide reporting to consumers, and making other required notifications and taking other required compliance steps, in compliance with security breach notification laws
- Counseled numerous clients regarding the Children's Online Privacy Protection Act, numerous laws in California and other states, seal program requirements, and other industry initiatives relating to the collection, use, and other processing of data relating to children within and outside of the educational context
- Counseled educational technology and other companies on laws, regulations, and other requirements applicable to the collection, use, and other handling of student records and other data collected and processed in the educational context
- Counseled companies on the application of the Video Privacy Protection Act in the context of online and mobile streaming
- Counseled wireless telecommunications carriers regarding location-based privacy and other issues pertaining to access to, and use and disclosure of, customer proprietary network information
- Counseled clients regarding compliance with the Payment Card Industry Data Security Standard and other security requirements relating to their acceptance, storage, and handling of cardholder data
Select Matters
- Counseled clients on laws, regulations, industry standards, self-regulatory requirements, and best practices relating to privacy, data protection, cybersecurity, and data processing matters in numerous industries, including autonomous vehicles, artificial intelligence (AI), electronic gaming, fintech, payments, adtech, Internet of Things (IoT), software-as-a-service (SaaS), the metaverse, cloud computing, pharmaceuticals, and others
- Counseled clients regarding compliance with cybersecurity requirements imposed by numerous legal regimes, including the California Consumer Privacy Act, as modified by the California Privacy Rights and Enforcement Act, comprehensive privacy statutes in several other states, the enforcement activity of the Federal Trade Commission, sector-specific federal legislation, and other state laws, including biometrics legislation
- Prepared terms of service, privacy policies, and other forms of privacy notices for various online services and consumer-facing offerings
- Coordinated and conducted due diligence; negotiated representations, warranties, and covenants; and addressed transition and integration matters relating to privacy, data protection, and cybersecurity in connection with several hundred mergers, acquisitions, spin-offs, and other significant corporate transactions
- Counseled numerous clients regarding the acquisition, use, transfer, and other processing of data, including cross-border data transfers, in connection with mergers, acquisitions, asset sales, and other business transfers, including the design of practical solutions to permit the value of key data sets to be maintained while mitigating associated risks
- Assisted several clients in the drafting and negotiation of cybersecurity and data processing provisions in the context of outsourcing, other types of services arrangements, and numerous other commercial arrangements
- Assisted numerous clients with preparing appropriate risk factor disclosures, MD&A, and other contents of securities filings relating to data processing, AI, privacy, data protection, and cybersecurity
- Advised numerous companies on legal issues and risks, and strategies for managing the same, relating to the acquisition, use, disclosure, and other processing of data from third-party sources
- Counseled advertising technology companies regarding compliance with relevant laws, regulations, standards, and best practices
- Counseled developers of platform software, mobile device applications, connected devices, autonomous vehicles, and other consumer-facing services and interfaces regarding privacy, cybersecurity, and data processing issues
- Counseled clients regarding the CAN-SPAM Act, Telephone Consumer Protection Act, Telephone Sales Rule, junk fax legislation, mobile spam regulations, and other state and federal laws bearing upon email, text messaging and SMS, push messaging, and other forms of consumer communications in numerous jurisdictions
- Assisted several clients, including several large public companies, regarding the mitigation of, and other responses relating to, cybersecurity breaches and incidents, including the coordination of nationwide reporting to consumers, and making other required notifications and taking other required compliance steps, in compliance with security breach notification laws
- Counseled numerous clients regarding the Children's Online Privacy Protection Act, numerous laws in California and other states, seal program requirements, and other industry initiatives relating to the collection, use, and other processing of data relating to children within and outside of the educational context
- Counseled educational technology and other companies on laws, regulations, and other requirements applicable to the collection, use, and other handling of student records and other data collected and processed in the educational context
- Counseled companies on the application of the Video Privacy Protection Act in the context of online and mobile streaming
- Counseled wireless telecommunications carriers regarding location-based privacy and other issues pertaining to access to, and use and disclosure of, customer proprietary network information
- Counseled clients regarding compliance with the Payment Card Industry Data Security Standard and other security requirements relating to their acceptance, storage, and handling of cardholder data
Select Publications
Matthew has authored or co-authored numerous publications, including the following:
- Co-author, “SEC Adopts Cybersecurity Disclosure Rules for Public Companies,” Wilson Sonsini Alert, August 1, 2023
- Co-author, “Considerations for M&A Transactions Involving Fintech Companies,” Wilson Sonsini Alert, June 15, 2023
- Co-author, “SEC Proposes New Cybersecurity Reporting and Enhanced Standardized Disclosure,” Wilson Sonsini Alert, March 16, 2022
- "California Consumer Privacy Act: Industry, Advocate, and Enforcement Concerns and Legislative Amendments," The WSGR Data Advisor, October 8, 2018
- "California Enacts Sweeping Privacy Law to Avert Potential Ballot Measure," The WSGR Data Advisor, July 3, 2018
- "New FTC Report Recommends Steps to Improve Mobile Security Updates," The WSGR Data Advisor, May 23, 2018
- "NAI Issues 2018 Update to Its Code of Conduct," The WSGR Data Advisor, January 24, 2018
- "Post-Spokeo Jurisdictional Divide Continues as Northern District of California Rejects TransUnion's Lack of Standing Argument," The WSGR Data Advisor, November 15, 2017
- Co-author with C. Readhead, "FTC Cracks Down on Lead Generation Company's Indiscriminate Sharing of Consumers' Sensitive Data," The WSGR Data Advisor, September 1, 2017
- Contributing Author, Guide to Cybersecurity Due Diligence in M&A Transactions, American Bar Association Business Law Section, ABA Publishing, 2017
- Co-author with J. Adams, "FAST Act Eases GLBA Compliance Burdens for Many Companies, Addresses Transportation and Infrastructure Privacy and Cybersecurity Issues," The WSGR Data Advisor, February 4, 2016
- "Privacy and Data Security Due Diligence," The WSGR Data Advisor, November 2015
- "Navigating Public Company Cybersecurity Obligations: Advising Boards and Disclosing to Investors," The WSGR Data Advisor, July 2015
- "Privacy and Data Security in Transactions: What's the Deal?" Eye on Privacy, February 2015
- "Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses," Eye on Privacy, July 2014
- "Kaiser Foundation Health Plan Settles California Attorney General Charges over Delayed Data Breach Notification," Eye on Privacy, March 2014
- "California Extends Security Breach Notification Requirements to Online Account Credentials," Eye on Privacy, November 2013
- "Digital Advertising Alliance Releases Guidance on the Application of Its Self-Regulatory Principles to the Mobile Environment," Eye on Privacy, September 2013
- "FTC Recommends Consumer Protections for Mobile Payment Industry," Intellectual Property and Technology Law Journal, June 2013
- "California Supreme Court Holds Song-Beverly Act Inapplicable to Online Businesses Selling Downloadable Products," Eye on Privacy, March 2013
- "FTC Releases Final Amendments to Children's Online Privacy Protection Rule," Eye on Privacy, January 2013
- "FTC Announces $1 Million Penalty for Children's Privacy Violations by Fan-Club Website Operator," Eye on Privacy, November 2012
- "FTC Proposes Additional Revisions to Children's Online Privacy Protection Rule," Eye on Privacy, September 2012
- "Myspace Reaches Consent Agreement with FTC over Misrepresentations in Privacy Policy," Eye on Privacy, May 2012
- "FTC Releases Final Privacy Report, Sets Forth Best Practices, and Calls for Federal Privacy, Data Security, and Breach Notification Legislation," Eye on Privacy, May 2012
- "New Principles for the Collection of Data Online Released," Law360, November 23, 2011
- "Red Flags Rules: Financial Institutions and Creditors with Covered Accounts Must Implement ID Theft Prevention Programs," American Bar Association Section of Antitrust Law, Insurance and Financial Services Committee Newsletter, Fall 2009
- "Security Breach Notification," 1 Privacy and Data Security Law Journal 391, 2006
- Contributor, American Bar Association E-Privacy Law Database
Select Speaking Engagements
- Speaker, 33rd Annual Technology Law Conference, University of Texas, May 21, 2020
- "Privacy and Cybersecurity: Hot Topics," Association of Corporate Counsel—Austin, Austin, Texas, June 28, 2018
- Panelist, "Cybersecurity Due Diligence and Cyber Risks in M&A Transactions," 2018 Investment Arbitration & Trans-Pacific Transactions Conference, ABA Section of International Law, Singapore, May 11, 2018
- Panelist, "Cybersecurity Due Diligence in Mergers and Acquisitions," ABA Section of Business Law Annual Meeting, September 14, 2017
- Panelist, "Dealing in Data: Privacy and Security in Commercial Transactions and M&A," IAPP Global Privacy Summit, Washington, D.C., April 20, 2017
- Panelist, "Cybersecurity Due Diligence in M&A Transactions," American Bar Association, Business Law Section Spring Meeting, April 2016
- "Current Privacy Issues: Big Data Analytics and Machine Learning," The Cloud and Big Data 2015, Law Seminars International, April 2015
Select Publications
Matthew has authored or co-authored numerous publications, including the following:
- Co-author, “SEC Adopts Cybersecurity Disclosure Rules for Public Companies,” Wilson Sonsini Alert, August 1, 2023
- Co-author, “Considerations for M&A Transactions Involving Fintech Companies,” Wilson Sonsini Alert, June 15, 2023
- Co-author, “SEC Proposes New Cybersecurity Reporting and Enhanced Standardized Disclosure,” Wilson Sonsini Alert, March 16, 2022
- "California Consumer Privacy Act: Industry, Advocate, and Enforcement Concerns and Legislative Amendments," The WSGR Data Advisor, October 8, 2018
- "California Enacts Sweeping Privacy Law to Avert Potential Ballot Measure," The WSGR Data Advisor, July 3, 2018
- "New FTC Report Recommends Steps to Improve Mobile Security Updates," The WSGR Data Advisor, May 23, 2018
- "NAI Issues 2018 Update to Its Code of Conduct," The WSGR Data Advisor, January 24, 2018
- "Post-Spokeo Jurisdictional Divide Continues as Northern District of California Rejects TransUnion's Lack of Standing Argument," The WSGR Data Advisor, November 15, 2017
- Co-author with C. Readhead, "FTC Cracks Down on Lead Generation Company's Indiscriminate Sharing of Consumers' Sensitive Data," The WSGR Data Advisor, September 1, 2017
- Contributing Author, Guide to Cybersecurity Due Diligence in M&A Transactions, American Bar Association Business Law Section, ABA Publishing, 2017
- Co-author with J. Adams, "FAST Act Eases GLBA Compliance Burdens for Many Companies, Addresses Transportation and Infrastructure Privacy and Cybersecurity Issues," The WSGR Data Advisor, February 4, 2016
- "Privacy and Data Security Due Diligence," The WSGR Data Advisor, November 2015
- "Navigating Public Company Cybersecurity Obligations: Advising Boards and Disclosing to Investors," The WSGR Data Advisor, July 2015
- "Privacy and Data Security in Transactions: What's the Deal?" Eye on Privacy, February 2015
- "Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses," Eye on Privacy, July 2014
- "Kaiser Foundation Health Plan Settles California Attorney General Charges over Delayed Data Breach Notification," Eye on Privacy, March 2014
- "California Extends Security Breach Notification Requirements to Online Account Credentials," Eye on Privacy, November 2013
- "Digital Advertising Alliance Releases Guidance on the Application of Its Self-Regulatory Principles to the Mobile Environment," Eye on Privacy, September 2013
- "FTC Recommends Consumer Protections for Mobile Payment Industry," Intellectual Property and Technology Law Journal, June 2013
- "California Supreme Court Holds Song-Beverly Act Inapplicable to Online Businesses Selling Downloadable Products," Eye on Privacy, March 2013
- "FTC Releases Final Amendments to Children's Online Privacy Protection Rule," Eye on Privacy, January 2013
- "FTC Announces $1 Million Penalty for Children's Privacy Violations by Fan-Club Website Operator," Eye on Privacy, November 2012
- "FTC Proposes Additional Revisions to Children's Online Privacy Protection Rule," Eye on Privacy, September 2012
- "Myspace Reaches Consent Agreement with FTC over Misrepresentations in Privacy Policy," Eye on Privacy, May 2012
- "FTC Releases Final Privacy Report, Sets Forth Best Practices, and Calls for Federal Privacy, Data Security, and Breach Notification Legislation," Eye on Privacy, May 2012
- "New Principles for the Collection of Data Online Released," Law360, November 23, 2011
- "Red Flags Rules: Financial Institutions and Creditors with Covered Accounts Must Implement ID Theft Prevention Programs," American Bar Association Section of Antitrust Law, Insurance and Financial Services Committee Newsletter, Fall 2009
- "Security Breach Notification," 1 Privacy and Data Security Law Journal 391, 2006
- Contributor, American Bar Association E-Privacy Law Database
Select Speaking Engagements
- Speaker, 33rd Annual Technology Law Conference, University of Texas, May 21, 2020
- "Privacy and Cybersecurity: Hot Topics," Association of Corporate Counsel—Austin, Austin, Texas, June 28, 2018
- Panelist, "Cybersecurity Due Diligence and Cyber Risks in M&A Transactions," 2018 Investment Arbitration & Trans-Pacific Transactions Conference, ABA Section of International Law, Singapore, May 11, 2018
- Panelist, "Cybersecurity Due Diligence in Mergers and Acquisitions," ABA Section of Business Law Annual Meeting, September 14, 2017
- Panelist, "Dealing in Data: Privacy and Security in Commercial Transactions and M&A," IAPP Global Privacy Summit, Washington, D.C., April 20, 2017
- Panelist, "Cybersecurity Due Diligence in M&A Transactions," American Bar Association, Business Law Section Spring Meeting, April 2016
- "Current Privacy Issues: Big Data Analytics and Machine Learning," The Cloud and Big Data 2015, Law Seminars International, April 2015
- Privacy Policy
- Terms of Use
- Accessibility