Sulina Gabale


Washington, D.C.

Sulina Gabale is a Partner and founding member of the Cyber, Privacy & Data Innovation practice, named Privacy & Data Security Law Firm of the Year by Chambers USA in 2019.

As innovation pushes the limits of technology, those ideas challenge the boundaries of what is considered “personally identifiable information.” Sulina answers the question - how can we create tomorrow’s technology with yesterday’s privacy and consumer protection laws? Sulina works closely with innovators at all levels of a business – executives, engineers, marketing and product, HR and customer service teams – to gain a true understanding of their goals and the data they’re collecting, using and sharing. She places herself in her client’s shoes as well as in consumers’ mindset to devise creative privacy-by-design solutions, ensuring her client’s business and data innovation strategies withstand multi-national rules, government regulations, industry standards and consumer scrutiny.

With experience in both data privacy and consumer protection, Sulina utilizes a comprehensive approach to counsel clients on a myriad of issues affecting consumers and businesses. She routinely guides companies of all sizes through the existing patchwork of laws, self-regulatory standards and industry practice impacting data privacy and security. She advises clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws, including:

  • California Online Privacy Protection Act (CalOPPA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Family Educational Rights and Privacy Act (FERPA) and related state student data privacy laws
  • Fair Credit Reporting Act (FCRA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
  • Section 5 of the Federal Trade Commission Act (FTC Act)
  • U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Sulina advises companies of all sizes on the development and deployment of cutting-edge technologies and services, including ad-tech, AI and machine learning, biometric tools, social media, robotics and IoT devices, marketing and promotions and more. Sulina began her legal career focusing on consumer protection. She continues to counsel clients on marketing and promotional issues, including interest-based ads; sweepstakes and promotions; automatic renewal and subscriptions; advertising substantiation; influencer programs and social media; SMS text messaging and telemarketing (including matters involving the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA)); and other state and federal consumer protection laws.

Sulina’s practice is industry-agnostic. She has represented clients ranging from start-ups to Fortune 500s, non-profits, academic institutions and city governments across a range of industries from fashion and ecommerce, financial services, retail, food and beverage and technology services. Prior to law school, Sulina worked in the highly interactive fields of journalism, entertainment and digital media. This well-rounded background helps her connect with clients on a personal level, and ensure her advice integrates legal solutions with business practicality.

Before joining Orrick, Sulina was a member of the Privacy & Data Security Group; Entertainment & Media Group; and IP, Information & Innovation Group at Reed Smith, LLP in New York and Washington, D.C.

  • A representative selection of Sulina’s experience, includes the following:

    Data Privacy and Cybersecurity:

    • Advised on and assisted with implementation of the California Consumer Privacy Act (CCPA) and new state consumer privacy laws for covered business and service providers across industries (e.g., retail, restaurant, technology, education).
    • Advised education technology (EdTech) provider on compliance with applicable student data privacy laws and drafted data protection addendum to incorporate relevant obligations.
    • Advised family and children’s social media mobile app on COPPA compliance and drafted specific disclosures and compliant consent mechanisms for various user flows focusing on UX.
    • Advised “smart oven” manufacturer on IoT-related privacy compliance and crafted internal policies and consumer disclosures consistent with applicable laws and industry standards.
    • Advised car manufacturer on autonomous vehicle laws, industry standards, and best practices for development of smart car capabilities.
    • Advised Fortune 500 company in designing and implementing global privacy compliance program and updating online privacy policies and “just-in-time” privacy notices.
    • Implemented privacy-by-design approach in development and launch of vehicle tracking smart devices by software company.
    • Advised AI/machine learning start-up on design of online privacy policies, mobile privacy policies and data collection practices and procedures.
    • Advised interest-based advertising company on industry best practices for tracking technologies deployed on customer sites and services and drafted relevant privacy and opt-out policies.
    • Analyzed, drafted and revised commercial agreements for Fortune 500 companies regarding the collection, use and disclosure of end user and employee data with service providers and business partners in a range of sectors.
    • Assisted renewable energy company with third party smart device integrations (e.g., smart thermostats) and applicable privacy obligations.
    • Advised cryptocurrency trading mobile app with regulatory compliance regime and end user privacy disclosures.
    • Advised state government, consumer lending company and major financial institution on proactive and reactive security breach incident protocols, including assisting on data breach analyses and notification to consumers, state AGs and regulatory entities under applicable state laws and regulatory requirements.
    • Advised Internet of Things (IoT) geolocation service provider in drafting and revising commercial agreements with business customers relating to data privacy and security to align with industry best practices and global data privacy regulations.
    • Assisted on buy sides, sell sides, investor and investee sides in mergers, acquisitions and funding diligence relating to data privacy and security practices.
    • Assisted in regulatory and self-regulatory investigations and litigation affecting data privacy issues (see below).

    Consumer Protection, Marketing and Sales:

    • Assisted cryptocurrency mobile app in designing invite-a-friend text messaging regime in compliance with TCPA, applicable state laws, and industry best practices.
    • Advised mobile app developer on advertising and promotional engagement, including use of ad-tech and the design and implementation of multi-channel social media influencer program.
    • Advised global blockchain company on launching an international hackathon under applicable privacy and consumer protection laws.
    • Assisted social media start-up with sweepstakes and contest design, compliance and commercial agreements/releases.
    • Assisted major grocery retailer on sales and advertising substantiation in-store and online disclosures to website and mobile app users, in compliance with Section 5 of the FTC Act and applicable FTC and FDA guidelines.
    • Assisted B2B platform offering text messaging services to retail customers on TCPA compliance in light of relevant case law and industry best practices and drafted FAQs and guidelines for customers.
    • Advised meal delivery e-commerce platform on automatic renewal laws and consumer disclosure requirements for subscription-based pricing.
    • Assisted in regulatory and self-regulatory investigations and litigation affecting consumer protection issues (see below).

    Regulatory Investigations and Litigation:

    • EdTech provider (successfully represented business in non-public FTC investigation involving alleged COPPA violations in connection with student-directed services and ad-tech).
    • Consumer financing company (FTC investigation relating to marketing of unique consumer financing product).
    • Mobile dating app (California Attorney General’s Office investigation relating to online privacy policies, disclosures and geolocation practices).
    • Cryptocurrency mobile app (class action litigation relating to the TCPA and consumer protection laws).
    • Consumer reporting agency (CFPB investigation relating to online disclosures to consumers).
    • Multinational technology company and mobile phone retailer (litigation and settlement relating to an individual consumer’s right to privacy).
    • Children’s electronic toy manufacturer (class action litigation relating to COPPA and FTC investigation).
    • National retailer (National Advertising Division investigation relating to substantiation of claims made to consumers).