1. Home
  2. People
  3. Gabale, Sulina

Sulina Gabale

Partner

ワシントンD.C.オフィス

Sulina Gabale is a Partner and founding member of Orrick’s Cyber, Privacy & Data Innovation practice, and is known for her collaborative approach and experience in guiding clients through complex privacy and consumer protection challenges with practical, creative solutions.

As innovation pushes the limits of technology, Sulina helps clients navigate the evolving boundaries of what is considered "personally identifiable information." She answers the question: how can we create tomorrow's technology with yesterday's privacy and consumer protection laws? Sulina works closely with innovators at all levels of a business – executives, engineers, marketing, product, HR and customer service teams – to understand their goals and the data they're collecting, using and sharing. She has significant experience helping clients harness Artificial Intelligence (AI) responsibly, ensuring that AI-driven data practices and products comply with evolving privacy requirements. Sulina places herself in both her client's and consumers' shoes to devise creative privacy-by-design solutions that withstand multi-national rules, government regulations, industry standards and consumer scrutiny.

Sulina counsels clients on a range of consumer protection issues with a focus on data innovation and children’s privacy, advising on compliance strategies that address evolving regulatory requirements and industry standards. Her practice emphasizes advisory and litigation-adjacent work, including risk remediation measures designed to deter future litigation and enforcement actions. Sulina has substantial experience navigating state anti-wiretapping laws and maintains a strong pulse on litigation and enforcement trends. She also advises on financial regulatory matters as they intersect with consumer protection, ensuring clients are well-positioned to respond proactively to emerging risks.

With experience in both data privacy and consumer protection, Sulina utilizes a comprehensive approach to counsel clients on a myriad of issues affecting consumers and businesses, including those arising from AI adoption. She routinely guides companies of all sizes through the existing patchwork of laws, self-regulatory standards and industry practice impacting data privacy and security. She advises clients subject to regulatory investigations and litigation involving a spectrum of a federal and state laws, including:

  • California Online Privacy Protection Act (CalOPPA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Family Educational Rights and Privacy Act (FERPA) and related state student data privacy laws
  • Fair Credit Reporting Act (FCRA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
  • Section 5 of the Federal Trade Commission Act (FTC Act)
  • U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states
  • State anti-wiretapping laws

Sulina advises companies of all sizes on the development of cutting-edge technologies and services, including—ad-tech, AI and machine learning, biometric tools, social media, robotics and IoT devices, marketing and promotions. Sulina began her legal career focusing on consumer protection and she continues to counsel clients on marketing and promotional issues, including interest-based ads, sweepstakes and promotions, automatic renewal and subscriptions, advertising substantiation; influencer programs, social media, SMS text messaging and telemarketing (including matters involving the Telemarketing Sales Rule (TSR) and the Telephone Consumer Protection Act (TCPA)) and other state and federal consumer protection laws.

Her practice is industry-agnostic. She has represented start-ups, Fortune 500s, non-profits, academic institutions and city governments across sectors such as fashion and ecommerce, financial services, retail, food and beverage and technology. Prior to law school, Sulina worked in journalism, entertainment and digital media – experience that helps her connect with clients personally and ensure her advice integrates legal solutions with business practicality.

  • Data Privacy and Cybersecurity:

    • Advising a Fortune 500 cryptocurrency company on global privacy compliance and risk mitigation, including analyzing state regulatory enforcement trends, operationalizing privacy frameworks across jurisdictions and advising on cutting-edge AI use cases.
    • Advising a Fortune 500 cryptocurrency company on global privacy compliance and risk mitigation, including analyzing state regulatory enforcement trends, operationalizing privacy frameworks across jurisdictions and advising on cutting-edge AI use cases.
    • Advising a global jewelry brand on U.S. state and federal privacy regulations (COPAA) and compliance for their proposed financial incentives and discrimination loyalty program for provisions.
    • Advising the world’s largest tire manufacturer, on developing and implementing a comprehensive international privacy compliance strategy across the US, UK, EU and Canada, including updating privacy notices and policies to ensure a harmonized, global approach for all brands and stakeholders.
    • Advising a leading national restaurant chain on strengthening its cybersecurity, privacy and adtech practices by conducting a comprehensive cybersecurity risk assessment, updating regulatory disclosures, analyzing state privacy law compliance gaps, advising on responsible AI and facial recognition use, and updating digital advertising and consent language to address consumer protection requirements.
    • Advising a leading global luxury products conglomerate on developing a comprehensive privacy playbook, conducting risk assessments in high-risk areas, and providing actionable compliance advice across multiple brands and industries.
    • Advised on and assisted with implementation of the California Consumer Privacy Act (CCPA) and new state consumer privacy laws for covered business and service providers across industries (e.g., retail, restaurant, technology, education).
    • Advised education technology (EdTech) provider on compliance with applicable student data privacy laws and drafted data protection addendum to incorporate relevant obligations.
    • Advised family and children’s social media mobile app on COPPA compliance and drafted specific disclosures and compliant consent mechanisms for various user flows focusing on UX.
    • Advised “smart oven” manufacturer on IoT-related privacy compliance and crafted internal policies and consumer disclosures consistent with applicable laws and industry standards.
    • Advised car manufacturer on autonomous vehicle laws, industry standards, and best practices for development of smart car capabilities.
    • Advised Fortune 500 company in designing and implementing global privacy compliance program and updating online privacy policies and “just-in-time” privacy notices.
    • Implemented privacy-by-design approach in development and launch of vehicle tracking smart devices by software company.
    • Advised AI/machine learning start-up on design of online privacy policies, mobile privacy policies and data collection practices and procedures.
    • Advised interest-based advertising company on industry best practices for tracking technologies deployed on customer sites and services and drafted relevant privacy and opt-out policies.
    • Analyzed, drafted and revised commercial agreements for Fortune 500 companies regarding the collection, use and disclosure of end user and employee data with service providers and business partners in a range of sectors.
    • Assisted renewable energy company with third party smart device integrations (e.g., smart thermostats) and applicable privacy obligations.
    • Advised cryptocurrency trading mobile app with regulatory compliance regime and end user privacy disclosures.
    • Advised state government, consumer lending company and major financial institution on proactive and reactive security breach incident protocols, including assisting on data breach analyses and notification to consumers, state AGs and regulatory entities under applicable state laws and regulatory requirements.
    • Advised Internet of Things (IoT) geolocation service provider in drafting and revising commercial agreements with business customers relating to data privacy and security to align with industry best practices and global data privacy regulations.
    • Assisted on buy sides, sell sides, investor and investee sides in mergers, acquisitions and funding diligence relating to data privacy and security practices.
    • Assisted in regulatory and self-regulatory investigations and litigation affecting data privacy issues (see below).

    Consumer Protection, Marketing and Sales:

    • Advising a major hotel and casino entertainment company on compliance with state biometric privacy laws, use of facial recognition software and license plate reader technology, and advanced digital advertising strategies, demonstrating the firm’s ability to guide consumer-facing brands through evolving privacy and adtech regulations and complex, high-risk business initiatives.
    • Advising a leading U.S. horse racing and entertainment company on compliance with new state privacy laws—including “do not sell” and “do not share” requirements—conducted data inventory reviews and provided counsel on mitigating wiretap litigation risk for its consumer-facing digital platforms.
    • Assisted cryptocurrency mobile app in designing invite-a-friend text messaging regime in compliance with TCPA, applicable state laws, and industry best practices.
    • Advised mobile app developer on advertising and promotional engagement, including use of ad-tech and the design and implementation of multi-channel social media influencer program.
    • Advised global blockchain company on launching an international hackathon under applicable privacy and consumer protection laws.
    • Assisted social media start-up with sweepstakes and contest design, compliance and commercial agreements/releases.
    • Assisted major grocery retailer on sales and advertising substantiation in-store and online disclosures to website and mobile app users, in compliance with Section 5 of the FTC Act and applicable FTC and FDA guidelines.
    • Assisted B2B platform offering text messaging services to retail customers on TCPA compliance in light of relevant case law and industry best practices and drafted FAQs and guidelines for customers.
    • Advised meal delivery e-commerce platform on automatic renewal laws and consumer disclosure requirements for subscription-based pricing.
    • Assisted in regulatory and self-regulatory investigations and litigation affecting consumer protection issues (see below).

    Regulatory Investigations and Litigation:

    • EdTech provider (successfully represented business in non-public FTC investigation involving alleged COPPA violations in connection with student-directed services and ad-tech).
    • Consumer financing company (FTC investigation relating to marketing of unique consumer financing product).
    • Mobile dating app (California Attorney General’s Office investigation relating to online privacy policies, disclosures and geolocation practices).
    • Cryptocurrency mobile app (class action litigation relating to the TCPA and consumer protection laws).
    • Consumer reporting agency (CFPB investigation relating to online disclosures to consumers).
    • Multinational technology company and mobile phone retailer (litigation and settlement relating to an individual consumer’s right to privacy).
    • Children’s electronic toy manufacturer (class action litigation relating to COPPA and FTC investigation).
    • National retailer (National Advertising Division investigation relating to substantiation of claims made to consumers).