Kyle Kessler

Managing Associate

Los Angeles


Read full biography at www.orrick.com

For Kyle Kessler, data privacy is where her passion for the law and for cutting-edge programs meets technology. With a background in marketing, public relations and communications, she translates marketing concepts into legal terms. Kyle brings more than a decade of business acumen and experience to her work, and companies turn to her for advice that blends practical business strategies with in-house and outside counsel perspectives.

As a privacy advisor, Kyle is undaunted by the complexity of state, federal and international data privacy and security requirements. She evaluates and advises clients on data collection, storage, use and transfer, as well as breach laws and regulations. Kyle advises on the Children’s Online Privacy Protection Act (COPPA), California Online Privacy Protection Act (CalOPPA), the new California Consumer Privacy Act of 2018 (CCPA) and on the EU General Data Protection Regulation (GDPR) from a U.S. perspective.

Kyle also advises and collaborates with her clients on general consumer protection and marketing/advertising matters. For instance, she regularly reviews marketing assets to ensure legal compliance across all channels. She also advises on unfair and deceptive trade practices, compliance issues relating to the Federal Trade Commission and the National Advertising Division (NAD) of the Better Business Bureau, the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA), as well as on other state and federal laws.

Before joining Orrick, Kyle was an in-house attorney at one of the Forbes 100 Largest Private Companies, and she has experience in the retail industry working in, among other things, data protection, incident response, unfair and deceptive trade practices and consumer-protection matters.

Kyle is an active member of the International Association of Privacy Professionals (IAPP), the LGBT Bar Association of Los Angeles and Women in Security and Privacy (WISP).

Posts by: Kyle Kessler

EUR 30,000 for “a simple cookie banner”?!? – Spanish Supervisory Authority fines airline for non-compliance

The Spanish supervisory authority agencia española protección datos (“Supervisory Authority”) has issued a fine (the original Spanish document can be accessed here) against an airline based on their use of a cookie banner, which the Supervisory Authority considered not to be compliant with privacy provisions.

In issuing the fine, the Supervisory Authority referred to Art. 22.2 of the Spanish Act of the Services of the Information Society and Electronic Commerce (Ley de Servicios de la Sociedad de la Información—“LSSI”) rather than the General Data Protection Regulation (“GDPR”). Art. 22.2 LSSI is based on the ePrivacy Directive, which is still in effect and is not replaced by the provisions of the GDPR—we note, however, that the ePrivacy Directive would likely be replaced by the provisions of the proposed ePrivacy Regulation, which is still being negotiated.

This fine highlights the European data protection authorities’ continued concern over the collection of personal information through cookies and other tracking technologies and should thus attract the attention of companies that provide websites to customers in the EU. The decision might set the standard for fines on the lack of consent for cookies and is in line with the rather conservative view of the European Court of Justice (“CJEU”) in its recent court decision, which explicitly referred to the GDPR (please also see our blog post on the CJEU’s decision). READ MORE

Nevada Passes Opt-Out Law, Effective October 2019 – Three Months Before the CCPA

Following in California’s footsteps, Nevada has passed a new privacy law providing consumers the right to opt out of the sale of their personal information. Senate Bill 220 (SB-220), signed into law by Governor Steve Sisolak on May 29, 2019, amends Nevada’s existing online privacy statute, NRS 603A.340, to include a requirement that online operators provide consumers with a means to opt out of the sale of specific personal information collected by websites or online services. The act goes into effect on October 1, 2019 – three months ahead of the January 1, 2020 effective date of the California Consumer Privacy Act (CCPA) – which may force companies to fast track implementation efforts for opt-out requests in particular. READ MORE

Putting Individuals In The (Urth)Box: FTC Goes After Individual Executives For Unfair And Deceptive Practices

In an increasing trend, the Federal Trade Commission (FTC) joined other federal regulators seeking to hold individuals – not just companies – liable in enforcement proceedings. The most recent target was San Francisco-based UrthBox, Inc. and its principal, Behnam Behrouzi. Specifically, Urthbox and Behrouzi agreed to settle FTC allegations that UrthBox engaged in unfair or deceptive acts or practices by: (1) failing to adequately disclose key terms of its “free trial” automatic renewal programs, and (2) misrepresenting that customer reviews were independent when, in fact, UrthBox provided customers with free products and other incentives to post positive reviews online.[1]

READ MORE

2019 IAPP Global Privacy Summit: Lessons from GDPR, Plans for CCPA and the Future of U.S. Privacy Law

At the beginning of this month, more than 4,000 privacy professionals from around the globe gathered in Washington, D.C. for the International Association of Privacy Professionals’ Global Privacy Summit 2019. The conference focused on lessons learned from the first year of GDPR enforcement in Europe, the expansion of European-style rights to more jurisdictions around the world, plans for addressing new obligations imposed by the CCPA in California, and the future of privacy law in the United States including whether federal legislature is likely or desired – especially in light of the CCPA and similar proposed legislation in states throughout the nation. READ MORE

California Sets the Standard With a New IoT Law

This past September Governor Brown signed into law Senate Bill 327, which is the first state law designed to regulate the security features of Internet of Things (IoT) devices. The bill sets minimum security requirements for connected device manufacturers, and provides for enforcement by the California Attorney General. The law will come into effect on January 1, 2020, provided that the state legislature passes Assembly Bill 1906, which is identical to Senate Bill 327. READ MORE

Making Your Head Spin: “Clean Up” Bill Amends the California Consumer Privacy Act, Delaying Enforcement But Making Class Litigation Even MORE Likely

The California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”), which we reported on here and here continues to make headlines as the California legislature fast-tracked a “clean up” bill to amend the CCPA before the end of the 2018 legislative session. In a flurry of legislative activity, the amendment bill (“SB 1121” or the “Amendment”) was revised at least twice in the last week prior to its passage late in the evening on August 31, just hours before the legislative session came to a close. The Amendment now awaits the governor’s signature.

Although many were hoping for substantial clarification on many of the Act’s provisions, the Amendment focuses primarily on cleaning up the text of the hastily-passed CCPA, and falls far short of addressing many of the more substantive questions raised by companies and industry advocates as to the Act’s applicability and implementation. READ MORE