Search for:

Jonathan Tam

Jonathan Tam is a licensed attorney in California and Ontario. He focuses on privacy, advertising, intellectual property, content moderation and consumer protection laws. He is passionate about helping clients achieve their commercial objectives while managing legal risks associated with activities involving data, information technology and media. Jonathan regularly writes about information technology and privacy, and is the Vice Chair of the Cybersecurity and Privacy Law Section of the Bar Association of San Francisco. He has completed secondments at a global payment services provider based in London, England and a world-leading tech company based in Silicon Valley. He joined Baker McKenzie as a summer associate in 2012 and has also worked in the Firm's Toronto office.

US laws have traditionally given online services significant leeway to moderate user-generated content however they see fit. In particular, there is a long history of US courts relying on Section 230 of the Communications Decency Act (CDA 230) to reject a wide range of claims seeking to hold online services providers liable for hosting, displaying, removing or blocking third-party content, including under contract, defamation, tort and civil rights laws. CDA 230 does not protect online services providers from all claims related to third-party content. For example, there are statutory exceptions for IP infringements and criminal violations. But many commentators credit CDA 230 as one of the most important laws in the development of the internet by allowing online services providers to focus on growing their user base without having to discharge unduly burdensome duties to continuously review, assess and moderate user-generated content.

In brief Finalized regulations under the amended California Consumer Privacy Act (“CCPA”) are one step closer to becoming a reality. On February 3, 2023, the California Privacy Protection Agency (the “Agency”) voted to submit its proposed regulations to the Office of Administrative Law, which is one of the last steps before the…

Having to click through a gauntlet of screens to cancel recurring subscriptions. Being told you are foolish if you decline a service. Discovering you were charged extra fees that were not clearly brought to your attention earlier. Finding it hard or confusing to configure your privacy settings to high. These and similar experiences arise when you encounter “dark patterns”, a term that US authorities are increasingly using to refer to interface design strategies that manipulate users into making choices they likely wouldn’t have otherwise made and that may cause harm.

Companies around the world have to comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to personal data of consumers in Virginia. With the VCDPA, Virginia follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020, but excludes employee and business representative data from its scope.

On 1 January 2023, the California Consumer Privacy Act as revised by the California Privacy Rights Act will take effect fully in the job applicant and employment context.
And with respect to job applicants and personnel, businesses subject to the California Consumer Privacy Act will be required to (i) issue further revised privacy notices, (ii) be ready to respond to data subject requests, (iii) have determined if they sell or share for cross context behavioral advertising personal information about them, and (iv) have determined if they use or disclose sensitive personal information about them outside of specific purposes. If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply.

Businesses that have implemented measures to comply with the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the Colorado Privacy Act (CPA). However, the CPA, and the recently published proposed CPA Rules, contain certain unique and prescriptive requirements that may warrant taking a CPA-specific approach to compliance. How the finalized CCPA regulations and CPA Rules look will largely dictate whether companies will need to expand or change the scope of their privacy compliance measures to meet the obligations set forth under both California’s and Colorado’s privacy regimes.

California recently enacted the California Age-Appropriate Design Code Act (“Act”) with the stated intention of requiring businesses to consider the best interests of minors under the age of 18 when designing, developing and providing online services. If your business currently offers online services that are likely to be accessed by minors in California, you should consider starting to prepare Data Protection Impact Assessments in accordance with the Act as soon as possible because the law will require covered businesses to undertake such assessments before offering these services to the public, and it will take time to address the risks identified by the assessments before the Act fully takes effect on 1 July 2024.

The California Privacy Rights Act of 2020 (CPRA) amended the California Consumer Privacy Act of 2018 (CCPA) with most changes taking effect on 1 January 2023 with a twelve-month look-back. Limited exceptions concerning the personal data of employees and business contacts will expire. The new California Privacy Protection Agency (CPPA) has published draft regulations that will, once finalized, expand on the rules in the statute and existing regulations from the California Attorney General.