Search for:
Author

Jonathan Tam

Browsing
Jonathan Tam is a licensed attorney in California and Ontario. He focuses on privacy, advertising, intellectual property, content moderation and consumer protection laws. He is passionate about helping clients achieve their commercial objectives while managing legal risks associated with activities involving data, information technology and media. Jonathan regularly writes about information technology and privacy, and is the Vice Chair of the Cybersecurity and Privacy Law Section of the Bar Association of San Francisco. He has completed secondments at a global payment services provider based in London, England and a world-leading tech company based in Silicon Valley. He joined Baker McKenzie as a summer associate in 2012 and has also worked in the Firm's Toronto office.

The early months of 2023 have brought a bumper crop of new state privacy legislation, with Tennessee and Montana legislatures poised to become the eighth and ninth states to enact comprehensive privacy laws. The Tennessee Information Protection Act and Montana Consumer Data Privacy Act, which both passed with unanimous votes out of their respective legislatures on 21 April 2023, follow the recent passage of privacy laws in Iowa and Indiana. The bills now land on their governors’ desks for signature. While the bills hew to broad trends in state privacy laws, each contains novel provisions.

Lawmakers have come to the conclusion that new regulations are needed to support the online protection and flourishing of children and young people. This has prompted the recent proliferation of codes, laws, bills and regulatory guidance documents aimed at governing how online service providers must interact with young people. Key examples are the UK Age-Appropriate Design Code and the California Age-Appropriate Design Code Act.

Companies around the world should start preparing for the Iowa Consumer Data Protection Act with respect to personal data of consumers in Iowa. With the Iowa Act, Iowa follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020, but excludes consumers acting in a commercial or employment context. Businesses that have implemented measures to comply with the CCPA and other US state privacy laws can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the Iowa Act. The Iowa Act becomes effective January 1, 2025 and does not include a look-back period for violations.

If you sell goods and services to consumers through automatically renewing payment plans, free or discounted trials that convert into full plans, or other “negative option features” that interpret a consumer’s silence as permission to keep charging them, you should monitor and consider submitting comments on the Federal Trade Commission’s proposed Negative Option Rule. The proposed rule would impose detailed transparency, consent, simple cancellation and annual reminder requirements on companies that use any medium to offer recurring subscriptions for products or services, and allow the FTC to seek civil penalties of over USD 50,000 per violation and consumer redress for violations.

US laws have traditionally given online services significant leeway to moderate user-generated content however they see fit. In particular, there is a long history of US courts relying on Section 230 of the Communications Decency Act (CDA 230) to reject a wide range of claims seeking to hold online services providers liable for hosting, displaying, removing or blocking third-party content, including under contract, defamation, tort and civil rights laws. CDA 230 does not protect online services providers from all claims related to third-party content. For example, there are statutory exceptions for IP infringements and criminal violations. But many commentators credit CDA 230 as one of the most important laws in the development of the internet by allowing online services providers to focus on growing their user base without having to discharge unduly burdensome duties to continuously review, assess and moderate user-generated content.

In brief Finalized regulations under the amended California Consumer Privacy Act (“CCPA”) are one step closer to becoming a reality. On February 3, 2023, the California Privacy Protection Agency (the “Agency”) voted to submit its proposed regulations to the Office of Administrative Law, which is one of the last steps before the…

Having to click through a gauntlet of screens to cancel recurring subscriptions. Being told you are foolish if you decline a service. Discovering you were charged extra fees that were not clearly brought to your attention earlier. Finding it hard or confusing to configure your privacy settings to high. These and similar experiences arise when you encounter “dark patterns”, a term that US authorities are increasingly using to refer to interface design strategies that manipulate users into making choices they likely wouldn’t have otherwise made and that may cause harm.

Companies around the world have to comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to personal data of consumers in Virginia. With the VCDPA, Virginia follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020, but excludes employee and business representative data from its scope.

On 1 January 2023, the California Consumer Privacy Act as revised by the California Privacy Rights Act will take effect fully in the job applicant and employment context.
And with respect to job applicants and personnel, businesses subject to the California Consumer Privacy Act will be required to (i) issue further revised privacy notices, (ii) be ready to respond to data subject requests, (iii) have determined if they sell or share for cross context behavioral advertising personal information about them, and (iv) have determined if they use or disclose sensitive personal information about them outside of specific purposes. If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply.