California again leads the nation in privacy and cybersecurity regulation, this time passing a first-of-its-kind law to regulate Internet-connected devices. On September 28, 2018, Governor Jerry Brown signed into law SB-327/AB-1906 (Information privacy: connected devices). The law follows on the heels of the enactment of a watershed consumer privacy law, the California Consumer Privacy Act (“CCPA”), which Governor Brown signed into law three months earlier to the day. Although lawmakers at the federal level had previously proposed legislation that would lay the groundwork for regulation of Internet-connected devices, California again beats federal policymakers to the punch with the enactment of this law.
The law requires manufacturers of “connected devices” to equip devices with a “reasonable security feature or features.” 1798.91.04(a) (Cal. Civ. Code). Connected device is defined broadly to include any device that can connect to the Internet, directly or indirectly, and is assigned an IP or Bluetooth address. 1798.91.05(b). This definition therefore reaches a wide variety of increasingly ubiquitous consumer electronics (e.g., everything from Alexa to the latest Internet-connected children’s toy or appliance), in addition to other Internet of Things devices.
What is a reasonable security feature? The law includes a flexible standard as well as two specific password-based security features that are deemed to satisfy the law. The flexible standard requires that a reasonable security feature be all of the following: (1) appropriate to the nature and function of the device; (2) appropriate to the information it collects, contains, or transmits; and (3) designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure. 1798.91.04(a)(1)-(3). Although at first blush this flexible standard appears to mirror the Federal Trade Commission’s approach to data security, the touchstone of which is reasonableness, the law also supplies two concrete safe harbors that apply when the device can be logged into from outside a local area network: the device is deemed to have a reasonable security feature if (1) its preprogrammed password is unique to each device manufactured, or (2) it requires the user to generate a new means of authentication (for example, a new password) before access is granted for the first time. 1798.91.04(b)(1)-(2). Note that subdivision (b) is framed as subject to the requirements of subdivision (a), so the password safe harbors settle the question for the device's authentication path in particular rather than replacing the flexible standard wholesale.
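To make the two safe harbors concrete from an engineering standpoint, here is an added example (not code from the article, the statute, or any device vendor) that models a device's provisioning and login path. It assumes a hypothetical device that accepts logins from outside the LAN, so subdivision (b) applies, and all class, function and serial-number names are invented for illustration. It shows the pre-SB-327 pattern (one shared factory password, never forced to change) next to the two compliant patterns, a login routine that grants nothing but a password change while the factory credential is still in place, and a small fleet audit that flags units meeting neither safe harbor.

```python
"""Modelling the two SB-327 password safe harbors on a device's login path.

Added example, not from the article or from any vendor. Device, LoginError,
the function names and the serial numbers below are hypothetical.
"""
import secrets
import string
from collections import Counter
from dataclasses import dataclass

FACTORY_DEFAULT = "admin"   # one shared password across the whole product line
MIN_LENGTH = 12             # policy assumed for this example, not set by the statute
ALPHABET = string.ascii_letters + string.digits


@dataclass
class Device:
    serial: str
    password: str
    must_change: bool   # True while the factory credential is still in place


class LoginError(Exception):
    pass


# --- provisioning: how a unit leaves the factory ---------------------------

def provision_shared_default(serial: str) -> Device:
    """The pre-SB-327 pattern: every unit ships with the same password and
    nothing forces the owner to replace it. Meets neither safe harbor."""
    return Device(serial, FACTORY_DEFAULT, must_change=False)


def provision_unique_password(serial: str, length: int = 16) -> Device:
    """Safe harbor (b)(1): a preprogrammed password unique to each unit.
    Drawn from the OS CSPRNG; deliberately NOT derived from the serial or
    MAC, which are printed on the label or visible on the network and would
    make the 'unique' password guessable."""
    pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return Device(serial, pw, must_change=False)


def provision_forced_change(serial: str) -> Device:
    """Safe harbor (b)(2): a shared default is acceptable only because the
    user must generate a new credential before any other access is granted."""
    return Device(serial, FACTORY_DEFAULT, must_change=True)


# --- runtime policy --------------------------------------------------------

def login(device: Device, supplied: str) -> str:
    """Authenticate. Returns 'ok', or 'change_password' when the only action
    the device will permit is replacing the factory credential."""
    if not secrets.compare_digest(device.password.encode(), supplied.encode()):
        raise LoginError("bad credentials")
    return "change_password" if device.must_change else "ok"


def set_password(device: Device, current: str, new: str) -> None:
    """Replace the credential; clears the forced-change state on success."""
    login(device, current)   # raises LoginError on a wrong current password
    if len(new) < MIN_LENGTH or new == FACTORY_DEFAULT:
        raise ValueError("new password too short or equal to the factory default")
    device.password = new
    device.must_change = False


def fleet_findings(devices: list[Device]) -> list[str]:
    """Audit helper: serials of units whose password is shared with another
    unit and which do not force a change, i.e. units meeting neither safe harbor."""
    shared = Counter(d.password for d in devices)
    return [d.serial for d in devices
            if shared[d.password] > 1 and not d.must_change]


if __name__ == "__main__":
    # Constructed sample fleet: two legacy units, one of each compliant kind.
    fleet = [provision_shared_default("SN001"), provision_shared_default("SN002"),
             provision_unique_password("SN003"), provision_forced_change("SN004")]
    print("non-compliant units:", fleet_findings(fleet))
    print("first login on SN004:", login(fleet[3], FACTORY_DEFAULT))
```

The audit is intentionally conservative: a unit that ships with the shared default but forces a change on first access is not flagged, because that is exactly what (b)(2) permits, and a unit with a CSPRNG-generated per-device password is not flagged because it satisfies (b)(1). Whether a "unique" password derived from a public identifier such as the MAC address would survive the (a)(3) requirement is a question the statute's text does not answer, which is why the example avoids that shortcut.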
Unlike the CCPA, the law does not create a private right of action. Instead, it explicitly gives enforcement power to the California Attorney General and local authorities (city attorneys, county counsel, and district attorneys). 1798.91.06(e).
The law will go into effect on January 1, 2020. 1798.91.06(i).