There is no dispute that California is the leading state when it comes to technology and privacy regulations. In June 2018, the California legislature enacted the California Consumer Privacy Act, which is the broadest privacy law in the country. This law, which is slated to go into effect in 2020, provides consumers with considerable control over their personal data. There is also no current federal law in effect that addresses data privacy in such a comprehensive manner.
Now California has decided to address another issue that other state and federal lawmakers have yet to formally address—the security problems associated with connected devices. California’s Civil Code will gain a new section entitled “Security of Connected Devices” that will directly regulate the Internet of Things (“IoT”). While IoT can be a complicated topic, the term generally refers to any devices that are connected to a network that can share and analyze data. Examples include smart phones, activity trackers, and smart medical devices. The new section is scheduled to become effective on January 1, 2020.
Summary of California’s IoT Law
The new law requires that manufacturers who sell “connected devices” in California install reasonable security features on these devices that are “appropriate to the nature and function of the device; appropriate to the information it may collect, contain, or transmit; and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” Connected devices include “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”
The law also offers some guidance on what meets the reasonableness standard. Having unique preprogrammed passwords or requiring that first-time users provide authentication to gain access to a device qualify as reasonable security features. Additionally, a manufacturer’s responsibilities end after the device is sold. A user can modify the software and firmware on the device without the manufacturer facing liability for these alterations.
While this law will tighten up security on many devices, its reach is not absolute. The following is excluded from the scope of this regulation:
• Devices subject to federal law, regulations, or agency guidance
• Any person or entity seeking information from a device pursuant to HIPAA or California’s Confidentiality of Medical Information Act
• Law enforcement agencies that are legally requesting data
• Manufacturers of unaffiliated third-party software and applications the user downloads
• Electronic store, gateway, and marketplace providers
Another interesting component of the law is that no private right of action exists. The only avenue for enforcement is through the attorney general, city attorneys, county counsel, or district attorneys.
Internet of Things: What to Consider for Legal Practitioners
California’s IoT regulation will provide protection for connected devices and the data stored on them, making it harder for hackers to gain access. The law ensures that manufacturers address security and privacy concerns at the outset, which will put consumers at ease. This will surely decrease the number of security breaches and help safeguard personal information.
After the law’s enactment, device manufacturers, legal professionals, and consumers need to take note of when the state decides to seek enforcement and how the courts interpret the law. This will provide further guidance on what types of security features manufacturers need to install in order to be compliant, which will likely depend on the type of device and the information that users store on it. Future challenges will also determine what penalties manufacturers should expect after a violation, which may include a combination of injunctive relief and fines. Regardless, manufacturers should start implementing tighter security features in order to reach compliance under the new law. It will be interesting to see if other states decide to follow suit and pass their own IoT regulations in the near future.