New California Connected Devices Law Dictates Security Features for Manufacturers

Publication year: 2020
Author: Aigerim Dyussenova, Esq.

Aigerim Dyussenova is with Twitter's Legal Policy team, where she works on matters dealing with U.S. and international laws regarding freedom of speech. She is the current Education Chair of the CLA BLS Internet and Privacy Law Committee. In her free time, she explores privacy laws and compliance and ubiquitous internet platform products that provide social networking.

The nation's first bill regulating the Internet of Things (IoT) became operative January 1, 2020, in California.[1] The law requires manufacturers of IoT devices sold in California to provide reasonable security features appropriate to the nature of the device. Gartner Research predicted IoT growth from 6.4 billion devices in 2019 to 25 billion devices in 2020.[2] Any device sold in California after January 1, 2020, needs to comply with the law. In the 1990s, John Romkey created a toaster that could be turned on and off over the Internet, but ever since then, manufacturers have had no laws holding them accountable for IoT security protection.

Passing the California law was an ongoing work-in-progress, beginning in 2017, when California State Senator Hannah-Beth Jackson introduced the first draft as Senate Bill 327.[3] California Assemblywoman Jacqui Irwin sponsored similar IoT legislation, Assembly Bill 1906, and read her first draft of that bill in 2018.[4] The California Legislature reconciled the language of both bills. Each bill was contingent on passage of the other and included a provision to become operative in January 2020.

To Whom Does the Law Apply?

The law applies to device manufacturers and third-party contractors who manufacture devices offered for sale in the state of California, even if the manufacturer or contractor is headquartered out of state. This could mean that companies might leave the California marketplace entirely or else adopt the changes required by the law across all states, because it would be cost-prohibitive to manufacture devices with different specifications for each state.

What Restrictions Have Been Implemented by the Law?

The restrictions contained in the law would help protect California consumers from IoT-related privacy breaches. The security measures imposed on manufacturers are as follows:

  1. The law states that connected devices should be equipped with reasonable standards appropriate to the nature and function of the device. The law does not dictate one standard feature but uses generic terminology so that all classes of IoT devices can comply. Considering that there are billions of IoT devices and that number is expected to increase dramatically, this generalized standard may be appropriate.
  2. The law also requires that privacy protection features be tailored to the type of information the device may collect, contain, or transmit. It appears that California legislators are finally understanding various nuances around IoT and have started taking them into account in adopting privacy-related security measures.
  3. The law explicitly states that devices should be designed to protect from unauthorized access, destruction, use, modification, or disclosure; however, the law addresses...
