First Internet of Things Regulation Passes in California

Advertising Law

California is ready to take the lead yet again, this time with first-of-its-kind legislation regulating the Internet of Things (IoT).

A pair of identical bills—Assembly Bill 1906 and Senate Bill 327, both of which were approved by both the Senate and the Assembly—are joined together, meaning that Governor Jerry Brown must sign both for either to take effect. The legislation is currently sitting on his desk, waiting for signature.

The bills would apply to “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an IP or Bluetooth address,” such as thermostats, TVs, fitness trackers, refrigerators, automobiles, security cameras, and devices such as the Amazon Echo and Google Home.

Any manufacturer of connected devices (defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California”) would be required to implement “reasonable” security features that are appropriate to the nature and function of the device; appropriate to the information collected by, contained in or transmitted by the device; and designed to protect the device and information it contains from unauthorized access, destruction, use, modification or disclosure.

The legislation also requires that each connected device must be equipped with a password to authenticate the user before he/she is granted access to the device for the first time. The password can be either a unique preprogrammed password or a user-generated means of authentication.

Exemptions are available for entities and business associates covered by the Health Insurance Portability and Accountability Act, as well as “any connected device the functionality of which is subject to security requirements under federal law, regulations or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.”

The legislation explicitly states that it does not contain a private right of action, and places enforcement in the hands of government officials, including the state’s attorney general, a city attorney, county counsel or a district attorney. If enacted, the new law would take effect as of January 1, 2020.

To read SB 327, click here.

Why it matters: Governor Brown has until September 30 to sign the measures into law. If he does, California will once again forge a new path just months after the state made headlines with the California Consumer Privacy Act. Federal lawmakers have introduced IoT measures in recent years but have been unable to convince Congress to pass any legislation regulating the burgeoning industry.



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved