California has signed into law SB-327, which establishes new cybersecurity standards for devices capable of connecting (directly or indirectly) to the internet and that have a designated IP or Bluetooth address. By some estimates, nearly 12 billion of these internet-connected IoT units are already in use, from smart appliances to wearables, and together comprise what is commonly referred to as the “Internet of Things” (IoT).

The new law, effective January 1, 2020, applies to manufacturers of IoT devices—or to businesses who outsource the manufacturing of IoT devices—that are sold or offered for sale in California. Specifically, it requires covered parties to equip IoT devices with reasonable security that is “(1) appropriate for the nature and function of the device, (2) appropriate to the information it may collect, contain, transmit, and (3) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

Device manufacturers will not, however, have to satisfy these new security requirements in all situations.