The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The CCPA is front page news, and rightfully so. While the major focus has been, and continues to be, on the CCPA, another piece of legislation went into effect on January 1, 2020, which deserves attention.
Bill SB-327 – “Information Privacy: Connected Devices” – is California’s new Internet of Things (IoT) security law, and it requires “manufacturers” of “connected devices” to equip those devices with “reasonable security features.” While the language of SB-327 gives some guidance on what may be deemed “reasonable,” there is plenty of gray and likely much more in the way of interpretation up ahead.
The applicability of CA’s IoT law is massive. The definition of “connected device” is “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Use your imagination… just think about all of those connected devices that you have on you right now, in your office, waiting for you at home. And the law applies to all connected devices sold or offered for sale in California, regardless of where manufactured.
The law is clear that there is no private right of action and that the CA Attorney General, a city attorney, a county counsel, or a district attorney have exclusive authority to enforce the law. Good. What is absent from the legislation and, to date, unknown is the penalty for violating the law. Bad.