California is pressing forward with Internet of Things (IoT) legislation intended to help protect consumer privacy and safety from potential hacking of connected devices (that is, devices capable of connecting to the Internet). The legislation requires manufacturers of connected devices to equip those devices with reasonable security features appropriate to the nature of the device. The goal of the legislation is to protect consumers, but remain sufficiently flexible to accommodate disparate products and industries. Manufacturers that do not comply will face investigation and possible fines by California regulators.

Over the past several years, manufacturers have introduced connected versions of previously standalone devices such as thermostats, baby monitors, connected cars, smart watches and smart televisions, and fitness bands. Connecting a device to the Internet enables benefits such as better or more responsive service, real-time information, and increased consumer control.

However, in addition to these advantages, these devices’ direct connection to the Internet also exposes them to a wide variety of cyberattacks and may permit the compromise of potentially sensitive information stored on them. As the California Senate Floor Analysis explained in discussing the proposed legislation, connected devices collect “immense amount of private information . . . vulnerable to breaches” and may allow strangers to “conduct surreptitious surveillance on homes or to communicate through devices directly.”1 Data security issues, such as cyberattacks or reliability concerns, may also interfere in the functioning of a device, which may have harmful consequences where the device manages a critical process, such as the operation of a vehicle.2

Legislation potentially applies to manufacturers around the world. Like most privacy laws, because the legislation protects California consumers, the location of the device manufacturer is irrelevant. Therefore, the legislation could have extra-jurisdictional application to manufacturers around the world if they sell connected devices in California.

Legislation’s IoT data security requirements. Generally, the legislation requires manufacturers to implement security features for connected devices that must be: 

  1. Appropriate to the nature and function of the device
  2. Appropriate to the information it may collect, contain, or transmit, and
  3. Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

The legislation is not limited to certain devices or types of information. Instead, the legislation’s emphasis on the appropriateness of the data security features is based on the facts and circumstances, comparable to the context-based approach to “reasonable data security” required by Federal Trade Commission (FTC) guidance and consent orders and by state consumer protection laws.3 For example, the legislation appears to adhere to the FTC’s recommendation that legislatures adopt “strong, flexible, and technology-neutral legislation” to enforce data security.4 Likewise, as the FTC IoT Report noted, “[r]easonable and appropriate security practices are critical to addressing the problem of data breaches and protecting consumers from identity theft and other harms.”5

Nevertheless, the California legislature thought it worth specifically targeting one type of data security measure. The legislation imposes a specific requirement that connected devices capable of authentication outside a local area network must have a preprogrammed password that is unique to each device or the device must contain a security feature that requires a user to generate a new password or authentication mechanism before its use. 

Exceptions to the legislation’s data security requirements. The legislation contains several limitations:

  1. The bill will not impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device. This exception appears consistent with the FTC’s recent settlement with BLU, which held the manufacturing brand responsible for the data security measures implemented by the unaffiliated software vendors that BLU (and not the user) selected for installation on the device.
  2. App store providers are not covered by the legislation.
  3. Manufacturers can still permit consumers to exercise full control over the devices. For example, manufacturers may permit consumers to choose whether to modify the software or firmware running on the device.
  4. The legislation does not apply to connected devices already subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority. Presumably, this would exclude medical devices covered by FDA regulations and/or guidance.6
  5. A covered entity or health provider subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or California’s Confidentiality of Medical Information Act is not subject to the legislation with respect to the activity already regulated by those health privacy and security laws.

Enforcement. Finally, the legislation vests enforcement authority solely with the California Attorney General’s Office, a city attorney, a country counsel, or a district attorney. The legislation does not provide for a private right of action.

Analysis

Frequency of and risks from data breaches

Proponents of the bill argue that this legislation both supports privacy rights and addresses the safety risks of potentially hackable connected devices. As discussed above, the California legislature concluded that many of these devices collect a vast amount of personal and intimate information and are used to manage critical processes. In addition, as noted by the Privacy Rights Clearinghouse, a proponent of the legislation, consumers are often unaware of the data being collected by their devices and the related safety risks. Therefore, consumers commonly do not take steps to protect the security of the information on the connected devices, which may leave them at risk. Believing that California consumers could not fend for themselves without legislative action, California created an express requirement for manufacturers to implement reasonable security measures.

Overlapping regulation

The detractors’ primary argument against the legislation is that existing law has already sufficiently regulated this area. The Entertainment Software Association submitted that this Bill’s requirements are “not necessary to provide protections to California residents.” It contended that “[e]xisting law already requires manufacturers to implement reasonable privacy protections appropriate to the nature of the information they collect.” Historically, the FTC investigates companies when it believes they have failed to implement reasonable security controls under its unfairness or deception authorities in section 5 of the FTC Act.7  Many states, including California, also have laws that expressly require companies to implement reasonable data security (although these typically only apply to companies that themselves collect “personal information”).8

Ambiguity

The legislation leaves open the ongoing question of how the law should treat connected devices that have parts and software manufactured and developed by multiple parties. “Manufacturer” means “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” This definition may mean that the brand selling the product is responsible for compliance. It could also be interpreted to cover nearly any company involved in the manufacturing process. Fortunately for manufacturers, the legislation does not include a private right of action, so manufacturers would not be subject to class action litigation while courts clarify this ambiguity.

Next steps

Governor Jerry Brown signed the IoT legislation on September 28th. The legislation will take effect starting on January 1, 2020.

Implications for IoT products generally

Generally, implementing robust data security and privacy controls for consumer products requires an significant planning, design, and integration that remains flexible and takes into account security as a material product feature. Companies concerned about complying with the requirements of the new legislation should consider beginning to take the following steps now to improve and document security for their connected device products. Implement and document data security and privacy protections as part of the product development life cycle