Effective January 1, 2020, according to a new Cal. Civ. Code § 1798.91.04(a), manufacturers of connected devices offered for sale or sold in California must equip such devices with reasonable security features to protect the device and any information contained in them from unauthorized access, destruction, use, modification, or disclosure.
Unlike the GDPR and other data privacy laws, which impose obligations on data controllers and processors, the Californian law applies to organizations irrespective of whether they control or process personal data through the device. It requires manufacturers to make secure products, so that their customers can meet ‘data protection by design’ obligations. This is a very interesting and novel development – potentially directional for the automotive and other sectors (e.g. drones).
The term “connected device” is defined broadly and includes any “device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address". This definition will catch products ranging from a cordless keyboard to a connected car (possibly subject to preemption by federal or more product-specific laws).
Reasonable security features
The security features must be appropriate to the nature and function of the device, as well as to the information the device may collect, contain, or transmit. The law expressly states that if a connected device is equipped with a means for authentication outside a local area network, it is a deemed a reasonable security feature if:
the pre-programmed password is unique to each device manufactured; or
the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
Manufacturers are free to opt for security features beyond these two alternatives, but if they opt for one of these alternatives, they can rely on the statutory safe harbor according to which one of these two measures would be sufficient.
Clarifications and limitations
The new law does not impose on manufacturers of connected devices any duty in relation to unaffiliated third-party software or applications that a user may choose to add to a connected device. Nor does it impose on them any duty to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user’s discretion.
Moreover, the new law does not impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with the new data security requirements.
These clarifications and limitations are important as they discourage manufacturers from locking up devices. Rather they encourage manufacturers and after-market suppliers to keep device architectures, interfaces and add-on features open and interoperable in the interest of competition, sustainability and consumer welfare. See here for an article advocating for open devices in the automotive sector.
The new law will be enforced only by the California Attorney General, not private plaintiffs. But, private plaintiffs may nevertheless attempt to refer to the new law when they pursue other causes of action, for example, to show breach of a duty for purposes of asserting negligence.