California on the Verge of Passing Nation’s First “Internet of Things” Law

Published: Sep. 20, 2018

Updated: Oct. 05, 2020

Note: SB 327 was signed into law on September 28, 2018.

The California State Senate has passed a bill (SB 327) that would make California the first state to regulate the security of the Internet of Things (“IoT”). Coming on the heels of the California Consumer Privacy Act enacted in June, SB 327 awaits Governor Brown’s signature, which is required by September 30th if the bill is to become law. If signed, the bill would go into effect on January 1, 2020.

The bill would require manufacturers of connected devices to equip devices with reasonable security features that are (1) appropriate to the nature and function of the device; (2) appropriate to the information collected, contained in, or transmitted by the device; and (3) designed to protect the device and information it contains from unauthorized access, destruction, use, modification, or disclosure. It broadly defines a “connected device” as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an IP or Bluetooth address.”

Despite this broad obligation, the bill also arguably provides that manufacturers can comply with the “reasonable security feature” requirement by ensuring that each connected device that is equipped with a means for authentication outside a local area network either (1) contains a unique preprogrammed password (i.e., no standard default login credentials, like “admin”), OR (2) requires a user to generate a new means of authentication (presumably a new password) before being granted access to the device for the first time. However, due to some ambiguity in the drafting of the bill, it is unclear whether implementing these authentication measures is entirely sufficient to comply with the “reasonable security” requirement, or if it is merely a necessary component of compliance.

The bill’s “reasonable security features” requirement is similar to existing California law mandating that companies implement “reasonable security,” and the bill’s password requirement is similar a recommendation made by the FTC in its 2015 IoT Report to encourage companies to require that consumers change any default passwords.

Device manufacturers already regulated by the Health Insurance Portability and Accountability Act (“HIPAA”) or the California Confidentiality of Medical Information Act are exempt from compliance with the law. While there is no private right of action in the bill, the California Attorney General, a city attorney, a county counsel, or a district attorney have enforcement authority.

Both the U.S. House and the Senate have introduced bills focusing on IoT, though neither bill has gained traction. Should the California bill pass, it could prompt other states, as well as the federal government, to enact laws further regulating privacy and security.