Meyer Law
Close this search box.

Companies Must Prepare for California’s New IoT Law on Security for Connected Devices

Manufacturers of “smart devices” from cell phones to smart speakers to smart appliances to tablets need to prepare to comply. Last year, California enacted SB 327 to regulate internet of things (“IoT”) devices and manufacturers of IoT products.

By January 1, 2020, businesses that manufacture “connected devices” that are sold or offered for sale in California, or contract with another business to manufacture products on their behalf, are required to implement “reasonable security features”. A “connected device” is a device with an ‘Internet Protocol’ or ‘Bluetooth’ address, and capable of connecting directly or indirectly to the ‘Internet’. The law requires manufacturers to implement “reasonable security features”, which is broadly defined as (i) appropriate to the nature and function of the device, (ii) appropriate to the information the connected device collects, contains or transmits and (iii) designed to protect the device and any information contained therein from unauthorized access, destruction, modification, use and/or disclosure. Further, each manufactured connected device should be equipped with a unique, unpredictable preprogrammed password and the connected device shall contain a security feature that requires a user to generate a new means of authentication before the user is granted access to the connected device for the first time.

As with many laws, there are exclusions, such as manufactured connected devices related to health care and federally regulated devices. In addition, if a company is purchasing and branding a connected device from a third party manufacturer, then the company may not need to comply; however a careful of the analysis of the relationship is required.

Failing to comply with the new law may lead to fines and penalties from the state. Further, any vulnerability may lead to breach of the California Consumer Privacy Act (“CCPA”) and other state privacy laws, exposing your company to potential litigation. Learn how to prepare for CCPA, here, and avoid the scramble. As with any new law, it’s important to discuss with your counsel to understand how it will impact your business.

This blog was created as of the date set forth above and is based on laws, decisions, rulings and materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. Please note, that this is not intended to be legal advice and this does not create an attorney-client relationship. If you need legal advice, please contact an attorney.

Tricia Meyer 301

Tricia Meyer is Founder + Managing Attorney of Meyer Law, one of the fastest growing law firms in the United States. Meyer helps entrepreneurs and technology companies from startups to large corporations with day-to-day matters and notable clients include companies that have appeared on Shark Tank to companies gracing the Inc. 500 to some of the largest companies in the world.

Tricia has been named on the Forbes Next 1000 list, is one of the Most Influential Female Lawyers in Chicago according to Crain’s Chicago Business and been recognized as a top 10 technology lawyer.

As an entrepreneur and a lawyer, Meyer has a unique perspective and has mentored thousands of startups and scaling companies at tech incubators and accelerators across the United States such as 1871, WeWork Labs and Techstars. Tricia has been featured in Inc., Crain’s, Chicago Tribune, NBC Chicago, American Express OPEN Forum, and more. Learn more at and follow Meyer Law’s story on Instagram @loveyourlawyer.