Companies Must Prepare for California’s New IoT Law on Security for Connected Devices

By: Tricia Meyer, Founder + Managing Attorney at Meyer Law

Manufacturers of “smart devices” from cell phones to smart speakers to smart appliances to tablets need to prepare to comply. Last year, California enacted SB 327 to regulate internet of things (“IoT”) devices and manufacturers of IoT products.

By January 1, 2020, businesses that manufacture “connected devices” that are sold or offered for sale in California, or contract with another business to manufacture products on their behalf, are required to implement “reasonable security features”. A “connected device” is a device with an ‘Internet Protocol’ or ‘Bluetooth’ address, and capable of connecting directly or indirectly to the ‘Internet’. The law requires manufacturers to implement “reasonable security features”, which is broadly defined as (i) appropriate to the nature and function of the device, (ii) appropriate to the information the connected device collects, contains or transmits and (iii) designed to protect the device and any information contained therein from unauthorized access, destruction, modification, use and/or disclosure. Further, each manufactured connected device should be equipped with a unique, unpredictable preprogrammed password and the connected device shall contain a security feature that requires a user to generate a new means of authentication before the user is granted access to the connected device for the first time.

As with many laws, there are exclusions, such as manufactured connected devices related to health care and federally regulated devices. In addition, if a company is purchasing and branding a connected device from a third party manufacturer, then the company may not need to comply; however a careful of the analysis of the relationship is required.

Failing to comply with the new law may lead to fines and penalties from the state. Further, any vulnerability may lead to breach of the California Consumer Privacy Act (“CCPA”) and other state privacy laws, exposing your company to potential litigation. Learn how to prepare for CCPA, here, and avoid the scramble. As with any new law, it’s important to discuss with your counsel to understand how it will impact your business.

This blog was created as of the date set forth above and is based on laws, decisions, rulings and materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. Please note, that this is not intended to be legal advice and this does not create an attorney-client relationship. If you need legal advice, please contact an attorney.

We use cookies and similar technologies to enhance the navigation of our website, analyze usage and assist in our marketing efforts, and you agree to this by viewing and accessing our website. Please see our Privacy Policy for more information.