Hey, Alexa, California's New IoT Law Requires Data Protections
“The lack of basic security features on internet connected devices undermines the privacy and security of California's consumers," a California lawmaker says.
September 28, 2018 at 11:32 PM
3 minute read
New mobile phones, refrigerators, children's toys and a range of other Internet-connected consumer products sold in California will have to contain “reasonable security features” starting in 2020, under legislation signed Friday by Gov. Jerry Brown.
Senate Bill 327 and Assembly Bill 1906 do not dictate specific steps manufacturers must take to block hackers or shield owners' personal information. Instead, the legislation says protections should be “appropriate to the nature and function of the device” and “appropriate to the information it may collect, contain, or transmit.”
The new law, which the authors say is the first in the nation, contains no private right of action and leaves enforcement in the hands of the attorney general, city and county counsel and district attorneys. There are no mandated penalties.
“The lack of basic security features on internet connected devices undermines the privacy and security of California's consumers, and allows hackers to turn everyday consumer electronics against us,” said Sen. Hannah-Beth Jackson, D-Santa Barbara, who authored the Senate bill. The Assembly bill, nearly identical, was enacted simultaneously.
The legislation “ensures that technology serves the people of California, and that security is not an afterthought but rather a key component of the design process,” Jackson said.
Jackson introduced connected-device privacy legislation in early 2017. The much broader terms of that bill would have mandated that manufacturers update owners about security patches and to design their products to alert consumers when their information was being collected.
The legislation drew immediate criticism from the tech industry's trade associations, including Technet and The Internet Association, as a potential roadblock to future product development.
Jackson scaled back her bill to focus on data security. Many tech groups dropped their opposition to the bill, easing its passage through the Legislature. The legislation was still opposed by the Entertainment Software Association and the National Electrical Manufacturers Association.
In a letter to the Senate, the Entertainment Software Association said the legislation wasn't needed. “Existing law already requires manufacturers to implement reasonable privacy protections appropriate to the nature of the information they collect,” the letter said.
The bill was backed by privacy rights organizations and consumer groups, including the Electronic Frontier Foundation and Privacy Rights Clearinghouse.
The new connected-device requirements are slated to take effect at the same time as the California Consumer Privacy Act. That legislation, derived from a would-be ballot initiative, requires companies to tell customers what information they gather about them and who they share it with. It also forces companies to delete that information upon a consumer's request.
Tech companies and their trade associations are expected to launch a major lobbying campaign in the next legislative sessions to weaken those provisions.
Read more:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllAs AI-Generated Fraud Rises, Financial Companies Face a Long Cybersecurity Battle
AI Adoption, Data Center Building Boom Opening More Doors for Cybercriminals, Many of Them Teenagers
Less Is More: The Risks of Excessive Data Collection from Mobile Devices
6 minute readTrending Stories
- 1The Crypto Guys Seem to Like Paul Atkins as a New SEC Commissioner, but Will He Be Good for the Securities Industry?
- 2Lawsuits, AI Accuracy and Debt: Legal Tech Companies that Ran Into Trouble in 2024
- 3Preemptive Litigation: A Potential Approach for a Precise Situation
- 4Paxton's 2024 Agenda: Immigration, Climate, Transgender Issues, Social Media, Abortion, Elections
- 5Let’s Hear It One Last Time!: One More Bow for 2024’s Litigators of the Week
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250