California Passes Bill Requiring Reasonable Security Features for Connected Devices
Yesterday, the California legislature passed SB-327, a bill intended to regulate the security of internet-connected devices. Unlike the California Consumer Privacy Act (CCPA), SB-327 is significantly more narrow. As enacted, the bill is a “lighter” version of what was first introduced and amended in 2017 (which, at that time, would have included certain disclosure and consent requirements for connected devices).
At its core, SB-327 requires connected devices to be equipped with “reasonable security features” that are:
- appropriate to the nature and function of the device;
- appropriate to the information it may collect, contain, or transmit; and
- designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
The term “connected device” is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Pretty much every device connected to the Internet is assigned either an IP address or Bluetooth address when it is connected. This can include, for example, anything from computers, tablets, and mobile devices, to smart watches, smart home hubs, or app-controlled toys.
The bill does not provide a private right of action. Only the Attorney General, a city attorney, a county counsel, or a district attorney can enforce the law, and the bill does not address (either directly or by implication) any specific penalties or remedies that may be sought by these entities. However, it’s possible that we see the requirement to implement reasonable security measures asserted as a basis for a legal duty in conjunction with other claims (either by the AG or consumers).
The bill was ordered to engrossing and enrolling. If signed by Governor Brown, the law would become effective on January 1, 2020 (same day as the CCPA).