New mobile phones, refrigerators, children’s toys and a range of other Internet-connected consumer products sold in California will have to contain “reasonable security features” starting in 2020, under legislation signed Friday by Gov. Jerry Brown.
Senate Bill 327 and Assembly Bill 1906 do not dictate specific steps manufacturers must take to block hackers or shield owners’ personal information. Instead, the legislation says protections should be “appropriate to the nature and function of the device” and “appropriate to the information it may collect, contain, or transmit.”
The new law, which the authors say is the first in the nation, contains no private right of action and leaves enforcement in the hands of the attorney general, city and county counsel and district attorneys. There are no mandated penalties.
“The lack of basic security features on internet connected devices undermines the privacy and security of California’s consumers, and allows hackers to turn everyday consumer electronics against us,” said Sen. Hannah-Beth Jackson, D-Santa Barbara, who authored the Senate bill. The Assembly bill, nearly identical, was enacted simultaneously.
The legislation “ensures that technology serves the people of California, and that security is not an afterthought but rather a key component of the design process,” Jackson said.
Jackson introduced connected-device privacy legislation in early 2017. The much broader terms of that bill would have mandated that manufacturers update owners about security patches and design their products to alert consumers when their information was being collected.
The legislation drew immediate criticism from the tech industry’s trade associations, including Technet and The Internet Association, as a potential roadblock to future product development.
Jackson scaled back her bill to focus on data security. Many tech groups dropped their opposition to the bill, easing its passage through the Legislature. The legislation was still opposed by the Entertainment Software Association and the National Electrical Manufacturers Association.
In a letter to the Senate, the Entertainment Software Association said the legislation wasn’t needed. “Existing law already requires manufacturers to implement reasonable privacy protections appropriate to the nature of the information they collect,” the letter said.
The bill was backed by privacy rights organizations and consumer groups, including the Electronic Frontier Foundation and Privacy Rights Clearinghouse.
The new connected-device requirements are slated to take effect at the same time as the California Consumer Privacy Act. That legislation, derived from a would-be ballot initiative, requires companies to tell customers what information they gather about them and who they share it with. It also forces companies to delete that information upon a consumer’s request.
Tech companies and their trade associations are expected to launch a major lobbying campaign in the next legislative sessions to weaken those provisions.