Client Alert

New California IoT Law Requires Security for Connected Devices

24 Jan 2020

Update: As of January 1, 2020, a new California law requires manufacturers of “connected devices” to include “reasonable security feature[s]” in all such devices sold or offered for sale in California, specifically those devices capable of connecting directly or indirectly to the internet and that have an IP or Bluetooth address.[1] Notably, this law is not limited to consumer devices, nor to devices that collect personal information.


What the new law requires

This “Security of Connected Devices” law focuses in particular on user authentication, requiring the manufacturer of a connected device to equip the device with reasonable measures “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”[2] This requirement is not limited to devices that collect personal information; in fact, the legislation makes no reference to the concept of personal information.

For devices “equipped with a means for authentication outside a local area network,” the law provides that either of the following will be deemed a reasonable security feature: (1) the preprogrammed password is unique to each device manufactured, or (2) the device contains a security feature that requires a user to create a new means of authentication before access is first granted.[3] Beyond this, the legislation gives no guidance to manufacturers in determining what security measures will be considered “reasonable.”
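The two safe-harbor features described above (a preprogrammed password unique to each device, or a gate that forces the user to set a new credential before first access) can be checked and enforced in code. The following is an added example written for this alert, not code from the original page or from any regulator or manufacturer; the provisioning-record layout, serial numbers and the `FirstAccessGate` class are assumed for illustration, and the sample fleet at the bottom is constructed.

```python
"""Fleet check and device-side gate for the two California safe-harbor
authentication features (unique per-device default password, or forced
credential change before first access).

Added example; record format, names and sample data are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import os
import secrets


@dataclass
class DeviceRecord:
    serial: str
    preprogrammed_password: str        # factory default as shipped
    forces_change_on_first_use: bool   # path (2): gate before first access
    credential_hash: Optional[bytes] = field(default=None)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    first_access_done: bool = False


def hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored credential is not the plaintext default.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def provision_unique_default(serial: str) -> DeviceRecord:
    """Manufacturing path (1): a random default that is never shared."""
    return DeviceRecord(serial, secrets.token_urlsafe(12), False)


class FirstAccessGate:
    """Device-side logic for path (2): nothing is accessible until the user
    replaces the preprogrammed credential with one of their own."""

    def __init__(self, device: DeviceRecord):
        self.device = device
        self.device.credential_hash = hash_secret(
            device.preprogrammed_password, device.salt)

    def authenticate(self, presented: str) -> bool:
        d = self.device
        if d.forces_change_on_first_use and not d.first_access_done:
            return False  # only set_new_credential may proceed at this point
        return secrets.compare_digest(hash_secret(presented, d.salt),
                                      d.credential_hash)

    def set_new_credential(self, presented_default: str, new_secret: str) -> bool:
        d = self.device
        if not secrets.compare_digest(hash_secret(presented_default, d.salt),
                                      d.credential_hash):
            return False
        # The replacement must really be new, not the default re-entered.
        if new_secret == presented_default or len(new_secret) < 8:
            return False
        d.salt = os.urandom(16)
        d.credential_hash = hash_secret(new_secret, d.salt)
        d.first_access_done = True
        return True


def safe_harbor_gaps(fleet: list) -> list:
    """Serials of devices in this batch that meet neither (1) nor (2):
    their default is shared with another device and no first-use gate."""
    counts = Counter(d.preprogrammed_password for d in fleet)
    return [d.serial for d in fleet
            if counts[d.preprogrammed_password] > 1
            and not d.forces_change_on_first_use]


if __name__ == "__main__":
    # Constructed sample fleet: two shared-default devices without a gate,
    # one shared-default device with a gate, one unique-default device.
    fleet = [DeviceRecord("SN-0001", "admin", False),
             DeviceRecord("SN-0002", "admin", False),
             DeviceRecord("SN-0003", "admin", True),
             provision_unique_default("SN-0004")]
    print("non-compliant:", safe_harbor_gaps(fleet))
    gate = FirstAccessGate(fleet[2])
    print("login with default before change:", gate.authenticate("admin"))
    print("credential replaced:", gate.set_new_credential("admin", "correct-horse-9"))
    print("login with new credential:", gate.authenticate("correct-horse-9"))
```

The fleet check only sees the batch it is given, so a default reused across production runs will not be caught unless the provisioning records for all runs are checked together.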

The law does not include a private right of action and can only be enforced by the state attorney general, a county counsel or a district attorney.[4] It does not regulate medical devices, nor does it apply to manufacturers who are already regulated by HIPAA or California’s health privacy law, with respect to any activity regulated by those laws.[5] Connected devices whose functionality is subject to federal security requirements and regulations are also not subject to the new law.[6]

A new direction for data security law

California’s new IoT data security law sets the standard that all connected devices need to include security measures for authentication, not only devices that handle personal information. In this respect, this law is a significant departure from California’s approach to data security legislation to date, such as California’s general data security law (Cal. Civ. Code § 1798.71.5), which requires reasonable data security measures but only for higher-risk types of personal information covered by California’s security breach notification law. This new law requires reasonable security measures regardless of whether a device processes any personal information at all. While the law may seem narrow on its face, it is a noteworthy new direction for security laws and could be the first of many efforts to shape data security requirements for emerging technologies. Indeed, Oregon has adopted a similar law[7] and this may become an area of legislative interest in other states as well.

[1] “Security of Connected Devices,” Cal. Civil Code §§ 1798.91.04-1798.91.05(b).

[2] Cal. Civil Code § 1798.91.04(a).

[3] Cal. Civil Code § 1798.91.04(b) (“Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met: (1) The preprogrammed password is unique to each device manufactured. (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”).

[4] Cal. Civil Code § 1798.91.04(e).

[5] Cal. Civil Code § 1798.91.04(h).

[6] Cal. Civ. Code § 1798.91.06.

[7] ORS § 646.607. Unlike the California law, the Oregon law is limited to devices that are used primarily for personal, family, or household purposes.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.