New California IoT Law Requires Security for Connected Devices

10/01/2018
Client Alert

When Governor Jerry Brown signed Assembly Bill 1906 and Senate Bill 327 into law on Friday, September 28, 2018, California took major strides toward regulating the Internet of Things, the network of internet-connected devices that includes everything from televisions and cars to refrigerators, fitness trackers, and baby monitors.[1]  As of January 1, 2020, “reasonable security feature[s]” must be included in all “connected devices” sold or offered for sale in California, specifically those devices capable of connecting directly or indirectly to the internet and that have an IP or Bluetooth address.[2]

What the new law requires

The legislation focuses in particular on user authentication, requiring the manufacturer of a connected device to equip the device with reasonable measures “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”[3]  Notably, this requirement is not limited to devices that collect personal information; in fact, the legislation makes no reference to the concept of personal information. For devices “equipped with a means for authentication outside a local area network,” the law provides that either of the following will be deemed a reasonable security feature: the preprogrammed password is unique to each device manufactured, or the device contains a security feature that requires a user to create a new means of authentication before access is first granted.[4] Beyond this, the legislation gives no guidance to manufacturers in determining what security measures will be considered “reasonable.”
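As an added illustration (not part of the original alert, and not code from any device vendor), the following Python sketch models the two safe harbours just described, a preprogrammed password unique to each unit and a forced credential setup before first access, beside the shared-default practice they are meant to replace. The device records, serial numbers, default-credential list, PBKDF2 work factor, the rule that initial setup is accepted only from the local network, and the `is_lan_peer` heuristic are all assumptions of the example, not requirements of the statute.

```python
"""Added example, not from the original alert or any vendor's firmware: a
minimal model of the two authentication safe harbours in Cal. Civ. Code
1798.91.04(b): (b)(1) a preprogrammed password unique to each unit, and
(b)(2) the user must create a credential before first access, shown beside
the shared-default practice they replace. Serials, the default-credential
list and the policy choices below are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed list of shared factory credentials that must never ship.
KNOWN_SHARED_DEFAULTS = ("admin", "password", "12345", "")

# Illustrative PBKDF2 work factor; tune for the device's CPU in practice.
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def is_lan_peer(peer_ip: str) -> bool:
    """Heuristic assumed by this example: private, link-local and loopback
    sources count as 'inside the local area network'. Note that Python also
    treats the RFC 5737 documentation ranges (e.g. 203.0.113.0/24) as private."""
    addr = ipaddress.ip_address(peer_ip)
    return addr.is_private or addr.is_link_local or addr.is_loopback


class Device:
    """Credential state for one unit. 'shared_default' is the non-compliant
    baseline; 'unique_default' and 'first_use_setup' model (b)(1) and (b)(2)."""

    def __init__(self, serial: str, mode: str):
        if mode not in ("shared_default", "unique_default", "first_use_setup"):
            raise ValueError(f"unknown mode {mode!r}")
        self.serial = serial
        self.mode = mode
        self.salt = secrets.token_bytes(16)
        self.pw_hash = None            # no usable credential until one is set
        self.setup_done = False
        self.factory_password = None   # printed on the label once; kept here only for the audit
        if mode == "shared_default":
            self.factory_password = "admin"                     # same on every unit: the problem
        elif mode == "unique_default":
            self.factory_password = secrets.token_urlsafe(12)   # (b)(1): unique per unit
        if self.factory_password is not None:
            self.pw_hash = hash_password(self.factory_password, self.salt)
            self.setup_done = True

    def set_credential(self, new_password: str, peer_ip: str) -> None:
        """(b)(2): the user creates the first credential. Design choice assumed
        here: setup is accepted only from the LAN, and known shared defaults
        or short passwords are rejected."""
        if not is_lan_peer(peer_ip):
            raise PermissionError("initial setup must be performed from the LAN")
        if new_password in KNOWN_SHARED_DEFAULTS or len(new_password) < 8:
            raise ValueError("weak or shared credential rejected")
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(new_password, self.salt)
        self.setup_done = True

    def authenticate(self, password: str) -> bool:
        """Any login, local or remote, is refused until a credential exists."""
        if not self.setup_done or self.pw_hash is None:
            return False
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)


def fleet_audit(devices) -> list:
    """Constructed manufacturer-side check: flag serials whose factory
    credential is a known shared default or is repeated on another unit."""
    flagged, seen = [], set()
    for d in devices:
        if d.factory_password is None:
            continue                    # first-use-setup units ship with no password
        if d.factory_password in KNOWN_SHARED_DEFAULTS or d.factory_password in seen:
            flagged.append(d.serial)
        seen.add(d.factory_password)
    return flagged


if __name__ == "__main__":
    units = [Device("SN-1", "unique_default"), Device("SN-2", "unique_default"),
             Device("SN-3", "first_use_setup"), Device("SN-4", "shared_default"),
             Device("SN-5", "shared_default")]
    print("login with 'admin' on SN-1:", units[0].authenticate("admin"))
    print("login on SN-3 before setup:", units[2].authenticate(""))
    units[2].set_credential("correct horse battery staple", "192.168.1.20")  # LAN source
    print("login on SN-3 after setup:", units[2].authenticate("correct horse battery staple"))
    print("units failing the audit:", fleet_audit(units))
```

The audit is the check a manufacturer would run over a production batch: a unit whose factory credential repeats across the batch, or matches a known default, falls outside both safe harbours regardless of how the rest of the device is secured.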

The legislation does not include a private right of action and can only be enforced by the state attorney general, a city attorney, a county counsel or a district attorney.[5] It does not regulate medical devices, nor does it apply to manufacturers who are already regulated by HIPAA or California’s health privacy law, with respect to any activity regulated by those laws.[6] Connected devices whose functionality is subject to federal security requirements and regulations are also not subject to the new law.[7]

A new direction for data security law

The legislation sets the standard that all connected devices need to include security measures for authentication, not only devices that handle personal information. In this respect, the bills are a significant departure from California’s approach to data security legislation to date, such as California’s general data security law (Cal. Civ. Code § 1798.81.5), which requires reasonable data security measures but only for higher-risk types of personal information covered by California’s security breach notification law. This new legislation requires reasonable security measures regardless of whether a device processes any personal information at all. While the bills may seem narrow on their face, they are a noteworthy new direction for security laws and could be the first of many efforts to shape data security requirements for emerging technologies.[8]


[1] The bills, which are identical, required that the governor sign both pieces of legislation.

[2] Cal. Civil Code §§ 1798.91.04; 1798.91.05(b).

[3] Cal. Civil Code § 1798.91.04(a).

[4] Cal. Civil Code § 1798.91.04(b) (“Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met: (1) The preprogrammed password is unique to each device manufactured. (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”).

[5] Cal. Civil Code § 1798.91.06(e).

[6] Cal. Civil Code § 1798.91.06(h).

[7] Cal. Civ. Code § 1798.91.06.

[8] https://www.law360.com/cybersecurity-privacy/articles/1083079/calif-starts-ball-rolling-with-novel-internet-of-things-law.


©1996-2019 Morrison & Foerster LLP. All rights reserved.