United States: Connecting The Dots Between Security Practices And Legal Obligations: California's Connected Devices Bill

Turning on the lights, hearing the weather forecast, learning fun facts, and playing your favorite song in the kitchen are simple when one can give short voice commands to a personal assistant device that is connected to the internet and to other devices in your home. Connected devices are increasingly being used in the home, not just for everyday tasks, but for babysitting children, securing the home, tracking fitness, and acting as marital aids. There are even connected devices marketed for use in the office or while traveling. It's almost unavoidable to encounter a device that cannot connect to the internet, a smartphone, or other devices. However, as we have reported previously, these devices can present serious privacy and security issues.

In light of these privacy and security issues, U.S. and international regulators alike have published guidance with the goal of standardizing internet of things ("IoT") device privacy and security. Mandatory regulations, however, are lacking, leaving companies to rely on best practices to minimize privacy and security risks.

California, though, in its usual trend to be a first mover in regulating new technology, has had an information privacy connected devices bill in the works since Feb. 13, 2017. In March 2017, we identified the bill and privacy concerns the state and regulators may be considering when it comes to connected devices. Less than a year later, in January 2018, the bill moved from the state's Senate to being considered in the state's Assembly. It has been read once and is currently being "held at desk" in the Assembly, waiting to be referred to a committee.

After being introduced, the bill was transformed substantially, with several of its proposed requirements for connected devices stripped entirely before it entered the Assembly. The bill at one point had both privacy and security related requirements, but now largely calls for security obligations.

Despite these changes, California seems to be attempting to further develop IoT privacy and security standards. The bill does not seem to be inconsistent with standard-making efforts, as it sets a reasonableness standard, and such standards have been historically determined by reference to industry standards and best practices.

As it stands, the bill applies to manufacturers that "sell or offer to sell a connected device to a consumer" in California. Connected device is defined as a "device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device." The bill obligates manufacturers to "equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."

This obligation may seem to cover security broadly, but the hook is the standard of "reasonable[ness]," the same standard the Federal Trade Commission (FTC) applies to data security generally. The bill would not obligate manufacturers to seek out the highest level of security measures on the market, but rather creates a floor of at least the most "basic security standards," according to the latest Senate Floor Analyses. It seems that the purpose of the bill is not so much to force companies to heighten their levels of security, but rather to ensure that IoT devices have some sort of security in place, such as basic encryption, as soon as they hit the market.

It is important to note that the bill defines "consumer" as a "person who purchases or obtains a connected device for personal or household use." It is unclear whether this would include companies that purchase connected products for their employees for work (rather than personal) use. It is also unclear whether the inclusion of the description of "obtaining" a device and possibly differentiating it from the action of "purchasing" is purposeful. For example, this inclusion may place liability on manufacturers to ensure that security measures are in place that would prevent initial purchasers from customizing the device in a way that may suit their personal needs but would lower the security in some way, before giving it or donating it to someone else once their use of the device runs its course. Perhaps an adult purchases a connected toy for personal use, recodes or tinkers with it in some way to make it do things it was not originally programmed to do, subsequently lowers its security measures via the tinkering (deliberately or accidentally), and gives it to a child as a gift. Under the current language of the bill, there may be some obligation on manufacturers to ensure that such tinkering cannot happen. This may clash with the needs of the hacker and tinkering community, which sometimes includes a company's most devoted users, customers, and followers.

The bill does state, "This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion." Although this makes it clear that a manufacturer is not obligated to bar a user's tinkering, read with the previous language, it also does not assure that companies do not have the obligation to at least ensure that such modifications to a device do not lead to a dilution of security measures.

That being said, the bill also carves out specific wiggle room for manufacturers. The bill states, "This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device." This may not put companies at ease that they are not required to prevent tinkering, but it certainly allows companies to not worry about compliance with the law if changes by a consumer are made by applying third-party software.

Another interesting carveout is the following:

A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.

There is a market for connected devices to be used in the context of collecting and processing of health data. This includes connected toys being used in hospitals to calm children who may be going through health procedures. This carveout is perhaps the outcome of the desire to not have clashing security obligations, especially considering that HIPAA already contains stringent security requirements.

The law also states:

This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.

What companies may also want to take note of is the evolution of the bill itself. As previously mentioned, the bill has undergone several changes, and used to include several privacy obligations and other definitions that were then stricken.

Some strikes make sense in the context of current privacy and security legal trends.

Legislators recently struck the following: "'Connected device' shall not include a motor vehicle as defined in Section 415 of the Vehicle Code." This may make sense, as legislators realized that the purpose of the law was to instill basic security measures in the connected device market. Considering that vehicles can connect to phones and other devices, it seems odd to explicitly exclude them as a device. Vehicle manufacturers should note the difference between a connected car and an autonomous car. A connected car may allow users to connect a phone to its speakers to stream songs for a road trip, but an autonomous car may provide that ability as well as the ability to self-drive and self-navigate to the user's destination point. An autonomous vehicle is likely a connected vehicle, but a connected vehicle is not necessarily autonomous. This difference is important to understand in light of recent regulations passed in California. The California Department of Motor Vehicles recently adopted, on Feb. 26, 2018, regulations that specifically govern the testing and deployment of autonomous vehicles, including standards of privacy and security. While these regulations cover autonomous vehicles, the only legislation in consideration in California that may cover nonautonomous connected vehicles is the very bill discussed here. Therefore, the decision not to exclude vehicles from this bill is of note, considering that other legislation and regulations about the security of vehicles are focused specifically on autonomous vehicles.

Legislators also struck a definition of "deidentified information" as well as a short provision on an exclusion of deidentified information from the law. This may be because there is too much contention in technical and legal communities over whether deidentification of personal information is even possible. The idea is that deidentifying personal information would strip the information in a way that would effectively prevent reidentification to occur. In privacy and security circles there are groups that argue that there will always be technical ways to render reidentification, no matter how complicated the deidentification process.

The provision may also have been struck because if it had been included, this bill would have broadened the current scope of the application of deidentified data. Currently, the Health Insurance Portability and Accountability Act ("HIPAA") is the only U.S. privacy-centric regulation that mentions the term. HIPAA, however, applies only to health data and also explicitly provides strict approaches as to how organizations using deidentification measures can avoid liability under the regulation. Should the deidentification provision remain in this connected device bill, deidentification could be applied in contexts beyond health data. The inclusion of the provision may even have led to a dilution of what proper deidentification measures entail, as California legislators had yet to add in a provision explicitly explaining how appropriate deidentification may occur, which contrasts with HIPAA's strict and narrow approach, and the approach of Europeans on the issue.

Additionally, legislators may have struck this provision to further tailor the bill to focus on security rather than privacy. As discussed below, certain provisions that would have protected consumers' privacy were also struck. Deidentification is related more to privacy of data than to security of such data, since deidentification is a method of stripping certain aspects of data in order to protect the identity of a person, rather than to protect the data from being misused. By striking the provision on deidentification, the California legislators may have been opting for a more security-centric bill.

Indeed, probably the most notable provisions of the bill concerned privacy transparency, which is now totally absent. The bill used to state that manufacturers "shall provide notice through the use of words or icons on the device's packaging, or on the product's, or on the manufacturer's Internet Web site, of all of the following:

  1. Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which type or types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.
  2. The process by which a connected device collects the information specified in subdivision (a), as well as the frequency of collection and what types of interactions with the device may trigger collection.
  3. If and how the consumer can obtain information about security patches and feature updates for the connected device."

IoT manufacturers should closely watch the bill to see if this or other privacy notice requirements find a way back into the bill as it progresses.

Overall, the California bill on IoT devices, as currently written, does not do much more than the obligation security standards that the FTC already applies under Section 5 of the FTC Act. It raises interesting questions, such as what it may change for manufacturers due to its definition of "consumer," and the bill does not expressly describe what it considers as "reasonable security features."

These questions may become clear with time, but what is clear now is that this bill, if passed, will provide consumers another outlet, beyond relying on FTC enforcement, for protecting their security. The bill states that existing law "authorizes a customer injured by a violation of [the bill's] provisions to institute a civil action to recover damages." As the bill will be added to "Part 4 of Division 3 of the Civil Code, relating to information privacy," the bill is likely referring to potential civil actions outlined in Division 4 of California's Civil Code. Division 3 creates obligations, or legal duties, that must be followed in California, while Division 4 (sections 3274-3428) describe what relief may be sought in the event of a breach of obligation. The relief ranges from compensatory relief to specific and preventive relief.

Additionally, despite certain privacy obligations being stricken from the bill, companies should still consider the benefits of employing privacy by design, following the Fair Information Practice Principles, and consider the FTC's general guidance on IoT devices and comments on draft guidance regarding communicating upgradability, security patches, and transparency.

Companies should also consider the evolving efforts to develop international standards, such as guidance published by the IoT Security Foundation from the United Kingdom, security best practices published by the Institute of Electrical and Electronics Engineers, a global nonprofit, and the National Institute of Standards and Technology's current draft of its Interagency Report on international cybersecurity IoT standardization. With the General Data Protection Regulation ("GDPR") becoming effective on May 25, 2018, companies with ties to Europe should also look to what European Data Protection Supervisors have discussed regarding IoT devices in each European member state.

While such best practices should be followed, maintaining such practices may not be feasible. For example, if a company decides to retire IoT device manufacturing and move into a different industry area, such as solely developing software, it would find difficulty in doing so if it were required to keep its IoT business running. Whether companies should be required to maintain data security indefinitely is an interesting policy question that legislators may consider in the future.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Sheppard Mullin Richter & Hampton
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Sheppard Mullin Richter & Hampton
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Sign Up
Gain free access to lawyers expertise from more than 250 countries.
Email Address
Company Name
Confirm Password
Mondaq Newsalert
Select Topics
Select Regions
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions