Californian Legislation and IoT

This entry was posted on Friday, September 7th, 2018.

Two identical bills, to be signed by Governor of California Jerry Brown (D), provide that internet-connected devices sold in California, such as thermostats, televisions, and security cameras, would need reasonable security features by January 2020.

The two identical bills would apply to devices that can connect directly or indirectly to the internet and are assigned internet protocol or Bluetooth addresses. Smart home devices, such as Amazon Echo, Google Home, and Apple HomePod, would come under the bills’ provisions. The proposals come amidst a rise in privacy and security concerns about Internet of Things (IoT) devices, particularly concerns about data collection from users.

The bills are purposefully vague about what “reasonable security features” refers to in particular, according to California State Senator Hannah-Beth Jackson (D), who authored one of the bills, S.B. 327. It is up to the manufacturers to decide what steps to take. Another bill, A.B. 1906, authored by Jacqui Irwin (D), is identical to S.B. 327, and both will be sent to Governor Brown’s desk to be signed or vetoed by September 30th, 2018. At present, Governor Brown has yet to take a position on the bills.

The responsibility for reasonable security for the devices would be on manufacturers, or those who contract with manufacturers, who make those kinds of devices offered for sale in California. Exempt from the bill are medical devices and other items subject to standards.

Manufacturers argue that the purposefully vague nature of the bills would be fodder for litigation, leaving no private right of action. They also contend that the bills do not apply to companies that import and resell connected devices made in other countries under their own labels, potentially opening up a loophole for companies to bypass the law by simply importing other devices.

Opposed to the bills are the Custom Electronic Design and Installation Association, Entertainment Software Association, and National Election Electrical Manufacturers Association. The bills are sponsored by Common Sense Kids Action and have support from the Consumer Federation of America, Electronic Frontier Foundation and Privacy Rights Clearinghouse, to name a few.

The Bottom Line

State Senator Jackson’s S.B. 327 and Assemblywoman Irwin’s A.B. 1906 have both passed the California State Senate and State Assembly, respectively, and are on Governor Brown’s desk awaiting a signature or a veto by the end of September 2018. Both bills, identical in language, call for IoT device manufacturers to provide “reasonable security measures” on their devices. However, the purposefully vague language of both bills has raised the concern that companies might be open to litigation through interpretation of such vague language, not to mention the loopholes that companies importing devices from other countries could take advantage of.