August 13, 2020

Volume X, Number 226

California Bill Poised to Change Regime Governing the Internet of Things

A bill pending in the California legislature, if passed, would create new obligations for manufacturers of “connected devices.” S.B. 327 (also known as the “Teddy Bear and Toaster Act”) would operate somewhat differently than existing laws, such as the California Online Privacy Protection Act (“CalOPPA”).

Security obligations. Manufacturers of connected devices that sell those devices in California would be required to equip the device with “reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

Notice obligations. Connected devices would be required to provide notice about information the device is capable of collecting “through the use of words or icons on the device’s packaging, or on the product’s, or on the manufacturer’s Internet Web site.” The notice itself would describe whether the device is capable of collecting certain information (compared to CalOPPA, which requires notice of what personally identifiable information the operator “collects”). It also would describe the process for collecting that information, the frequency of the collection, and if and how the consumer can obtain information about security patches and feature updates. The notice requirement contrasts with a prior version of the bill, which would have required devices to indicate “through visual, auditory, or other means” when they are collecting information.

Consent obligations. Manufacturers that sell connected devices to California consumers would be required to “obtain consumer consent” before collecting or transmitting “information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.” The bill does not specify whether this consent is opt-in or opt-out consent, but it does note that the consent shall remain in effect until the consumer revokes it.

Exceptions. The bill seems to exempt from consent requirements manufacturers’ collection or use of “deidentified information” collected from a connected device for certain purposes, such as developing, diagnosing, or improving the device, among others. Notably, “deidentified information” is defined as information that does not contain “any link or connection to the consumer or user of the device.” And, in order for information to be deidentified, the bill sets forth a three-part test that must be satisfied, including among other things that deidentification procedures occur locally on the device.

The bill’s author, Senator Hannah-Beth Jackson, tabled the bill until the next legislative year. Thus, as a so-called “two-year bill,” consideration and debate will resume in January 2018.

© 2020 Covington & Burling LLP

National Law Review, Volume VII, Number 215


About this Author

Theodore J. Karch, Covington, intellectual property attorney

Ted Karch advises clients in a range of industries on the legal and reputational risks inherent in today’s data-driven world. His practice involves advising on US federal and state data privacy and cybersecurity laws as well as international privacy rules, including the EU General Data Protection Regulation (GDPR) and China’s Cybersecurity Law.

Mr. Karch helps clients navigate issues that arise in developing and launching innovative products. He has advised clients on practical solutions for approaching issues implicated by laws involving biometric data, online...