California Bill Poised to Change Regime Governing the Internet of Things
A bill pending in the California legislature, if passed, would create new obligations for manufacturers of “connected devices.” S.B. 327 (also known as the “Teddy Bear and Toaster Act”) would operate somewhat differently than existing laws, such as the California Online Privacy Protection Act (“CalOPPA”).
Security obligations. Manufacturers of connected devices that sell those devices in California would be required to equip the device with “reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
Notice obligations. Connected devices would be required to provide notice about information the device is capable of collecting “through the use of words or icons on the device’s packaging, or on the product’s, or on the manufacturer’s Internet Web site.” The notice itself would describe whether the device is capable of collectingcertain information (compared to CalOPPA, which requires notice of what personally identifiable information the operator “collects”). It also would describe the process for collecting that information, the frequency of the collection, and if and how the consumer can obtain information about security patches and feature updates. The notice requirement contrasts with a prior version of the bill, which would have required devices to indicate “through visual, auditory, or other means” when they are collecting information.
Consent obligations. Manufacturers that sell connected devices to California consumers would be required to “obtain consumer consent” before collecting or transmitting “information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.” The bill does not specify whether this consent is opt-in or opt-out consent, but it does note that the consent shall remain in effect until the consumer revokes it.
Exceptions. The bill seems to exempt from consent requirements manufacturers’ collection or use of “deidentified information” collected from a connected device for certain purposes, such as developing, diagnosing, or improving the device, among others. Notably, “deidentified information” is defined as information that does not contain “any link or connection to the consumer or user of the device.” And, in order for information to be deidentified, the bill sets forth a three-part test that must be satisfied, including among other things that deidentification procedures occur locally on the device.
The bill’s author, Senator Hannah-Beth Jackson, tabled the bill until the next legislative year. Thus, as a so-called “two-year bill,” consideration and debate will resume in January 2018.