California Enacts Anti-Bot and IoT Laws
On September 28, 2018, the Governor of California signed S.B. 1001 into law. In the absence of a clear and conspicuous disclosure, the legislation makes it unlawful "for any person to use a bot to communicate or interact with another person in California online, with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election."
A "bot" is statutorily defined as "an automated online account where all or substantially all of the actions or posts of that account are not the result of a person." An "online platform" is defined as "any public-facing Internet Web site, Web application, or digital application, including a social network or publication, that has 10,000,000 or more unique monthly United States visitors or users for a majority of months during the preceding 12 months." A duty is not imposed on service providers of online platforms, including, but not limited to, Web hosting and Internet service providers.
The law takes effect until July 1, 2019. It will be enforced by the California attorney general and perhaps private plaintiffs via the state’s unfair competition law.
Also on September 28, Governor Brown approved California Senate Bill 327, making California the first state in the nation to regulate the security of the Internet of Things devices. The law primarily focuses upon security features of IoT devices. It requires the manufacturer to ensure that “reasonable” and appropriate security features are utilized, including remediating existing vulnerabilities.
The law applies to manufacturers of connected devices sold or offered for sale in California, or entities that contract with others to manufacture products on their behalf. Exemptions include, without limitation, third-party software or applications that consumers may add to connected devices, and businesses already regulated by the Health Insurance Portability and Accountability Act of 1996.
The IoT law takes effect on January 1, 2020. It with be enforced California attorney general and district attorneys.