The new California Consumer Privacy Act is not the only California privacy law that companies will have to prepare for in 2019. Beginning on January 1, 2020, California will also require a manufacturer of a “connected device” (i.e., an IoT device) to equip that device with reasonable security features.

Until now, states had not specifically regulated Internet of Things (“IoT”) manufacturers and their data security practices related to the device. Instead, California (among other states) generally requires businesses to dispose of records containing personal information when records are no longer needed and to implement and maintain reasonable security procedures to protect such records from unauthorized access and use.

Under this new law, manufacturers will need to design appropriate security features to help protect the device and information from unauthorized access, destruction, modification, disclosure and use. The California law is a de facto national standard for IoT manufacturers that offer their IoT devices for sale in California.

What is a “connected device”?

The law specifically regulates “connected devices” which means “any device or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

Who is a “manufacturer”?

A manufacturer is an entity that manufacturers (or contracts with an entity to manufacture on its behalf) connected devices sold or offered for sale in California. It does not include contracts with third parties only to purchase a connected device or to only purchase and brand a connected device.

What are “reasonable security features?”

Manufacturers of connected devices must equip the device with reasonable security features that are all of the following:

• Appropriate to the nature and function of the device;

• Appropriate to the information it may collect, contain or transmit; and

• Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.

The law does not mandate specific requirements of what a “reasonable security feature” must look like; however, the following two options are explicitly deemed “reasonable security features”:

• Preprogrammed passwords that are unique to each device manufactured or

• Devices containing security features that require the user to generate a new means of authentication before access is granted to the device for the first time.