Skip to main content
Top Button

California Governor Signs Country’s First IoT Law

California Governor Signs Country’s First IoT Law
October 2, 2018 by

California legislation introduced in March 2017 has been signed into law by the Governor. Senate Bill 327 (“SB-327”), “Information privacy: connected devices”, will make California the first U.S. state to regulate Internet of Things (“IoT”) devices, even ahead of the federal government.

SB-327 provides security requirements for “connected devices,” defined as “any device that connects directly or indirectly to the internet and has an Internet Protocol address or Bluetooth address.”

Federal law already requires that any device that is capable of emitting radio frequency energy (“RF device”) must be properly authorized by the Office of Engineering and Technology at the Federal Communications Commission (“FCC” or “Commission”) before being marketed or imported in the United States. Under the Communications Act, violators of the FCC Equipment Authorization rules may be subject to significant penalties, which can include monetary fines.

The U.S. government also has several pieces of IoT legislation underway, such as the SMART IoT Act, the DIGIT Act, and the IoT Cybersecurity Improvement Act of 2017; however these provisions only apply to federal government purchasers.

In California, beginning January 1, 2020, manufacturers will be required to equip connected devices with security features that are: reasonable, as defined in the bill; appropriate to the nature and function of the connected device; appropriate to the information the connected device may collect, contain, or transmit; and designed to protect the connected device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.

Although a sign of progress, SB-327 has been criticized for being a “cursory and incomplete definition of security” for not including other measures, such as device attestation and code signing and failing to promote the hardening of IoT devices by removing unnecessary features.

The IoT landscape is rapidly changing. Moving forward, IoT equipment manufacturers, retailers, vendors, and purchasers will need to be cognizant that both state and federal requirements may apply to their devices and ensure the requisite compliance.

Lindsay Miller is an attorney in Ice Miller’s Public Affairs and Government Law Group, with a focus on broadband and technology. Read more about Ice Miller’s Broadband and Telecommunications Industry Group here.

Ice Miller's IoT team brings together lawyers from all disciplines who combine their traditional legal experience with in-depth knowledge about the IoT and how it impacts business. Learn more about our IoT Practice here.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

View Full Site View Mobile Optimized