Foundry Law Group Blog

IoT Privacy and Data Security – Impact of New CA Laws

IoT (or Internet of Things) has seen a boom in the past several years. Connected devices such as Alexa or Siri are well known, but many more products feature connected functionality. In general, IoT has been far less understood and far less regulated from a privacy and data security standpoint. This year California has passed laws affecting connected devices.


IoT Law – Two New California Privacy and Data Security Laws


The new laws concerning IoT comes generally under two new pieces of legislation, the Security of Connected Devices Act and the California Consumer Privacy Act of 2018.


Security of Connected Devices


Signed into law September 28, 2018, the so-called Security of Connected Devices SB-327 seeks to require manufacturers of connected devices to incorporate certain security features. The law, which goes into effect January 1, 2020, sets forth what might be considered a baseline of security features.

The law requires manufacturers to equip devices with reasonable security features or features that are related to the functionality of the device. This includes the information the device collects, contains, or transmits.  The device must protect information contained on the device from unauthorized access, destruction, use, modification, or disclosure.

Further, if the device authenticates outside of a local network, it must feature a preprogrammed unique password and require a new means of authentication after first use.


California Consumer Privacy Act of 2018


In addition to Security of Connected Devices law, the CA Consumer Privacy Act of 2018 creates additional compliance obligations. While a larger topic of conversation, companies selling connected devices must also comply with additional requirements placed on those who collect personal information on users.


Why New Laws Now?


Cloud service providers such as AWS, Azure, and Bluemix all feature out-of-the-box solutions for developing and deploying IoT devices. Coupled with a variety of natural language processing tools, the barriers to entry for new devices is lower than it’s ever been.  There are currently around 26 billion connected devices worldwide and there is to be an expected 75 billion by 2025.

IoT enables an exciting world of smart gardens, self-cooking food, and endlessly personalized experiences. CA lawmakers have sought to provide a baseline of privacy and data security to establish guardrails in future development. The laws may provide a model for other states or the federal government coming to terms connected devices.


Understanding the Needs of IoT Companies


Foundry Law Group understands both the excitement and the complexity of launching an IoT company. If you have an IoT company or are considering a new venture, please contact us now to schedule a consultation. For additional reading, I’ve been featured speaking about the new IoT laws in Hewlett Packard Enterprise’s enterprise.nxt.



Leave a Reply