California in the United States has become the first state to pass a law, The California Consumer Privacy Act (CCPA), regulating the security of connected gadgets that are commonly referred to as the Internet of things (IoT) devices. The law took into effect from January 1, 2020.

The law requires all IoT devices sold in California to be equipped with reasonable security measures. The bill covers all personal information contained in the IoT devices as well. Governor Jerry Brown signed the legislation for the bill in September 2018.

Under the law, a connected device is defined as any device or object that can be connected to the Internet and has an IP address or Bluetooth capability. This definition includes not only consumer devices but industrial IoT devices, those used in the health field and retail point of sale products (condition to their not being covered under other Federal laws).

What is at the heart of The California Consumer Privacy Act (CCPA)?

The act mandates that anyone selling or dealing with the IoT devices needs to follow specific rules to make them safe:

"(1) Appropriate to the nature and function of the device. (2) Appropriate to the information it may collect, contain, or transmit. (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure." 2018 Cal. Legis. Serv. Ch. 886 (S.B. 327) (to be codified at Cal. Civ. Code § 1798.91.04(a)).

California Consumer Act IoT Privacy law

California Consumer Act IoT Privacy law

Another critical point to note is that the law cannot be enforced by private action but needs a government attorney to take action. Only an attorney general, a city attorney, a county counsel, or a district attorney can bring action. The law also does not exclude police and other enforcement agencies from getting information from connected devices.

 Further, all manufacturers of such products are covered under this law irrespective of the fact where the products are made. This will include all out -sourcing of the devices too.

The legislation is not clear on how far third-party sourcing of software will come under its gambit.

So what does reasonable security mean?

It means that the device with security features safeguard any information it may collect or transmit. And it should also be able to protect the device from any unauthorized attempts at taking control of it.

The order also says a password authentication layer should be added for any devices controlled by a non-local IP address.

This law has come into enforcement due to the high number of data breaches witnessed by the state in the last few years. The California Department of Justice (CDOJ) released the California Data Breach Report in 2016 and an analysis of over 657 data breaches reported between 2012 and 2015. It has come up with certain measures to be followed for the prevention of violations. The report lists 20 security compliance measures. It says the criteria set by the National Institute of Standards and Technology should be the standard benchmarks

The legislation clarifies a whole range of equipment under its purview, including Copy machines, Printers Fax machines, VoIP-enabled phones, Televisions, Bluetooth headsets, Cash registers (point-of-sale terminals generally), Handheld barcode readers, Smart thermostats, Keycard readers (for doors)Security cameras, Light bulbs, Environmental control panels, Lab equipment, Medical diagnostic equipment, Warehouse inventory scanners, Refrigerators, Personal fitness monitors, Wristwatches (iWatch), Armbands, Glasses, Connected vehicles.