California is pressing forward with Internet of Things (IoT) legislation intended to help protect consumer privacy and safety from potential hacking of connected devices (that is, devices capable of connecting to the Internet). The legislation requires manufacturers of connected devices to equip those devices with reasonable security features appropriate to the nature of the device. The goal of the legislation is to protect consumers, but remain sufficiently flexible to accommodate disparate products and industries. Manufacturers that do not comply will face investigation and possible fines by California regulators.
Over the past several years, manufacturers have introduced connected versions of previously standalone devices such as thermostats, baby monitors, connected cars, smart watches, smart televisions, and fitness bands. Connecting a device to the Internet enables benefits such as better or more responsive service, real-time information, and increased consumer control.
However, in addition to these advantages, these devices’ direct connection to the Internet also exposes them to a wide variety of cyberattacks and may permit the compromise of potentially sensitive information stored on them. As the California Senate Floor Analysis explained in discussing the proposed legislation, connected devices collect “immense amount of private information . . . vulnerable to breaches” and may allow strangers to “conduct surreptitious surveillance on homes or to communicate through devices directly.”1 Data security issues, such as cyberattacks or reliability concerns, may also interfere with the functioning of a device, which may have harmful consequences where the device manages a critical process, such as the operation of a vehicle.2