October 5, 2018
California continues to lead the United States in focusing attention on privacy and security of user data and devices. Last week, Governor Jerry Brown signed into law two identical bills requiring manufacturers to include “reasonable security feature[s]” on all devices which are “capable of connecting to the Internet” (commonly known as the Internet of Things). The law is described as the first of its kind in the United States, and comes just three months after passage of the California Consumer Privacy Act of 2018 (“CCPA”); both laws are set to take effect January 1, 2020. Collectively, these laws represent a dramatic expansion of data privacy law that will impact the products and processes of many companies.
Also last week, Governor Brown signed into law Senate Bill 1121, which implemented amendments to the CCPA relating primarily to enforcement of the provisions, and clarification of exemptions relating to medical information.
The new law is aimed at protecting “connected devices” from unauthorized access, and requires “reasonable security feature[s]” proportional to the device’s “nature and function” and the “information it may collect, contain, or transmit.” There are various notable exclusions, particularly where the devices are covered by certain other laws, or when a company merely purchases devices for resale (or for branding and resale) in California. Nonetheless, the law is unique in that it may require security for Internet-connected products regardless of the type of information or data at issue—a contrast to the CCPA and other data privacy and security laws.
Anyone “who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California” is subject to the statute. However, the law includes an explicit carve-out that “contract[ing] with another person to manufacture on the person’s behalf” does not include a “contract only to purchase a connected device, or only to purchase and brand a connected device.” Thus, if a company is merely purchasing whole units, and reselling, or even branding and reselling—effectively without the ability to indicate specifications for the device—it will likely not be subject to the new law.
The law applies to manufacturers of “connected devices.” A “connected device” is defined as “capable of connecting to the Internet . . . and . . . assigned an Internet Protocol address or Bluetooth address.” The number of products falling into this category is increasing at a remarkable rate, and the products span a multitude of applications, from consumer products (such as smart home features, including automatic lights or thermostats controlled remotely), to commercial use cases (such as electronic toll systems and “smart agriculture”).
The law requires that such manufacturers “equip the device with a reasonable security feature or features” that is:
The law does not specify what is “reasonable,” and relies upon the manufacturer to determine what is appropriate to the device. As a result, “reasonable” will likely be further refined through enforcement actions (described below) .
However, the law does provide that a device will satisfy the provisions if it is “equipped with a means for authentication outside a local area network,” and (1) each device is preprogrammed with a unique password, or (2) the user must create a “new means of authentication” (such as a password) before the device may be used. 
Notably, the law excludes certain devices or manufacturers, particularly where they are covered by other existing laws, and makes clear statements of what this law does not do. For example, the law does not apply to:
The law expressly does not provide for a private right of action, and it may only be enforced by the “Attorney General, a city attorney, a county counsel, or a district attorney.” It further does not set forth any criminal penalty, include a maximum civil fine, or specify any other authorized relief. Nonetheless, the authorization of the enumerated entities to enforce it presumably includes the authority for those entities to seek civil fines, as they can under other consumer protection statutes (for example, Section 17206 of the California Business & Professions Code).
If your company sells, or intends to sell, a product in California that connects to the Internet, consider:
Many connected devices on the market today already have authentication and security features, but even those that do may benefit from an evaluation of their sufficiency in preparation for this new law. Because the law may require actual product changes, rather than merely policy changes, addressing these issues early is important. Consultation with legal and information security professionals may be helpful.
As anticipated, the California Legislature has begun to pass amendments to the CCPA, though the current changes are relatively modest. Governor Brown signed the latest amendments to the CCPA on September 23, 2018, which included:
The foregoing amendments may not have been of major significance—they were passed on the last day of the most recent legislative session. The California Legislature is expected to consider more substantive changes to the law when it reconvenes for the 2019 – 2020 session in January 2019, including addressing additional concerns regarding enforcement mechanisms, the law’s broad scope, and the sweeping disclosure obligations.
Companies that may be impacted by the CCPA should continue to monitor legislative and regulatory developments relating to the CCPA, and should begin planning for the implementation of this broad statute.
 The California Consumer Privacy Act was the subject of a detailed analysis in a client alert issued by Gibson Dunn on July 12, 2018. That publication is available here.
The following Gibson Dunn lawyers assisted in the preparation of this client alert: Joshua A. Jessen, Benjamin B. Wagner, and Cassandra L. Gaedt-Sheckter.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work or the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:
Alexander H. Southwell – Co-Chair, New York (+1 212-351-3981, firstname.lastname@example.org)
M. Sean Royall – Dallas (+1 214-698-3256, email@example.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, firstname.lastname@example.org)
Christopher Chorba – Los Angeles (+1 213-229-7396, email@example.com)
Richard H. Cunningham – Denver (+1 303-298-5752, firstname.lastname@example.org)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, email@example.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, firstname.lastname@example.org)
Kristin A. Linsley – San Francisco (+1 415-393-8395, email@example.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, firstname.lastname@example.org)
Shaalu Mehra – Palo Alto (+1 650-849-5282, email@example.com)
Karl G. Nelson – Dallas (+1 214-698-3203, firstname.lastname@example.org)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, email@example.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, firstname.lastname@example.org)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, email@example.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, firstname.lastname@example.org)
Ahmed Baladi – Co-Chair, Paris (+33 (0)1 56 43 13 00, email@example.com)
James A. Cox – London (+44 (0)207071 4250, firstname.lastname@example.org)
Patrick Doris – London (+44 (0)20 7071 4276, email@example.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
Penny Madden – London (+44 (0)20 7071 4226, email@example.com)
Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
Michael Walther – Munich (+49 89 189 33-180, email@example.com)
Nicolas Autet – Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
Kai Gesing – Munich (+49 89 189 33-180, email@example.com)
Sarah Wazen – London (+44 (0)20 7071 4203, firstname.lastname@example.org)
Alejandro Guerrero – Brussels (+32 2 554 7218, email@example.com)
© 2018 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.