California Signs the First IoT Security Bill into Law, and the FTC Submits Comments to the Consumer Product Safety Commission Regarding the IoT
California’s New IoT Law
On September 28, 2018, California Governor Jerry Brown signed into law a cybersecurity bill governing Internet of Things (IoT) devices, the first law of its kind in the nation. SB 327 requires manufacturers of internet-connected, or “smart” devices, to ensure the devices have “reasonable” security features by January 1, 2020.
The law applies to any “device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This definition is broad and includes not only smart TVs, smart speakers, and other smart home devices, but also computers (laptops and desktops), connected cars, smartphones, smartwatches, and many other modern electronics.
The law does not contemplate further rulemaking, and it is unclear whether revisions to the law will be sought.
Continue Reading Key Developments in Internet of Things Law
The expanding use of mobile technologies, cloud computing, and the Internet of Things has greatly increased the amount of available consumer data. The ability to efficiently process this information has the potential to provide countless consumer benefits. Nevertheless, companies must navigate an ever-expanding patchwork of domestic and foreign laws and uncertainty regarding the application of existing laws to new technologies. In addition, although regulators have commended the advancement and development of new consumer lending technologies, they also have warned that these new tools “carry the risk of disparate impact in credit outcomes and the potential for fair lending violations[.]” For companies under the authority of the Consumer Financial Protection Bureau (CFPB), the CFPB’s no-action letter (NAL) program offers a potential tool to help navigate these challenges. As described in the following article, however, the tool is not without risk for companies seeking regulatory guidance.
As connected devices become ubiquitous, it comes as no surprise that interactive toys that connect to the internet are more popular than ever. At the same time, regulators have taken note of the privacy and security concerns raised by lawmakers and privacy advocates about the proliferation of smart toys that collect personal information from kids. Recent guidance issued by both the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) suggests that the agencies may be taking a closer look at the rapidly expanding connected toy market, a small part of the largely unregulated “Internet of Things.”
The European data protection regulators, the Article 29 Working Party (WP29), recently issued two guidance papers which clarify the data protection legal framework applicable to the Internet of Things (IoT) and to the use of device fingerprinting. Both opinions underline WP29’s current focus on data-driven innovations. This article highlights the key takeaways from these two opinions.