Main Menu
Print PDF

California IoT Security Law Cheat Sheet

Cyber Law and Data Protection Alert | December 17, 2019
By: Joshua Mooney and Richard Borden

Perhaps forgotten in coverage on the California Consumer Privacy Act (CCPA), also effective January 1, 2020 is the California Internet of Things Security Law (the Act). The first IoT security law in the nation, the Act requires all “connected devices” sold or offered for sale in California to have “reasonable security” measures. Thus, this law applies to any Bluetooth or other device assigned an IP address, including medical devices, copy machines, headsets, automobile entertainment centers, smart watches, smart appliances, etc.

What is the California Internet of Things (IoT) Security Law?

Signed into law on September 28, 2018, the California IoT Security Law is the first IoT law in the nation that requires all “connected devices” sold or offered for sale in California to have “reasonable security” measures. The law does not create a private cause of action. Instead, the Act’s requirements are to be enforced by the California Attorney General, or by a city attorney, a county counsel, or a district attorney. The law goes into effect January 1, 2020.

What Businesses are Regulated by the California IoT Security Law?

The statute has a broad definition for “connected device,” defining the term as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This may include copy machines, Bluetooth devices, personal fitness devices, medical devices, televisions, printers, appliances, and more. The Act defines “manufacturer” as a “person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”

The Act does not impose duties upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance” under the Act. Nevertheless, companies who buy or sell any devices that may include IoT should review and negotiate their contracts to address these requirements to demonstrate their own reasonable cybersecurity measures, and in fact, may be required to under other laws and regulations.

Reasonable Security Requirements

The California IoT Security Law requires manufacturers of connected devices to equip such devices “with a reasonable security feature or features that are all of the following:

  • Appropriate to the nature and function of the device.
  • Appropriate to the information it may collect, contain, or transmit.
  • Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

Subject to these requirements, if a connected device is equipped with a means for authentication outside a local area network, to be deemed a “reasonable security” measure, the feature must meet one of the following requirements:

  • The preprogrammed password is unique to each device manufactured; or
  • The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

If you have questions or would like further information, please contact Joshua Mooney (; 215.864.6345) or Richard Borden (; 212.631.4439).

This correspondence should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation and legal questions.
Back to Page