In typical California fashion, the state is leading the charge toward developing law that would regulate the Internet of Things (“IoT”). IoT devices typically include any device that connects to the internet, such as phones, tablets, Amazon “Alexa” and other similar convenience items, thermostats, baby monitors, and even connected home security systems. California SB-327 has passed the California House and Senate and looks like it may soon be signed into law by the Governor. Although not effective until January 1, 2020, the law requires that manufacturers of IoT devices implement certain reasonable security measures into the devices themselves. Among other things, it also requires manufacturers to force users to customize the password for their device.
While the law has recently been criticized for being too broad (i.e., not defining “reasonable” security measures), lawyers and tech specialists recognize that a law that is too specific in dictating technical measures may not be a “fit” for all devices, not to mention that such measures may be outdated solutions by the time the device enters the market. Thus, it seems a balance between vagueness and specificity in the law must be struck. We expect to see some tweaks to this law prior to the final version going into effect in 2020.
Though no other state has yet passed any law similar to the California bill, Congress has proposed an IoT bill called the SMART IoT Act (H.R. 6032), which would require the Department of Commerce to conduct a study of the IoT industry, providing the precursor to perhaps a federal IoT law.
If you have additional questions about navigating the laws relating to IoT devices, or any other cyber security legal issue, please do not hesitate to contact us at 312-368-0100 or email@example.com.
On May 25, 2018, the European General Data Protection Regulation (“GDPR”) went into effect. US-based companies that had offices in the European Union or European Economic Area (collectively, “EU”), or whose target market consisted of persons living in the EU, were forced to take both IT and legal measures to ensure compliance, or face heavy fines or potential court damages. However, many US-based companies simply decided to block EU access to their e-commerce websites and discontinue selling products to the EU as a means of avoiding compliance with the GDPR.
While this strategy of avoidance may allow certain companies to sidestep the compliance measures required by the GDPR, it will not succeed as a long-term strategy as more states (and potentially the federal government) adopt privacy laws similar to the California Consumer Privacy Act of 2018 (“CCPA”).
Passed in June 2018, the CCPA will become effective January 1, 2020. Once effective, US companies will have additional regulations with which to comply regarding the processing of personal information (“PI”) of California residents. PI is defined broadly to include “any information that … relates to … a particular consumer or household”. The law was designed to provide California consumers with a means of controlling their personal information, putting them in a better position to protect their privacy and autonomy. Specifically, the CCPA:
- Gives California consumers the right to know what PI a business has collected about them or their children;
- Gives California consumers the right to know if such PI has been sold or disclosed for a business purpose, and if so, to whom;
- Gives California consumers a right to have their PI deleted;
- Requires businesses to disclose to California consumers whether any of the consumer’s PI has been sold, and if so, allows California consumers to request that the business cease any sales of the consumer’s PI;
- Prevents a business from denying, changing, or charging more for a service if a California consumer requests information about the sale of the consumer’s PI, or refuses to allow the business to sell the consumer’s PI; and
- Requires businesses to safeguard California consumers’ PI and holds businesses accountable if such PI is compromised as a result of a security breach arising from the business’s failure to take reasonable steps to protect the security of consumers’ sensitive information.
Who Must Comply? Companies must comply if, in the course of their business, they receive PI from any California residents and if they or their parent or subsidiary either: (1) generate annual gross revenues in excess of $25 million, (2) collect PI of 50,000 or more California residents, households or devices annually, or (3) generate 50% or more of their annual revenue from selling California residents’ PI. Interestingly, parent companies and subsidiaries using the same branding are covered by the definition of “business” even if they themselves do not meet or exceed these thresholds. Thus, essentially, almost all US companies whose websites collect PI (even if only by obtaining IP addresses) are subject to the CCPA, unless they can ensure that fewer than 50,000 California residents or fewer than 50,000 of their devices visit the company’s site annually.
What about Companies Who Do Not Do Business in California?
Many US companies may have difficulty showing that they do not do business in California. According to the California Civil Code, only companies whose “commercial conduct takes place wholly outside of California” would be able to avoid the CCPA. Further, a company outside California is deemed to be “doing business” in California if it “actively engages in any transaction for the purpose of financial or pecuniary gain or profit in California”. Companies outside California that are qualified to do business in California may be subject to the CCPA if they enter into “repeated and successive transactions” in California, including online transactions. While this applies only to California, it is very probable that other states will adopt similar legislation.
Whose Information Is Affected?
The new law defines “consumer” broadly to include not only customers, but also employees, patients, tenants, students, parents and children (Cal. Civ. Code Sec. 1798.140(g)). A “resident” includes natural persons who are in California for anything other than a temporary or transitory purpose, and those natural persons domiciled in California who are out of the State for a temporary or transitory purpose.
What Are The Penalties of Non-Compliance?
If a business is not in compliance with the CCPA, the California Attorney General’s Office may bring a civil action against the business. The Office may levy penalties for non-compliance of up to $7500 per intentional violation of any provision, or $2500 per violation for unintentional violations that are not cured within 30 days of notification.
What are Companies To Do?
Moving forward, all US companies must engage in data mapping to determine what PI they collect, and then put in place updated privacy notices and other procedures to comply with all relevant regulations. While California is often the ringleader, other states are certainly developing similar laws aimed at protecting the PI of their residents. Until such time as a federal privacy regulation is put into place, US companies will need to analyze carefully where they do business and comply with a patchwork of state laws.
To learn more about the CCPA and other privacy related matters, please contact the author:
Natalie A. Remien, CIPP/US at:
firstname.lastname@example.org or (312) 368-0100.