Now that the January 1, 2020 compliance deadline for the California Consumer Privacy Act (“CCPA”) has passed and the dust has settled, it may be worth taking a look at how a few other changes in California may impact privacy law. More specifically, in the chaos caused by CCPA compliance, several privacy experts have overlooked California’s steps to regulate the Internet of Things (“IoT”).
THE INTERNET OF THINGS GETS MORE DANGEROUS
While we were all focused on the impeding CCPA deadline, we can be forgiven for missing a recent incident where a Ring security camera was hacked to harass a child in her bedroom. On December 12, 2019, the Washington Post reported on 8-year-old Alyssa LeMay who went to her bedroom when she heard music. Once inside her bedroom, the music stopped and a man’s voice said: “Hello there.” The hacked Ring camera allowed the stranger to view Alyssa’s room and speak directly to her. The man also told Alyssa that he was Santa Claus. The remarkable exchange between Alyssa and the stranger allowed the man to use a racial slur with the child and prompt her to misbehave. The video on the Washington Post website has to be watched to be believed and to fully understand the significant danger created by the “Internet of Things” devices. Further, while this incident did not cause long-term damage, it is easy to see the dangers created by these devices in our homes.
This incident with the Ring camera makes parents long for simpler times, such as in December of 2015, when they only needed to worry about pictures and data saved on children’s toys that were breached by a toymaker.
LEGISLATION ADDRESSES THE DANGERS RELATED TO THE INTERNET OF THINGS
While the CCPA deadline was important, California lawmakers imposed another deadline on January 1, 2020, that requires a manufacturer of a connected device, such as the Ring camera, to take steps that would make IoT devices collect and safely store data. Specifically, the “Security of Connected Devices” law may provide a model for other state and federal laws as IoT devices become more ingrained in our lives. And, while the law may contain several significant holes and only applies to manufacturers, it provides a decent first step in regulating this new technology with the following:
- First, the new law states that “Manufacturer” “means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.” This definition will have an immediate impact to the extent this will create more security outside of California as manufacturers bring all devices in compliance with California’s laws rather than lose access to the California market. Therefore, while this law is limited to California, we can expect all IoT devices in all states will get more secure.
- Next, the law requires “[a] manufacturer of a connected device…equip the device with a reasonable security feature or features that are all of the following: (1) Appropriate to the nature and function of the device. (2) Appropriate to the information it may collect, contain, or transmit. (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” Once again, because the California market is so large, we can expect to see all IoT devices integrate “reasonable security features” regardless of whether the device will be sold in California.
- Further, many of the other definitions found in this law are broad and will most likely result in manufacturers increasing security features. For example, the term “connected device” is used in the law to mean “any device, or other physical objects that are capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Therefore, while it is clear that a Ring camera would fall under this law, we may see manufacturers of printers make sure they are in compliance.
- Finally, while the law is broad, it does not create a private cause of action. The California Attorney General will need to enforce this law. Additionally, it is clear that this law is limited to manufacturers and does not apply to individuals that install and use IoT devices.
THE INTERNET OF THINGS IS WITH US FOR GOOD
At present, the dangers presented by interconnected devices must be addressed by manufacturers of the products and law enforcement such as the California Attorney General. California’s Security of Connected Devices law does not create a private cause of action. That being said, this technology, and the laws that control the use of this technology, are quickly evolving. In the matter of a few years, we have gone from speculating how these devices could cause harm to see children harassed in their own bedrooms. The Economist recently reported: “One forecast is that by 2035 the world will have a trillion connected computers, built into everything from food packaging to bridges and clothes.” (The January 10, 2020 edition of the Wall Street Journal also addresses these issues in great detail.) Based on this significant increase in interconnected devices in both residential and industrial settings, the Economist article concludes: “As a result, a series of unresolved arguments about ownership, data, surveillance, competition and security will spill over from the virtual world into the real one.” Therefore, as these dangers become clear and we see the potential for property damage or bodily injury, we can expect to see state and federal governments step up the regulation of the Internet of Things.