California’s governor recently signed into law a bill requiring manufacturers of connected devices sold in California to include “reasonable” security features in those devices. The law doesn’t go into effect until January 1, 2020. It requires that the devices have security “appropriate to the nature and function of the device” and appropriate to the type of information collected. The security measures should also guard against breaches. Reasonable measures include, where appropriate, having a unique, preprogrammed password or making people create a password before using the device for the first time.

The law specifically states that it is not imposing obligations on IoT manufacturers with regard to third-party software or applications that a user might choose to add to their connected device. Although the law follows many recent data breaches, it does not include a private right of action.

Putting it Into Practice: Manufacturers of connected devices should take note of this law, which shows that regulators want appropriate measures taken to ensure consumer security.