
New California Law Regulates “Internet of Things”

“Internet of Things”
Is getting regulated;
California leads

On January 1, 2020, California became the first state to specifically regulate the security of web-connected devices – commonly called “Internet of Things” (IoT) devices.

The new law, Cal. Civ. Code § 1798.91.04, says that:

A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:

  1. Appropriate to the nature and function of the device.
  2. Appropriate to the information it may collect, contain, or transmit.
  3. Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

It’s deemed a “reasonable” security feature if either of the following requirements is met:

  1. The preprogrammed password is unique to each device manufactured.
  2. The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

A “connected device” is “any device or other physical object that’s capable of connecting to the Internet, directly or indirectly, and that’s assigned an Internet Protocol address or Bluetooth address.”

This covers a broad range of devices, from “old school” technology like printers to newer technology such as “smart” refrigerators and digital assistants like Alexa.

(The hacking of a smart fridge network was a plot point on HBO’s Silicon Valley.)

The new California IoT law doesn’t apply to devices that are regulated by federal law, such as medical devices.

(The hacking of the Vice-President’s internet-connected pacemaker was a plot point in the series Homeland.)

The new law will be enforced by California’s Attorney General and does not provide for private rights of action by consumers affected by failures to comply with the law.

An Oregon IoT law, passed after California’s, also took effect on January 1. The Oregon law applies only to devices used primarily for family, personal, or household purposes.

The UK is also apparently planning to provide similar IoT device regulations.

