CALL US: 206.533.3854
CALL US  206.533.3854
AEON Law logo full color transparent
By Toma Cristian, Cristian Ciurea and Ion Ivan -, CC BY 3.0,

New California Law Regulates “Internet of Things”

“Internet of Things”
Is getting regulated;
California leads

On January 1, 2020, California became the first state to specifically regulate the security of web-connected devices – commonly called “Internet of Things” (IoT) devices.

The new law, Cal. Civ. Code § 1798.91.04, says that:

A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:

  1. Appropriate to the nature and function of the device.
  2. Appropriate to the information it may collect, contain, or transmit.
  3. Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

It’s deemed a “reasonable” security feature if either of the following requirements are met:

  1. The preprogrammed password is unique to each device manufactured.
  2. The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

A “connected devices” is “any device or other physical object that’s capable of connecting to the Internet, directly or indirectly, and that’s assigned an Internet Protocol address or Bluetooth address.”

This includes a broad range of devices, including “old school” technology like printers as well as newer technology such as “smart” refrigerators and digital assistants like Alexa.

(The hacking of a smart fridge network was a plot point on HBO’s Silicon Valley.)

The new California IoT law doesn’t apply to devices that are regulated by federal law, such as medical devices.

(The hacking of the Vice-President’s internet-connected pacemaker was a plot point in the series Homeland.)

The new law will be enforced by California’s Attorney General and does not provide for private rights of action by consumers affected by failures to comply with the law.

An Oregon IoT law, passed after California’s, also took effect on January 1. The Oregon law applies only to devices used primarily for family, personal, or household purposes.

The UK is also apparently planning to provide similar IoT device regulations.

Just like the haiku above, we like to keep our posts short and sweet. Hopefully, you found this bite-sized information helpful. If you would like more information, please do not hesitate to contact us here.

Related Articles

Just Because It’s on the Internet Doesn’t Mean It’s “Publicly Accessible”

The Patent Trial and Appeal Board (PTAB or Board) has denied institution of a petition for inter partes review (IPR) because the petitioner failed to ...
Read More

Trademark Denied for “ChatGPT”

The US Patent and Trademark Office (USPTO) has denied OpenAI’s applications to trademark “ChatGPT” and “GPT.” The Final Office Action states, “Registration is refused because the applied-for mark ...
Read More

Federal Circuit: “Improving User Experience” Isn’t Patentable

The Federal Circuit has affirmed a lower court decision that patent claims for methods and systems for improving how search results are displayed to users ...
Read More

Stay Informed

Sign up to receive Patent Poetry—a monthly roundup of key IP issues in our signature haiku format. Four articles (only 68 syllables); zero hassle.



Artificial Intelligence

Blockchain & Cryptocurrency

Computer Technology & Software

Consumer Electronics

Electrical Devices



Mechanical Devices

Consumer & Retail Products

Hardware & Tools

Toys & Games



Chemical Compounds

Digital Health

Healthcare Products



Books & Publications

Brand Creation

Luxury Products

Photography & Video

Product Design