Today's Law As Amended

PDF |Add To My Favorites |Track Bill | print page

SB-327 Information privacy: connected devices.(2017-2018)



SECTION 1.

 Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.26. Security of Connected Devices

1798.91.01.
 A manufacturer that sells or offers to sell a connected device to a consumer in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
1798.91.02.
 For purposes of this title, the following terms have the following meanings:
(a) “Connected device” means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device.
(b) “Consumer” means a person who purchases or obtains a connected device for personal or household use.
(c) “Unauthorized access, destruction, use, modification, or disclosure” means access, destruction, use, modification, or disclosure that is not authorized by the consumer.
1798.91.03.
 (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.
(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.
(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user’s discretion.
(d) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.
(e) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.
(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.