Today's Law As Amended


SB-327 Information privacy: connected devices. (2017-2018)


 Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.26. Security of Connected Devices

 A manufacturer that sells or offers to sell a connected device in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
 Any connected device sold or provided in this state to a consumer shall provide notice through the use of words or icons on the device’s packaging, or on the product’s, or on the manufacturer’s Internet Web site, of all of the following:
(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which type or types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.
(b) The process by which a connected device collects the information specified in subdivision (a), as well as the frequency of collection and what types of interactions with the device may trigger collection.
(c) If and how the consumer can obtain information about security patches and feature updates for the connected device.
 (a) A manufacturer that sells or offers to sell a connected device to a consumer in California shall obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.
(b) Consent granted in accordance with subdivision (a) shall remain in effect until it is revoked by the consumer.
(c) Consent granted in accordance with subdivision (a) may be revoked by the consumer at any time.
(d) Nothing in subdivision (a) shall be construed to prohibit a manufacturer from collecting or using deidentified information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device, or from providing location information concerning a user under any of the following circumstances:
(1) The information is provided a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the user’s request for emergency services.
(2) The information is provided to inform the user’s legal guardian, members of the user’s family, or to a person reasonably believed by the manufacturer to be a close personal friend of the user, of the user’s location in an emergency situation that involves the risk of death or life threatening harm.
(3) The information is provided to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.
 For purposes of this title, the following terms have the following meanings:
(a) (1) “Connected device” means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device.
(2) “Connected device” shall not include a motor vehicle as defined in Section 415 of the Vehicle Code.
(b) “Consumer” means a person who purchases or obtains a connected device for personal or household use.
(c) “Deidentified information” means information that does not contain any link or connection to the consumer or user of the device. In order for information to be deidentified, the manufacturer or another party must do all of the following:
(1) Make a reasonable determination that the information does not contain, or cannot be linked to, a consumer’s or user’s identity, taking into account other pertinent information that may be reasonably available to the manufacturer, the public, or an advertiser seeking to associate the deidentified information with a specific consumer or user.
(2) Lack actual knowledge that the deidentified information could be used alone or in combination with other information to link the deidentified information to an individual.
(3) Ensure that all deidentification procedures occur on the device.
(d) “Stated functionality” means the functionality of the device as understood by a reasonable person based on the manufacturer’s marketing of the device.
(e) “Unauthorized access, destruction, use, modification, or disclosure” means access, destruction, use, modification, or disclosure that is not authorized by the consumer.
 (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.
(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.
(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user’s discretion.
(d) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.
(e) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.
(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.