
SB-327 Information privacy: connected devices. (2017-2018)

Date Published: 05/17/2017 09:00 PM

Amended IN Senate May 17, 2017
Amended IN Senate March 20, 2017

CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Senate Bill No. 327


Introduced by Senator Jackson

February 13, 2017


An act to add Title 1.81.26 (commencing with Section 1798.91.01) to Part 4 of Division 3 of the Civil Code, relating to information privacy.


LEGISLATIVE COUNSEL'S DIGEST


SB 327, as amended, Jackson. Information privacy: connected devices.
Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.
This bill, commencing on January 1, 2019, would require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device and to obtain user consent before it collects or transmits information, as specified. The bill would also require a connected device sold in California to provide a short, plainly written notice of whether the connected device is capable of collecting specified types of information and how the consumer can obtain information about security patches and feature updates.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.26. Security of Connected Devices

1798.91.01.
 A manufacturer that sells or offers to sell a connected device in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

1798.91.02.
 (a) A manufacturer that sells or offers to sell a connected device in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.
(b) A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.
(c) Nothing in subdivision (b) shall be construed to prohibit a manufacturer from collecting or using information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network.

1798.91.03.
 A connected device sold in California to a consumer shall provide a short, plainly written notice through the use of words or icons on the device’s packaging, or if the device is being sold online, on the product’s Internet Web site, of the connected device’s information collection functions at the point of sale that contains, but is not limited to, both of the following:
(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.
(b) How the consumer can obtain information about security patches and feature updates for the connected device.

1798.91.04.
 For purposes of this title, the following terms have the following meanings:
(a) “Connected device” means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term “connected device” shall include a medical device that meets the definition of a “device” in subsection (h) of Section 321 of Title 21 of the United States Code.
(b) “Consumer” means a person who purchases a connected device for personal or household use.

1798.91.05.
 (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.
(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.
(c) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.
(d) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.

1798.91.06.
 This title shall become operative on January 1, 2019.