Bill Text

PDF |Add To My Favorites |Track Bill | print page

SB-327 Information privacy: connected devices.(2017-2018)

SHARE THIS:share this bill in Facebookshare this bill in Twitter
Date Published: 05/26/2017 02:00 PM
SB327:v96#DOCUMENT

Amended  IN  Senate  May 26, 2017
Amended  IN  Senate  May 17, 2017
Amended  IN  Senate  March 20, 2017

CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Senate Bill No. 327


Introduced by Senator Jackson

February 13, 2017


An act to add Title 1.81.26 (commencing with Section 1798.91.01) to Part 4 of Division 3 of the Civil Code, relating to information privacy.


LEGISLATIVE COUNSEL'S DIGEST


SB 327, as amended, Jackson. Information privacy: connected devices.
Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.
This bill, commencing on January 1, 2019, bill would require a manufacturer that sells or offers to sell a connected device, device in this state, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is disclosure. The bill would also require any connected device sold or provided in this state to provide notice of whether it is capable of collecting audio, video, or location information, or when it is collecting biometric or health information beyond location, biometric, health, or other personal or sensitive user information if that information is not otherwise indicated by the packaging or by the stated functionality of the connected device and to obtain user consent before it collects or transmits information, as specified. The bill would also require a connected device sold in California to provide notice of whether the connected device is capable of collecting specified types of information and if and how the consumer can obtain information about security patches and feature updates. The bill would require a manufacturer that sells or offers to sell a connected device to a consumer in this state to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device, as specified.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.26. Security of Connected Devices

1798.91.01.
 A manufacturer that sells or offers to sell a connected device in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

1798.91.02.
 Any connected device sold or provided in this state to a consumer shall provide notice through the use of words or icons on the device’s packaging, or on the product’s, or on the manufacturer’s Internet Web site, of all of the following:
(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which type or types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.
(b) The process by which a connected device collects the information specified in subdivision (a), as well as the frequency of collection and what types of interactions with the device may trigger collection.
(c) If and how the consumer can obtain information about security patches and feature updates for the connected device.

1798.91.02.1798.91.03.
 (a) A manufacturer that sells or offers to sell a connected device to a consumer in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.
(b)A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.
(b) Consent granted in accordance with subdivision (a) shall remain in effect until it is revoked by the consumer.
(c) Consent granted in accordance with subdivision (a) may be revoked by the consumer at any time.

(c)

(d) Nothing in subdivision (b) (a) shall be construed to prohibit a manufacturer from collecting or using deidentified information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network. device, or from providing location information concerning a user under any of the following circumstances:
(1) The information is provided a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the user’s request for emergency services.
(2) The information is provided to inform the user’s legal guardian, members of the user’s family, or to a person reasonably believed by the manufacturer to be a close personal friend of the user, of the user’s location in an emergency situation that involves the risk of death or life threatening harm.
(3) The information is provided to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.

1798.91.03.

A connected device sold in California to a consumer shall provide notice through the use of words or icons on the device’s packaging, or if the device is being sold online, on the product’s Internet Web site, of both of the following:

(a)Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.

(b)How the consumer can obtain information about security patches and feature updates for the connected device.

1798.91.04.
 For purposes of this title, the following terms have the following meanings:
(a) (1) “Connected device” means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term “connected device” shall include a medical device that meets the definition of a “device” in subsection (h) of Section 321 of Title 21 of the United States Code.
(2) “Connected device” shall not include a motor vehicle as defined in Section 415 of the Vehicle Code.
(b) “Consumer” means a person who purchases or obtains a connected device for personal or household use.
(c) “Deidentified information” means information that does not contain any link or connection to the consumer or user of the device. In order for information to be deidentified, the manufacturer or another party must do all of the following:
(1) Make a reasonable determination that the information does not contain, or cannot be linked to, a consumer’s or user’s identity, taking into account other pertinent information that may be reasonably available to the manufacturer, the public, or an advertiser seeking to associate the deidentified information with a specific consumer or user.
(2) Lack actual knowledge that the deidentified information could be used alone or in combination with other information to link the deidentified information to an individual.
(3) Ensure that all deidentification procedures occur on the device.
(d) “Stated functionality” means the functionality of the device as understood by a reasonable person based on the manufacturer’s marketing of the device.
(e) “Unauthorized access, destruction, use, modification, or disclosure” means access, destruction, use, modification, or disclosure that is not authorized by the consumer.

1798.91.05.
 (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.
(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.
(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user’s discretion.

(c)

(d) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.

(d)

(e) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.
(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.

1798.91.06.

This title shall become operative on January 1, 2019.