CHAPTER
35.5. Connected Devices
22948.30.
For purposes of this chapter, the following definitions apply: (a) “Account manager” means a person or entity that provides an individual an internet-based or app-based user account, or a third party that manages those user accounts on behalf of that person or entity, that has authority to make decisions regarding user access to those user accounts.
(b) “Connected device” means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.
address or enables a person to remotely obtain data from or send commands to a connected device or account, which may be accomplished through a software application that is designed to be operated on a mobile device, computer, or other technology.
(c) (1) “Covered act” means conduct that constitutes any of the following:
(A) A crime described in Chapter 8 (commencing with Section 236) of Title 8 of Part 1 of the Penal Code.
(B) A crime described in Chapter 1 (commencing with Section 261), Chapter 2 (commencing with Section 270), Chapter 2.5 (commencing with Section 273.8), Chapter 4 (commencing with Section 277), Chapter 5 (commencing with Section 281), Chapter 5.5
(commencing with Section 290), Chapter 7.5 (commencing with Section 311), Chapter 7.6 (commencing with Section 313), or Chapter 8 (commencing with Section 314) of Title 9 of Part 1 of the Penal Code.
(C) An act under federal law, tribal law, or the Uniform Code of Military Justice that is similar to an offense described in subparagraph (A) or (B).
(D) Domestic violence, as defined in Section 6211 of the Family Code.
(E) A misdemeanor described in subdivision (e) of Section 243 of the Penal Code.
(2) Nothing in paragraph (1) shall be construed to require a criminal conviction or any other determination of a court in order for conduct to constitute a covered act.
(c)
(d) “Device access” means the ability to remotely control a connected device, remotely change the characteristics of a connected device, or remotely view or manipulate data collected
by or through a connected device, by accessing a user account or accounts associated with the connected device. Acts that require device access include, but are not limited to, remotely manipulating an audio system, security system, light fixture, or other home appliance or fixture and accessing camera or location data from a motor vehicle.
(e) “Device protection request” means a request by a survivor to terminate or disable a perpetrator’s access to a connected device or account, including, but is not limited to, the ability of a person to obtain data from or send commands to a connected device or account.
(f) “Perpetrator” means an individual who has committed or allegedly committed a covered act against a survivor or an individual under
the care of a survivor.
(d)
(g) “Remote vehicle technology” means any technology that allows a person who is outside of a vehicle to access the activity, track the location, or control any operation of the vehicle or its parts, that includes, but is not limited to, any of the following:
(1) A Global Positioning System (GPS).
(2) An app-based technology.
(3) Any other remote wireless connectivity
technology.
(h) “Survivor” means an individual who has had a covered act committed, or allegedly committed, against the individual, or who cares for another individual against whom a covered act has been committed or allegedly committed, provided that the individual providing care did not commit or allegedly commit the covered act.
(i) “User account or account” means an account or other means by which a person enrolls in or obtains access to a connected device or online service.
22948.31.
(a) (1) Commencing no later than two business days after receiving a device protection request that meets the requirements of from a survivor pursuant to subdivision (b), an account manager shall deny a person’s device access, terminate or disable a connected device or account access to a
perpetrator, as identified in the request.(b)A device protection request shall include all of the following:
(2) After receiving a device protection request from a survivor pursuant to subdivision (b), a vehicle manufacturer shall immediately terminate or disable remote vehicle technology, as identified in the request.
(b) In the case of a survivor seeking to deny a perpetrator device access, the survivor shall submit to the account manager a device protection request that includes all of the following:
(1) A verification that the perpetrator has committed or allegedly committed a covered act against the survivor or an individual in the survivor’s care, by providing either of the following:
(A) A copy of a signed affidavit from a licensed medical or mental health care provider, licensed military medical or mental health care provider, licensed social worker, victim services provider, licensed military victim services provider, temporary restraining order, emergency protective order, or protective order lawfully issued pursuant to Section 527.6 of the Code of Civil Procedure, Part 3 (commencing with Section 6240) or Part 4 (commencing with Section 6300) of Division 10 of the Family Code, or Section 136.2 of the Penal Code, documentation from a qualified third party based on information received by that third party while acting in the third party’s professional capacity to indicate that
the individual is seeking assistance for physical or mental injuries or abuse resulting from an act or crime.
(B) A copy of a police report, statements provided by police, including military police, to magistrates or judges, charging documents, protective or restraining orders, military protective orders, or any other official record that documents the covered act. A copy of a written report by a peace officer employed by a state or local law enforcement agency acting in the peace officer’s official capacity stating that the individual has filed a report alleging victimization of an act or crime.
(1)
(2) Verification of the requester’s survivor’s exclusive legal possession or control of the connected device, including, but not limited to, a dissolution decree, temporary restraining order, protective order, domestic violence restraining order, or other document indicating the requester’s survivor’s exclusive use care, possession, or control of the connected device.
(2)
(3) Identification of the connected device or devices.
(3)
(4) Identification of the person that the requester seeks to deny device access.
(c) An account manager shall offer a survivor the ability to submit a device protection request under subdivision (b) through secure remote means that are easily
navigable. Except as specified under subdivision (b), an account manager shall not require a specific form of documentation to submit a device protection request.
(d) An account manager shall make information about the options and process described in subdivision (b) publicly available on the internet website and mobile application, if applicable, of the account manager.
(e)The account manager may contact the requester or their designated representative to confirm that device access is denied, or to notify the requester that the device protection request is incomplete.
(e) An account manager shall notify the survivor of both of the following:
(1) The date on which the account manager intends to give any formal notice to the perpetrator that has had their device access denied.
(2) That the account manager may contact the survivor, or designated representative of the survivor, to confirm that the perpetrator’s device access is denied, or to notify the survivor that the device protection request is incomplete.
(f) An account manager shall not condition a device protection request submitted in accordance with subdivision (b) upon any of the following:
(1) Payment of a fee, penalty, or other charge.
(2) Approval of the device protection request by any other person who is not a legal owner or in legal possession of the device. person who has device access that is not the survivor.
(3) A prohibition or limitation on the ability to deny device access to a perpetrator as a result of arrears accrued by the account or associated with the connected device.
(4) An increase in the rate charged for the account if any subscription fee or other recurring charge for
account access applies.
(5) Any other limitation or requirement not listed under subdivision (b).
(g) (1) An account manager and any officer, director, employee, vendor, or agent thereof shall treat any information submitted by a survivor under this section as confidential and securely dispose of the information not later than 90 days after receiving the information.
(2) Nothing in paragraph (1) shall be construed to prohibit an account manager from maintaining, for longer than the period specified in that paragraph, a record that verifies that a requester
survivor fulfilled the conditions of a device protection request under subdivision (b).
22948.31.5.
(a) (1) An account manager that fails to deny a perpetrator access in compliance with subdivision (a) of Section 22948.31 or otherwise does not comply with the requirements described in Section 22948.31 shall be deemed in violation of this chapter.(2) A perpetrator that maintains or exercises device access, including by disturbing the peace of the other party, as described in subdivision (c) of Section 6320 of the Family Code, despite having their device access denied pursuant to subdivision (a) of Section 22948.31, shall be deemed in violation of this chapter.
(b) (1) Actions for relief pursuant to this chapter may be
prosecuted exclusively in a court of competent jurisdiction in a civil action brought by any person injured by the violation or in the name of the people of the State of California by the Attorney General, a district attorney, county counsel, a city attorney or a city prosecutor.
(2) A court may enjoin a person or entity who engages, has engaged, or proposes to engage in a violation of this chapter. The court may make any orders or judgments as may be necessary to prevent a violation of this chapter.
(3) A person or entity who engages, has engaged, or proposes to engage in a violation of this chapter shall be liable for a civil penalty not to exceed two thousand five hundred dollars ($2,500) for each connected device in violation of this chapter. If the action is brought by the Attorney General, the penalty shall be deposited into the General Fund. If the action is brought by a
district attorney or county counsel, the penalty shall be paid to the treasurer of the county in which the judgment was entered. If the action is brought by a city attorney or city prosecutor, the penalty shall be paid to the treasurer of the city in which the judgment was entered. If the action is brought by a person injured by the violation, the penalty shall be awarded to that person.
22948.32.
(a) A vehicle manufacturer that offers a vehicle for sale, rent, or lease in the state that includes remote vehicle technology shall do all of the following:(1) Ensure that the remote vehicle technology can be immediately manually disabled by a driver of the vehicle while that driver is inside the vehicle by a method that meets all of the following criteria:
(A) The method of manually disabling the remote vehicle technology is prominently located and easy to use and does not require access to a remote, online application.
(B) Upon its use,
the method of manually disabling the remote vehicle technology informs the user of the requirements of subdivision (b).
(C) The method of manually disabling the remote vehicle technology does not require a password or any login information.
(D) Upon its use, the method of manually disabling the remote vehicle technology does not result in the remote vehicle technology, vehicle manufacturer, or a third-party service provider sending to the registered owner of the car an email, telephone call, or any other notification related to the remote vehicle technology being disabled.
(E) Upon its use, the method of manually disabling the remote vehicle technology causes the remote vehicle technology to be disabled for a
minimum of seven days and capable of being reenabled only by the vehicle manufacturer pursuant to paragraph (4).
(2) Offer secure remote means via the internet for a requester survivor to submit a vehicle separation notice that includes a prominent link on the vehicle manufacturer’s internet website.
(3) Upon request, reset the remote vehicle technology with a new secure account and delete all data from the original account.
(4) Reenable the remote vehicle technology only if the registered owner of the car notifies the manufacturer that the remote vehicle technology
was disabled in error, and a requester survivor has not contacted the vehicle manufacturer to provide the information required by subdivision (b) within seven days of the remote vehicle technology being disabled.
(b) A requester survivor shall submit a vehicle separation notice to a vehicle manufacturer through the means provided by the vehicle manufacturer pursuant to paragraph (2) of subdivision (a) within seven days of the date on which the requester
survivor used the method of manually disabling remote vehicle technology required by subdivision (a), which shall include the vehicle identification number of the vehicle and a copy of either of the following documents that supports that the perpetrator has committed, or allegedly committed, a covered act against the requester survivor or an individual in the requester’s survivor’s care:
(1) A signed affidavit from any of the following individuals acting within the
scope of that person’s employment:
(A) A licensed medical or mental health care provider.
(B) A licensed military medical or mental health care provider.
(C) A licensed social worker.
(D) A victim services provider.
(E) A licensed military victim services provider.
(2) A copy of any of the following documents:
(A) A police report.
(B) A statement provided by the police, including military police, to a magistrate judge or other
judge.
(C) A charging document.
(D) A protective or restraining order, including military protective orders.
(E) Any other relevant document that is an official record.
(c) Only if, for technological reasons, a vehicle manufacturer is unable to comply with paragraph (1) of subdivision (a), the vehicle manufacturer shall disable remote vehicle technology within one business day after receiving a request that includes the information required by subdivision (b) and is submitted pursuant to the mechanism required by subdivision (a).
22948.33.
Any waiver of the provisions of this chapter is contrary to public policy and void and unenforceable.22948.34.
(a) The duties and obligations imposed by this chapter are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(b) The remedies or penalties provided by this chapter are cumulative to each other and to the remedies or penalties available under all other laws of the state.
22948.34.5.
Notwithstanding any other provision of this chapter, any entity that is subject to the federal Safe Connections Act of 2022 (Public Law 117-223) or regulations of the Federal Communications Commission adopted pursuant to the authority of that law, shall not be subject to this chapter.22948.35.
The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.22948.36.
This chapter shall become operative on January 1, 2026.