
Two New State IoT Laws Go Into Effect on Jan. 1

In 2020, manufacturers of Internet of Things devices will need to comply with new laws in California and Oregon.
By David Stauss, Bob Bowman and Malia Rogers
Dec 01, 2019

It may be hard to believe, but the California Consumer Privacy Act is not the only new law that will go into effect on Jan. 1, 2020. Rather, new laws in California and Oregon that regulate Internet of Things (IoT) devices will go into effect on that date as well. Below is an overview of those laws.

In September 2018, California became the first state to enact legislation directed at securing IoT devices. The California legislation requires "manufacturers" of "connected devices" to equip them with "a reasonable security feature or features" that are appropriate to the nature and function of the device; appropriate to the information the device may collect, contain or transmit; and designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification or disclosure.

The law further provides that if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a "reasonable security feature" if the preprogrammed password is unique to each device or if the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

The law defines a "connected device" as "any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address." It defines "manufacturer" as "the person who manufactures, or contracts with another person to manufacture on the person's behalf, connected devices that are sold or offered for sale in California."

Notably, the law exempts certain activities from its requirements. For example, it does not impose a "duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device." It also does not apply "to any connected device the functionality of which is subject to security requirements under federal law, regulations or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority." And the law exempts HIPAA-covered entities and business associates to the extent that the activity in question is covered by that act.

Oregon's legislation was modeled on California's law and, therefore, shares many similarities. One notable difference is that Oregon's legislation defines "connected device" to mean "a device or other physical object" that "connects, directly or indirectly, to the Internet and is used primarily for personal, family or household purposes" and "is assigned an internet protocol address or another address or number that identifies the connected device for the purpose of making a short-range wireless connection to another device." The inclusion of the phrase "used primarily for personal, family or household purposes" is a potentially significant limitation for IoT manufacturers.

The Oregon legislation also contains a different definition of "manufacturer," stating that the term "means a person that makes a connected device and sells or offers to sell the connected device in this state." In comparison, California's law defines manufacturers to include any entity that "contracts with another person to manufacture [the connected device] on the person's behalf."
