California’s 'Other' Game-Changer: Complying with the New IoT Cybersecurity Law

When California Governor Jerry Brown signed Senate Bill 327 on September 28, California became the first state to enact legislation expressly governing cybersecurity measures that must be employed by manufacturers of Internet-connected “smart” devices, collectively known as the Internet of Things (IoT). The law, to be codified at California Civil Code Sections 1798.91.04–06, became effective on January 1, 2020. The new law applies to any “manufacturer of a connected device,” which is defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” A “connected device” is “any device, or other physical object, that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address,” a definition that is broad enough to encompass most devices that are commonly considered part of the IoT.