Amended IN Senate May 17, 2017 Amended IN Senate March 20, 2017 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Senate Bill No. 327Introduced by Senator JacksonFebruary 13, 2017 An act to add Title 1.81.26 (commencing with Section 1798.91.01) to Part 4 of Division 3 of the Civil Code, relating to information privacy. LEGISLATIVE COUNSEL'S DIGESTSB 327, as amended, Jackson. Information privacy: connected devices.Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.This bill bill, commencing on January 1, 2019, would require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device and to obtain consumer user consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device sold in California to provide a short, plainly written notice of whether the connected devices information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of device is capable of collecting specified types of information and how the consumer can obtain information about security patches and updates to a consumer who purchases the device. feature updates.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.26. Security of Connected Devices1798.91.01. (a)A manufacturer that sells or offers to sell a connected device in this state California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b)A manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.(c)A manufacturer that sells or offers to sell a connected device in this state shall design the device to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a consumer transaction or for the stated functionality of the connected device.1798.91.02. (a) A manufacturer that sells or offers to sell a connected device in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b) A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(c) Nothing in subdivision (b) shall be construed to prohibit a manufacturer from collecting or using information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network.1798.91.02.(a)A person who sells or offers to sell a1798.91.03. A connected device sold in this state California to a consumer shall provide a short, plainly written notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of the connected devices information collection functions at the point of sale that contains, but is not limited to, all both of the following:(1)(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information. user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(2)Where a consumer can find the applicable privacy policy for the connected device.(3)(b) How the consumer will be notified directly of can obtain information about security patches and feature updates applicable to for the connected device.(b)Direct notification of security patches and updates shall be provided to a consumer who purchases a connected device by the manufacturer of that device in addition to any other notices required by law.1798.91.03.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(b)Person means an individual, partnership, corporation, association, or other group, however organized.(b) Consumer means a person who purchases a connected device for personal or household use.1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.1798.91.06. This title shall become operative on January 1, 2019.
Amended IN Senate May 17, 2017 Amended IN Senate March 20, 2017 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Senate Bill No. 327Introduced by Senator JacksonFebruary 13, 2017 An act to add Title 1.81.26 (commencing with Section 1798.91.01) to Part 4 of Division 3 of the Civil Code, relating to information privacy. LEGISLATIVE COUNSEL'S DIGESTSB 327, as amended, Jackson. Information privacy: connected devices.Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.This bill bill, commencing on January 1, 2019, would require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device and to obtain consumer user consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device sold in California to provide a short, plainly written notice of whether the connected devices information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of device is capable of collecting specified types of information and how the consumer can obtain information about security patches and updates to a consumer who purchases the device. feature updates.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO
Amended IN Senate May 17, 2017 Amended IN Senate March 20, 2017
Amended IN Senate May 17, 2017
Amended IN Senate March 20, 2017
CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION
Senate Bill No. 327
Introduced by Senator JacksonFebruary 13, 2017
Introduced by Senator Jackson
February 13, 2017
An act to add Title 1.81.26 (commencing with Section 1798.91.01) to Part 4 of Division 3 of the Civil Code, relating to information privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
SB 327, as amended, Jackson. Information privacy: connected devices.
Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.This bill bill, commencing on January 1, 2019, would require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device and to obtain consumer user consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device sold in California to provide a short, plainly written notice of whether the connected devices information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of device is capable of collecting specified types of information and how the consumer can obtain information about security patches and updates to a consumer who purchases the device. feature updates.
Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.
This bill bill, commencing on January 1, 2019, would require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device and to obtain consumer user consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device sold in California to provide a short, plainly written notice of whether the connected devices information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of device is capable of collecting specified types of information and how the consumer can obtain information about security patches and updates to a consumer who purchases the device. feature updates.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.26. Security of Connected Devices1798.91.01. (a)A manufacturer that sells or offers to sell a connected device in this state California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b)A manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.(c)A manufacturer that sells or offers to sell a connected device in this state shall design the device to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a consumer transaction or for the stated functionality of the connected device.1798.91.02. (a) A manufacturer that sells or offers to sell a connected device in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b) A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(c) Nothing in subdivision (b) shall be construed to prohibit a manufacturer from collecting or using information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network.1798.91.02.(a)A person who sells or offers to sell a1798.91.03. A connected device sold in this state California to a consumer shall provide a short, plainly written notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of the connected devices information collection functions at the point of sale that contains, but is not limited to, all both of the following:(1)(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information. user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(2)Where a consumer can find the applicable privacy policy for the connected device.(3)(b) How the consumer will be notified directly of can obtain information about security patches and feature updates applicable to for the connected device.(b)Direct notification of security patches and updates shall be provided to a consumer who purchases a connected device by the manufacturer of that device in addition to any other notices required by law.1798.91.03.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(b)Person means an individual, partnership, corporation, association, or other group, however organized.(b) Consumer means a person who purchases a connected device for personal or household use.1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.1798.91.06. This title shall become operative on January 1, 2019.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.26. Security of Connected Devices1798.91.01. (a)A manufacturer that sells or offers to sell a connected device in this state California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b)A manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.(c)A manufacturer that sells or offers to sell a connected device in this state shall design the device to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a consumer transaction or for the stated functionality of the connected device.1798.91.02. (a) A manufacturer that sells or offers to sell a connected device in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b) A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(c) Nothing in subdivision (b) shall be construed to prohibit a manufacturer from collecting or using information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network.1798.91.02.(a)A person who sells or offers to sell a1798.91.03. A connected device sold in this state California to a consumer shall provide a short, plainly written notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of the connected devices information collection functions at the point of sale that contains, but is not limited to, all both of the following:(1)(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information. user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(2)Where a consumer can find the applicable privacy policy for the connected device.(3)(b) How the consumer will be notified directly of can obtain information about security patches and feature updates applicable to for the connected device.(b)Direct notification of security patches and updates shall be provided to a consumer who purchases a connected device by the manufacturer of that device in addition to any other notices required by law.1798.91.03.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(b)Person means an individual, partnership, corporation, association, or other group, however organized.(b) Consumer means a person who purchases a connected device for personal or household use.1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.1798.91.06. This title shall become operative on January 1, 2019.
SECTION 1. Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:
### SECTION 1.
TITLE 1.81.26. Security of Connected Devices1798.91.01. (a)A manufacturer that sells or offers to sell a connected device in this state California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b)A manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.(c)A manufacturer that sells or offers to sell a connected device in this state shall design the device to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a consumer transaction or for the stated functionality of the connected device.1798.91.02. (a) A manufacturer that sells or offers to sell a connected device in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b) A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(c) Nothing in subdivision (b) shall be construed to prohibit a manufacturer from collecting or using information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network.1798.91.02.(a)A person who sells or offers to sell a1798.91.03. A connected device sold in this state California to a consumer shall provide a short, plainly written notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of the connected devices information collection functions at the point of sale that contains, but is not limited to, all both of the following:(1)(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information. user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(2)Where a consumer can find the applicable privacy policy for the connected device.(3)(b) How the consumer will be notified directly of can obtain information about security patches and feature updates applicable to for the connected device.(b)Direct notification of security patches and updates shall be provided to a consumer who purchases a connected device by the manufacturer of that device in addition to any other notices required by law.1798.91.03.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(b)Person means an individual, partnership, corporation, association, or other group, however organized.(b) Consumer means a person who purchases a connected device for personal or household use.1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.1798.91.06. This title shall become operative on January 1, 2019.
TITLE 1.81.26. Security of Connected Devices1798.91.01. (a)A manufacturer that sells or offers to sell a connected device in this state California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b)A manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.(c)A manufacturer that sells or offers to sell a connected device in this state shall design the device to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a consumer transaction or for the stated functionality of the connected device.1798.91.02. (a) A manufacturer that sells or offers to sell a connected device in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b) A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(c) Nothing in subdivision (b) shall be construed to prohibit a manufacturer from collecting or using information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network.1798.91.02.(a)A person who sells or offers to sell a1798.91.03. A connected device sold in this state California to a consumer shall provide a short, plainly written notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of the connected devices information collection functions at the point of sale that contains, but is not limited to, all both of the following:(1)(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information. user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(2)Where a consumer can find the applicable privacy policy for the connected device.(3)(b) How the consumer will be notified directly of can obtain information about security patches and feature updates applicable to for the connected device.(b)Direct notification of security patches and updates shall be provided to a consumer who purchases a connected device by the manufacturer of that device in addition to any other notices required by law.1798.91.03.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(b)Person means an individual, partnership, corporation, association, or other group, however organized.(b) Consumer means a person who purchases a connected device for personal or household use.1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.1798.91.06. This title shall become operative on January 1, 2019.
TITLE 1.81.26. Security of Connected Devices
TITLE 1.81.26. Security of Connected Devices
1798.91.01. (a)A manufacturer that sells or offers to sell a connected device in this state California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b)A manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.(c)A manufacturer that sells or offers to sell a connected device in this state shall design the device to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a consumer transaction or for the stated functionality of the connected device.
1798.91.01. (a)A manufacturer that sells or offers to sell a connected device in this state California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
(b)A manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.
(c)A manufacturer that sells or offers to sell a connected device in this state shall design the device to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a consumer transaction or for the stated functionality of the connected device.
1798.91.02. (a) A manufacturer that sells or offers to sell a connected device in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b) A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(c) Nothing in subdivision (b) shall be construed to prohibit a manufacturer from collecting or using information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network.
1798.91.02. (a) A manufacturer that sells or offers to sell a connected device in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.
(b) A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.
(c) Nothing in subdivision (b) shall be construed to prohibit a manufacturer from collecting or using information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network.
(a)A person who sells or offers to sell a
1798.91.03. A connected device sold in this state California to a consumer shall provide a short, plainly written notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of the connected devices information collection functions at the point of sale that contains, but is not limited to, all both of the following:(1)(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information. user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(2)Where a consumer can find the applicable privacy policy for the connected device.(3)(b) How the consumer will be notified directly of can obtain information about security patches and feature updates applicable to for the connected device.(b)Direct notification of security patches and updates shall be provided to a consumer who purchases a connected device by the manufacturer of that device in addition to any other notices required by law.
1798.91.03. A connected device sold in this state California to a consumer shall provide a short, plainly written notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of the connected devices information collection functions at the point of sale that contains, but is not limited to, all both of the following:
(1)
(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information. user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.
(2)Where a consumer can find the applicable privacy policy for the connected device.
(3)
(b) How the consumer will be notified directly of can obtain information about security patches and feature updates applicable to for the connected device.
(b)Direct notification of security patches and updates shall be provided to a consumer who purchases a connected device by the manufacturer of that device in addition to any other notices required by law.
1798.91.03.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(b)Person means an individual, partnership, corporation, association, or other group, however organized.(b) Consumer means a person who purchases a connected device for personal or household use.
1798.91.03.1798.91.04. For purposes of this title, the following terms have the following meanings:
(a) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.
(b)Person means an individual, partnership, corporation, association, or other group, however organized.
(b) Consumer means a person who purchases a connected device for personal or household use.
1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.
1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.
(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.
(c) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.
(d) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.
1798.91.06. This title shall become operative on January 1, 2019.
1798.91.06. This title shall become operative on January 1, 2019.