Amended IN Senate May 26, 2017 Amended IN Senate May 17, 2017 Amended IN Senate March 20, 2017 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Senate Bill No. 327Introduced by Senator JacksonFebruary 13, 2017 An act to add Title 1.81.26 (commencing with Section 1798.91.01) to Part 4 of Division 3 of the Civil Code, relating to information privacy. LEGISLATIVE COUNSEL'S DIGESTSB 327, as amended, Jackson. Information privacy: connected devices.Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.This bill, commencing on January 1, 2019, bill would require a manufacturer that sells or offers to sell a connected device, device in this state, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is disclosure. The bill would also require any connected device sold or provided in this state to provide notice of whether it is capable of collecting audio, video, or location information, or when it is collecting biometric or health information beyond location, biometric, health, or other personal or sensitive user information if that information is not otherwise indicated by the packaging or by the stated functionality of the connected device and to obtain user consent before it collects or transmits information, as specified. The bill would also require a connected device sold in California to provide notice of whether the connected device is capable of collecting specified types of information and if and how the consumer can obtain information about security patches and feature updates. The bill would require a manufacturer that sells or offers to sell a connected device to a consumer in this state to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device, as specified.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.26. Security of Connected Devices1798.91.01. A manufacturer that sells or offers to sell a connected device in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.1798.91.02. Any connected device sold or provided in this state to a consumer shall provide notice through the use of words or icons on the devices packaging, or on the products, or on the manufacturers Internet Web site, of all of the following:(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which type or types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b) The process by which a connected device collects the information specified in subdivision (a), as well as the frequency of collection and what types of interactions with the device may trigger collection.(c) If and how the consumer can obtain information about security patches and feature updates for the connected device.1798.91.02.1798.91.03. (a) A manufacturer that sells or offers to sell a connected device to a consumer in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b)A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(b) Consent granted in accordance with subdivision (a) shall remain in effect until it is revoked by the consumer.(c) Consent granted in accordance with subdivision (a) may be revoked by the consumer at any time.(c)(d) Nothing in subdivision (b) (a) shall be construed to prohibit a manufacturer from collecting or using deidentified information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network. device, or from providing location information concerning a user under any of the following circumstances:(1) The information is provided a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the users request for emergency services.(2) The information is provided to inform the users legal guardian, members of the users family, or to a person reasonably believed by the manufacturer to be a close personal friend of the user, of the users location in an emergency situation that involves the risk of death or life threatening harm.(3) The information is provided to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.1798.91.03.A connected device sold in California to a consumer shall provide notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of both of the following:(a)Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b)How the consumer can obtain information about security patches and feature updates for the connected device.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) (1) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(2) Connected device shall not include a motor vehicle as defined in Section 415 of the Vehicle Code.(b) Consumer means a person who purchases or obtains a connected device for personal or household use.(c) Deidentified information means information that does not contain any link or connection to the consumer or user of the device. In order for information to be deidentified, the manufacturer or another party must do all of the following:(1) Make a reasonable determination that the information does not contain, or cannot be linked to, a consumers or users identity, taking into account other pertinent information that may be reasonably available to the manufacturer, the public, or an advertiser seeking to associate the deidentified information with a specific consumer or user.(2) Lack actual knowledge that the deidentified information could be used alone or in combination with other information to link the deidentified information to an individual.(3) Ensure that all deidentification procedures occur on the device.(d) Stated functionality means the functionality of the device as understood by a reasonable person based on the manufacturers marketing of the device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion. (c)(d) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d)(e) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.1798.91.06.This title shall become operative on January 1, 2019.
Amended IN Senate May 26, 2017 Amended IN Senate May 17, 2017 Amended IN Senate March 20, 2017 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Senate Bill No. 327Introduced by Senator JacksonFebruary 13, 2017 An act to add Title 1.81.26 (commencing with Section 1798.91.01) to Part 4 of Division 3 of the Civil Code, relating to information privacy. LEGISLATIVE COUNSEL'S DIGESTSB 327, as amended, Jackson. Information privacy: connected devices.Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.This bill, commencing on January 1, 2019, bill would require a manufacturer that sells or offers to sell a connected device, device in this state, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is disclosure. The bill would also require any connected device sold or provided in this state to provide notice of whether it is capable of collecting audio, video, or location information, or when it is collecting biometric or health information beyond location, biometric, health, or other personal or sensitive user information if that information is not otherwise indicated by the packaging or by the stated functionality of the connected device and to obtain user consent before it collects or transmits information, as specified. The bill would also require a connected device sold in California to provide notice of whether the connected device is capable of collecting specified types of information and if and how the consumer can obtain information about security patches and feature updates. The bill would require a manufacturer that sells or offers to sell a connected device to a consumer in this state to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device, as specified.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO
Amended IN Senate May 26, 2017 Amended IN Senate May 17, 2017 Amended IN Senate March 20, 2017
Amended IN Senate May 26, 2017
Amended IN Senate May 17, 2017
Amended IN Senate March 20, 2017
CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION
Senate Bill No. 327
Introduced by Senator JacksonFebruary 13, 2017
Introduced by Senator Jackson
February 13, 2017
An act to add Title 1.81.26 (commencing with Section 1798.91.01) to Part 4 of Division 3 of the Civil Code, relating to information privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
SB 327, as amended, Jackson. Information privacy: connected devices.
Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.This bill, commencing on January 1, 2019, bill would require a manufacturer that sells or offers to sell a connected device, device in this state, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is disclosure. The bill would also require any connected device sold or provided in this state to provide notice of whether it is capable of collecting audio, video, or location information, or when it is collecting biometric or health information beyond location, biometric, health, or other personal or sensitive user information if that information is not otherwise indicated by the packaging or by the stated functionality of the connected device and to obtain user consent before it collects or transmits information, as specified. The bill would also require a connected device sold in California to provide notice of whether the connected device is capable of collecting specified types of information and if and how the consumer can obtain information about security patches and feature updates. The bill would require a manufacturer that sells or offers to sell a connected device to a consumer in this state to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device, as specified.
Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.
This bill, commencing on January 1, 2019, bill would require a manufacturer that sells or offers to sell a connected device, device in this state, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is disclosure. The bill would also require any connected device sold or provided in this state to provide notice of whether it is capable of collecting audio, video, or location information, or when it is collecting biometric or health information beyond location, biometric, health, or other personal or sensitive user information if that information is not otherwise indicated by the packaging or by the stated functionality of the connected device and to obtain user consent before it collects or transmits information, as specified. The bill would also require a connected device sold in California to provide notice of whether the connected device is capable of collecting specified types of information and if and how the consumer can obtain information about security patches and feature updates. The bill would require a manufacturer that sells or offers to sell a connected device to a consumer in this state to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device, as specified.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.26. Security of Connected Devices1798.91.01. A manufacturer that sells or offers to sell a connected device in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.1798.91.02. Any connected device sold or provided in this state to a consumer shall provide notice through the use of words or icons on the devices packaging, or on the products, or on the manufacturers Internet Web site, of all of the following:(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which type or types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b) The process by which a connected device collects the information specified in subdivision (a), as well as the frequency of collection and what types of interactions with the device may trigger collection.(c) If and how the consumer can obtain information about security patches and feature updates for the connected device.1798.91.02.1798.91.03. (a) A manufacturer that sells or offers to sell a connected device to a consumer in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b)A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(b) Consent granted in accordance with subdivision (a) shall remain in effect until it is revoked by the consumer.(c) Consent granted in accordance with subdivision (a) may be revoked by the consumer at any time.(c)(d) Nothing in subdivision (b) (a) shall be construed to prohibit a manufacturer from collecting or using deidentified information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network. device, or from providing location information concerning a user under any of the following circumstances:(1) The information is provided a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the users request for emergency services.(2) The information is provided to inform the users legal guardian, members of the users family, or to a person reasonably believed by the manufacturer to be a close personal friend of the user, of the users location in an emergency situation that involves the risk of death or life threatening harm.(3) The information is provided to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.1798.91.03.A connected device sold in California to a consumer shall provide notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of both of the following:(a)Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b)How the consumer can obtain information about security patches and feature updates for the connected device.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) (1) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(2) Connected device shall not include a motor vehicle as defined in Section 415 of the Vehicle Code.(b) Consumer means a person who purchases or obtains a connected device for personal or household use.(c) Deidentified information means information that does not contain any link or connection to the consumer or user of the device. In order for information to be deidentified, the manufacturer or another party must do all of the following:(1) Make a reasonable determination that the information does not contain, or cannot be linked to, a consumers or users identity, taking into account other pertinent information that may be reasonably available to the manufacturer, the public, or an advertiser seeking to associate the deidentified information with a specific consumer or user.(2) Lack actual knowledge that the deidentified information could be used alone or in combination with other information to link the deidentified information to an individual.(3) Ensure that all deidentification procedures occur on the device.(d) Stated functionality means the functionality of the device as understood by a reasonable person based on the manufacturers marketing of the device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion. (c)(d) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d)(e) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.1798.91.06.This title shall become operative on January 1, 2019.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.26. Security of Connected Devices1798.91.01. A manufacturer that sells or offers to sell a connected device in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.1798.91.02. Any connected device sold or provided in this state to a consumer shall provide notice through the use of words or icons on the devices packaging, or on the products, or on the manufacturers Internet Web site, of all of the following:(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which type or types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b) The process by which a connected device collects the information specified in subdivision (a), as well as the frequency of collection and what types of interactions with the device may trigger collection.(c) If and how the consumer can obtain information about security patches and feature updates for the connected device.1798.91.02.1798.91.03. (a) A manufacturer that sells or offers to sell a connected device to a consumer in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b)A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(b) Consent granted in accordance with subdivision (a) shall remain in effect until it is revoked by the consumer.(c) Consent granted in accordance with subdivision (a) may be revoked by the consumer at any time.(c)(d) Nothing in subdivision (b) (a) shall be construed to prohibit a manufacturer from collecting or using deidentified information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network. device, or from providing location information concerning a user under any of the following circumstances:(1) The information is provided a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the users request for emergency services.(2) The information is provided to inform the users legal guardian, members of the users family, or to a person reasonably believed by the manufacturer to be a close personal friend of the user, of the users location in an emergency situation that involves the risk of death or life threatening harm.(3) The information is provided to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.1798.91.03.A connected device sold in California to a consumer shall provide notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of both of the following:(a)Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b)How the consumer can obtain information about security patches and feature updates for the connected device.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) (1) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(2) Connected device shall not include a motor vehicle as defined in Section 415 of the Vehicle Code.(b) Consumer means a person who purchases or obtains a connected device for personal or household use.(c) Deidentified information means information that does not contain any link or connection to the consumer or user of the device. In order for information to be deidentified, the manufacturer or another party must do all of the following:(1) Make a reasonable determination that the information does not contain, or cannot be linked to, a consumers or users identity, taking into account other pertinent information that may be reasonably available to the manufacturer, the public, or an advertiser seeking to associate the deidentified information with a specific consumer or user.(2) Lack actual knowledge that the deidentified information could be used alone or in combination with other information to link the deidentified information to an individual.(3) Ensure that all deidentification procedures occur on the device.(d) Stated functionality means the functionality of the device as understood by a reasonable person based on the manufacturers marketing of the device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion. (c)(d) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d)(e) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.1798.91.06.This title shall become operative on January 1, 2019.
SECTION 1. Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:
### SECTION 1.
TITLE 1.81.26. Security of Connected Devices1798.91.01. A manufacturer that sells or offers to sell a connected device in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.1798.91.02. Any connected device sold or provided in this state to a consumer shall provide notice through the use of words or icons on the devices packaging, or on the products, or on the manufacturers Internet Web site, of all of the following:(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which type or types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b) The process by which a connected device collects the information specified in subdivision (a), as well as the frequency of collection and what types of interactions with the device may trigger collection.(c) If and how the consumer can obtain information about security patches and feature updates for the connected device.1798.91.02.1798.91.03. (a) A manufacturer that sells or offers to sell a connected device to a consumer in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b)A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(b) Consent granted in accordance with subdivision (a) shall remain in effect until it is revoked by the consumer.(c) Consent granted in accordance with subdivision (a) may be revoked by the consumer at any time.(c)(d) Nothing in subdivision (b) (a) shall be construed to prohibit a manufacturer from collecting or using deidentified information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network. device, or from providing location information concerning a user under any of the following circumstances:(1) The information is provided a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the users request for emergency services.(2) The information is provided to inform the users legal guardian, members of the users family, or to a person reasonably believed by the manufacturer to be a close personal friend of the user, of the users location in an emergency situation that involves the risk of death or life threatening harm.(3) The information is provided to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.1798.91.03.A connected device sold in California to a consumer shall provide notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of both of the following:(a)Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b)How the consumer can obtain information about security patches and feature updates for the connected device.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) (1) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(2) Connected device shall not include a motor vehicle as defined in Section 415 of the Vehicle Code.(b) Consumer means a person who purchases or obtains a connected device for personal or household use.(c) Deidentified information means information that does not contain any link or connection to the consumer or user of the device. In order for information to be deidentified, the manufacturer or another party must do all of the following:(1) Make a reasonable determination that the information does not contain, or cannot be linked to, a consumers or users identity, taking into account other pertinent information that may be reasonably available to the manufacturer, the public, or an advertiser seeking to associate the deidentified information with a specific consumer or user.(2) Lack actual knowledge that the deidentified information could be used alone or in combination with other information to link the deidentified information to an individual.(3) Ensure that all deidentification procedures occur on the device.(d) Stated functionality means the functionality of the device as understood by a reasonable person based on the manufacturers marketing of the device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion. (c)(d) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d)(e) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.1798.91.06.This title shall become operative on January 1, 2019.
TITLE 1.81.26. Security of Connected Devices1798.91.01. A manufacturer that sells or offers to sell a connected device in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.1798.91.02. Any connected device sold or provided in this state to a consumer shall provide notice through the use of words or icons on the devices packaging, or on the products, or on the manufacturers Internet Web site, of all of the following:(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which type or types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b) The process by which a connected device collects the information specified in subdivision (a), as well as the frequency of collection and what types of interactions with the device may trigger collection.(c) If and how the consumer can obtain information about security patches and feature updates for the connected device.1798.91.02.1798.91.03. (a) A manufacturer that sells or offers to sell a connected device to a consumer in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b)A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(b) Consent granted in accordance with subdivision (a) shall remain in effect until it is revoked by the consumer.(c) Consent granted in accordance with subdivision (a) may be revoked by the consumer at any time.(c)(d) Nothing in subdivision (b) (a) shall be construed to prohibit a manufacturer from collecting or using deidentified information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network. device, or from providing location information concerning a user under any of the following circumstances:(1) The information is provided a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the users request for emergency services.(2) The information is provided to inform the users legal guardian, members of the users family, or to a person reasonably believed by the manufacturer to be a close personal friend of the user, of the users location in an emergency situation that involves the risk of death or life threatening harm.(3) The information is provided to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.1798.91.03.A connected device sold in California to a consumer shall provide notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of both of the following:(a)Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b)How the consumer can obtain information about security patches and feature updates for the connected device.1798.91.04. For purposes of this title, the following terms have the following meanings:(a) (1) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(2) Connected device shall not include a motor vehicle as defined in Section 415 of the Vehicle Code.(b) Consumer means a person who purchases or obtains a connected device for personal or household use.(c) Deidentified information means information that does not contain any link or connection to the consumer or user of the device. In order for information to be deidentified, the manufacturer or another party must do all of the following:(1) Make a reasonable determination that the information does not contain, or cannot be linked to, a consumers or users identity, taking into account other pertinent information that may be reasonably available to the manufacturer, the public, or an advertiser seeking to associate the deidentified information with a specific consumer or user.(2) Lack actual knowledge that the deidentified information could be used alone or in combination with other information to link the deidentified information to an individual.(3) Ensure that all deidentification procedures occur on the device.(d) Stated functionality means the functionality of the device as understood by a reasonable person based on the manufacturers marketing of the device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion. (c)(d) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d)(e) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.1798.91.06.This title shall become operative on January 1, 2019.
TITLE 1.81.26. Security of Connected Devices
TITLE 1.81.26. Security of Connected Devices
1798.91.01. A manufacturer that sells or offers to sell a connected device in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
1798.91.01. A manufacturer that sells or offers to sell a connected device in California shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
1798.91.02. Any connected device sold or provided in this state to a consumer shall provide notice through the use of words or icons on the devices packaging, or on the products, or on the manufacturers Internet Web site, of all of the following:(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which type or types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.(b) The process by which a connected device collects the information specified in subdivision (a), as well as the frequency of collection and what types of interactions with the device may trigger collection.(c) If and how the consumer can obtain information about security patches and feature updates for the connected device.
1798.91.02. Any connected device sold or provided in this state to a consumer shall provide notice through the use of words or icons on the devices packaging, or on the products, or on the manufacturers Internet Web site, of all of the following:
(a) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which type or types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.
(b) The process by which a connected device collects the information specified in subdivision (a), as well as the frequency of collection and what types of interactions with the device may trigger collection.
(c) If and how the consumer can obtain information about security patches and feature updates for the connected device.
1798.91.02.1798.91.03. (a) A manufacturer that sells or offers to sell a connected device to a consumer in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.(b)A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.(b) Consent granted in accordance with subdivision (a) shall remain in effect until it is revoked by the consumer.(c) Consent granted in accordance with subdivision (a) may be revoked by the consumer at any time.(c)(d) Nothing in subdivision (b) (a) shall be construed to prohibit a manufacturer from collecting or using deidentified information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network. device, or from providing location information concerning a user under any of the following circumstances:(1) The information is provided a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the users request for emergency services.(2) The information is provided to inform the users legal guardian, members of the users family, or to a person reasonably believed by the manufacturer to be a close personal friend of the user, of the users location in an emergency situation that involves the risk of death or life threatening harm.(3) The information is provided to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.
1798.91.02.1798.91.03. (a) A manufacturer that sells or offers to sell a connected device to a consumer in California shall design the device to indicate through visual, auditory, or other means when it is collecting audio, video, or location information, or when it is collecting biometric or health information beyond the stated functionality of the connected device.
(b)A manufacturer that sells or offers to sell a connected device in California shall design the device to obtain user consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.
(b) Consent granted in accordance with subdivision (a) shall remain in effect until it is revoked by the consumer.
(c) Consent granted in accordance with subdivision (a) may be revoked by the consumer at any time.
(c)
(d) Nothing in subdivision (b) (a) shall be construed to prohibit a manufacturer from collecting or using deidentified information collected from a connected device for purposes of maintaining, developing, supporting, improving, or diagnosing the device or for protecting the safety of a user or the security of a connected device or network. device, or from providing location information concerning a user under any of the following circumstances:
(1) The information is provided a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the users request for emergency services.
(2) The information is provided to inform the users legal guardian, members of the users family, or to a person reasonably believed by the manufacturer to be a close personal friend of the user, of the users location in an emergency situation that involves the risk of death or life threatening harm.
(3) The information is provided to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.
A connected device sold in California to a consumer shall provide notice through the use of words or icons on the devices packaging, or if the device is being sold online, on the products Internet Web site, of both of the following:
(a)Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information, including specifying which types of information the device may collect, if that information is not otherwise indicated by packaging or by the stated functionality of the device.
(b)How the consumer can obtain information about security patches and feature updates for the connected device.
1798.91.04. For purposes of this title, the following terms have the following meanings:(a) (1) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.(2) Connected device shall not include a motor vehicle as defined in Section 415 of the Vehicle Code.(b) Consumer means a person who purchases or obtains a connected device for personal or household use.(c) Deidentified information means information that does not contain any link or connection to the consumer or user of the device. In order for information to be deidentified, the manufacturer or another party must do all of the following:(1) Make a reasonable determination that the information does not contain, or cannot be linked to, a consumers or users identity, taking into account other pertinent information that may be reasonably available to the manufacturer, the public, or an advertiser seeking to associate the deidentified information with a specific consumer or user.(2) Lack actual knowledge that the deidentified information could be used alone or in combination with other information to link the deidentified information to an individual.(3) Ensure that all deidentification procedures occur on the device.(d) Stated functionality means the functionality of the device as understood by a reasonable person based on the manufacturers marketing of the device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.
1798.91.04. For purposes of this title, the following terms have the following meanings:
(a) (1) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. On and after January 1, 2021, the term connected device shall include a medical device that meets the definition of a device in subsection (h) of Section 321 of Title 21 of the United States Code.
(2) Connected device shall not include a motor vehicle as defined in Section 415 of the Vehicle Code.
(b) Consumer means a person who purchases or obtains a connected device for personal or household use.
(c) Deidentified information means information that does not contain any link or connection to the consumer or user of the device. In order for information to be deidentified, the manufacturer or another party must do all of the following:
(1) Make a reasonable determination that the information does not contain, or cannot be linked to, a consumers or users identity, taking into account other pertinent information that may be reasonably available to the manufacturer, the public, or an advertiser seeking to associate the deidentified information with a specific consumer or user.
(2) Lack actual knowledge that the deidentified information could be used alone or in combination with other information to link the deidentified information to an individual.
(3) Ensure that all deidentification procedures occur on the device.
(d) Stated functionality means the functionality of the device as understood by a reasonable person based on the manufacturers marketing of the device.
(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.
1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion. (c)(d) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(d)(e) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.
1798.91.05. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.
(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.
(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion.
(c)
(d) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.
(d)
(e) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.
(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.
This title shall become operative on January 1, 2019.