Two new laws in California will create rules for IoT device makers and businesses holding consumer information. Here’s what that means for the rest of us when they go into effect in 2020.

In the absence of federal rules, the California state legislature recently passed laws intended to protect consumer privacy and secure the Internet of Things (IoT), with new rules coming for both businesses collecting customer information online and IoT device makers.

For many businesses, the impact of the laws will be limited: The IoT security law will not define how IoT vendors should secure their devices, and the privacy law echoes some of the broad rules in the European Union’s General Data Protection Regulation (GDPR). Still, the new laws, when they go into effect in 2020, will impose new rules for IoT manufacturers and businesses collecting consumer data.

The California Consumer Privacy Act (CCPA) and the Security of Connected Devices Act, both passed by the legislature and signed by Gov. Jerry Brown earlier this year, put California at the forefront of consumer privacy and IoT security regulation.

The California action comes after Congress failed to pass legislation to address either IoT security or consumer privacy. For several years, privacy advocates and some lawmakers have unsuccessfully pushed for comprehensive consumer privacy laws. In the past year and a half, after several IoT security failures, lawmakers introduced a handful of IoT security bills, including the Internet of Things Cybersecurity Improvement Act, but none passed.

It appears, however, that Congress will resume work on both IoT security and consumer privacy in 2019. Members of a subcommittee of the Senate Commerce, Science, and Transportation Committee recently talked about releasing a draft of a consumer privacy bill early next year.

New laws might inspire U.S. national standard

The California laws, if they go into effect before other states pass stronger laws, would in effect become the U.S. national standard because many IoT and e-commerce businesses have customers in the state.

“The new California law will probably force the tech industry and other large businesses to institute stricter privacy rules for all consumers, including those outside California, as it does not make sense on a cost basis for companies to have to comply with a patchwork of different applicable laws among different states,” says Morvareed Salehpour, a California tech-focused lawyer.

Action on legislation in California also tends to inspire other states to pass their own laws.

California tends to be a “thought leader” in consumer and tech-related laws, says Lee Tien, a senior staff attorney at the Electronic Frontier Foundation. While other states don’t often copy California’s wording, they may look to pass their own IoT security and consumer privacy laws in coming years.

Both bills have their critics, with detractors saying that the IoT bill lacks specific rules and that the CCPA is either too strong or too weak, depending on who you ask.

The short IoT bill requires IoT manufacturers to equip devices with “reasonable” security measures, appropriate to the function of the devices and to the information they collect or transmit.

The CCPA, similar in some ways to GDPR, gives consumers the right to know what personal information of theirs a business holds, what it is being used for, and whether it is being shared or sold. The law also gives consumers the right to opt out of a business sharing or selling their personal information and the right to ask the business to delete their information in many cases.


Impact of the Security of Connected Devices Act

The IoT security law requires “reasonable” security for connected devices, but it largely doesn’t define what that looks like. The law covers manufacturers of IoT technology but not customers like large businesses deploying IoT networks.

The law does allow that the deployment of authentication technologies—those that verify the authority of a user, process, or device to access resources on an information system—constitutes reasonable security but offers few other suggestions.

The lack of specifics has prompted many critics to question whether the law will be useful.

The law, “in itself, will not dramatically improve security of devices or safety for consumers,” says Rusty Carter, vice president of product management at Arxan, a cybersecurity vendor. But the law could put a spotlight on IoT security problems and expose companies to lost revenue due to “failure in the court of public opinion,” he adds.

In addition to the largely undefined “reasonable” security practices, the bill doesn’t create a new ability for IoT users or consumers to sue manufacturers, notes Marcus Harjani, a legal officer at the Foundry Law Group, a tech-focused law firm in Seattle. “While a step in the direction of protecting user information, the bill offers a light-touch obligation on manufacturers of connected devices.”

The law, however, could force IoT manufacturers to scrap the use of widely used default passwords, says Pravin Kothari, CEO of CipherCloud. Attackers can easily scan the Internet for devices accessible through open and exposed ports, then take control of them through those default passwords, he notes.

About three-quarters of all IoT compromises are related to default passwords, and about 10 percent of all connected devices use easy-to-guess passwords like “admin,” “root,” or “12345,” Kothari adds.

“This legislation helps stop the billions of dollars of theft, damage, wasted effort, and more caused by default passwords,” says Kothari. The law is “a very positive step forward.”

Impact of the California Consumer Privacy Act

While CCPA has some similarities to GDPR, the two laws have several differences. GDPR has a broader set of regulations, with rules on the collection of consumer data as well as its use, while the California law is more focused on how businesses use consumer data after it’s collected.

The California law will require most businesses to tell consumers what they’re doing with their data and allow consumers to opt out of data-sharing agreements a business has with other organizations. The California law is more about “disclosure and transparency” than about collection and use of data, the EFF’s Tien says.

Violations of the California law can result in fines of up to $7,500 per incident. Consumers can also sue companies for up to $750 per incident when their unencrypted data is stolen from the company or disclosed due to lax security practices. Even though the penalties aren’t huge, some privacy experts expect the state to bring early enforcement actions against a handful of companies to show it means business.

The California law exempts businesses with revenues of less than $25 million or with fewer than 50,000 customer or device collection points.

“Very small businesses can breathe a sigh of relief, but the universe of businesses that are covered in the scope of CCPA is still extremely large,” says John Kronick, director of security services at cybersecurity vendor PCM.

The good news: Businesses now complying with GDPR since it went into effect in May should be most of the way there with the California law.

Compliance with GDPR may put a company “in a better position” to comply with CCPA, Tien says. “If a company thought it was in substantial compliance with the GDPR, it seems likely to me they are a lot closer to complying with the California law.”

There may be some businesses, however, that will be subject to CCPA but haven’t had to comply with GDPR. A U.S. business that has no real presence in Europe but has customers in California would fall under that scenario. A U.S. company with no customers in California—a local grocery store in Vermont, for example—would not need to comply with the CCPA. To put a fine point on it, the trigger is collection of a California resident's data.

One potential issue: The California law isn’t written in stone yet. The state legislature may attempt to strengthen—or weaken—it during its 2019 session, and the law, as it stands today, gives the state attorney general the authority to write several privacy rules.

PCM’s Kronick sees significant overlap in GDPR and CCPA compliance. For example, if a company has reviewed its procedures for responding to consumer requests for access to their personal information as part of GDPR, a similar process should work for the California law, he says. Employee security awareness training in response to GDPR should also translate to CCPA, he adds.

“Both laws follow the principle that consumers or data subjects have a right to know what personal data a business is processing about them before that data is collected and processed,” he adds. “Both laws require specific disclosures concerning the sharing or sale of personal information with third parties.”

IoT and privacy regulation: Lessons for leaders

California passed new IoT security and consumer privacy laws in 2018, with the laws going into effect in 2020.

Both bills offer limited regulation, but IoT device makers and businesses handling consumer data will be subject to the new rules.

The consumer privacy law will require most businesses to let consumers know what personal data they hold and delete information upon a customer’s request.
