In September 2018, the California Legislature enacted Senate Bill 327,1 requiring that a “manufacturer” of a “connected device” that sells that device in California, regardless of the place where the device was actually produced, must implement “reasonable security features” in that device. The law came into effect on January 1, 2020.
The law’s definition of “manufacturer” is quite broad, including companies that contract with another person to manufacture devices on their behalf.2 The term “connected device” is defined very broadly, as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”3 Accordingly, the statute does not appear to be limited to consumer devices and appears to include devices that are used for business-to-business purposes.
The statute requires a manufacturer of a connected device to implement “a reasonable security feature or features” that are “(1) [a]ppropriate to the nature and function of the device[,] (2) [a]ppropriate to the information it may collect, contain, or transmit[, and] (3) [d]esigned to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”4
The statute provides that a security feature consisting of a password or other means of authentication shall be deemed reasonable if (in addition to meeting the above three criteria) either: “(1) [t]he preprogrammed password is unique to each device manufactured[; or] (2) [t]he device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”5 The law does provide an exception where the functionality of a connected device is subject to security requirements under federal law, federal regulations, or guidance from a federal agency pursuant to its regulatory enforcement authority.6
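As an added illustration (not part of the article, and not a legal determination), the two "deemed reasonable" prongs for password-based features quoted above can be checked mechanically across a fleet's provisioning records before shipment: every preprogrammed password must be unique within the fleet, or the device must force the user to set a new credential before first access. The record format and sample fleet below are constructed for the example; the three general criteria in subdivision (a) still require human review.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DeviceRecord:
    """One row of a (hypothetical) factory provisioning export."""
    serial: str
    preprogrammed_password: Optional[str]  # None if no factory credential is burned in
    forces_new_credential_on_first_access: bool


def audit_fleet(records: List[DeviceRecord]) -> Dict[str, str]:
    """Return {serial: reason} for every device that satisfies neither prong.

    Prong (1): the preprogrammed password is unique to each device manufactured.
    Prong (2): the device requires a new means of authentication before first access.
    """
    # Uniqueness is a fleet-wide property: a password is only "unique to each
    # device" if no other device in the export shares it.
    counts = Counter(r.preprogrammed_password for r in records
                     if r.preprogrammed_password is not None)
    failures: Dict[str, str] = {}
    for r in records:
        pw = r.preprogrammed_password
        unique_pw = pw is not None and counts[pw] == 1
        if unique_pw or r.forces_new_credential_on_first_access:
            continue
        if pw is None:
            failures[r.serial] = ("no factory credential and no forced credential "
                                  "setup on first access")
        else:
            failures[r.serial] = (f"default password shared by {counts[pw]} devices "
                                  "and no forced credential setup on first access")
    return failures


# Constructed sample export: two devices share a default, one has a per-device
# secret, one shares a default but forces a change, one has neither safeguard.
SAMPLE_FLEET = [
    DeviceRecord("SN-0001", "admin", False),
    DeviceRecord("SN-0002", "admin", False),
    DeviceRecord("SN-0003", "x7Qp-29Lm", False),
    DeviceRecord("SN-0004", "admin", True),
    DeviceRecord("SN-0005", None, False),
]

if __name__ == "__main__":
    for serial, reason in audit_fleet(SAMPLE_FLEET).items():
        print(f"{serial}: {reason}")
```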
More recently, the State of Oregon adopted House Bill 2395,7 which was inspired by California’s law. The Oregon law specifies requirements for “reasonable security features” that are similar to the requirements in the California law.8 Also, like California’s law, the law in Oregon provides that a reasonable security feature may consist of “[c]ompliance with requirements of federal law or federal regulations that apply to security measures for connected devices.”9
Oregon’s law, however, differs from California’s law in certain notable respects. Under Oregon’s law, a “connected device” is restricted to a device that “is used primarily for personal, family or household purposes,”10 thereby excluding from its scope devices used or sold for business-to-business purposes. In addition, Oregon’s law applies to a narrower range of entities. In Oregon, a “manufacturer” is defined as “a person that makes a connected device and sells or offers to sell the connected device in this state.”11 In comparison, California’s law defines manufacturers to include any entity that “contracts with another person to manufacture”12 the connected device on the person’s behalf.
The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020.13 Although the California Attorney General’s enforcement authority began only on July 1, 2020, a number of private plaintiffs had already initiated lawsuits alleging violations of the CCPA before that date.
As a reminder, the CCPA provides that California residents may initiate an action against an organization for a “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”14 This does not mean, however, that the CCPA imposes on organizations a general duty of security that can be enforced by a private cause of action, as the CCPA limits the private cause of action to cases where a security breach of personal information has occurred, as defined in California’s data breach notification law.15 In particular, the CCPA provides that a California resident can seek damages of between $100 and $750 per consumer per incident or actual damages (whichever is greater), as well as injunctive or declaratory relief and any other relief the court deems proper.16
Some of the recently filed cases are based on alleged data breaches, such as Barnes v. Hanna Andersson, LLC,17 Fuentes v. Sunshine Behavioral Health Grp., LLC,18 Rahman v. Marriott International, Inc.,19 and Lopez v. Tandem Diabetes Care, Inc.20 In those cases, the plaintiffs generally claim that the defendants failed to implement and maintain adequate security measures, resulting in the “unauthorized access and exfiltration, theft, or disclosure”21 of the plaintiffs’ personal information.22 However, in other cases, such as Sweeney v. Life on Air, Inc.,23 Sheth v. Ring LLC,24 Kirpekar v. Zoom Video Communications, Inc.,25 Cullen v. Zoom Video Communications, Inc.,26 and Henry v. Zoom Video Communications, Inc.,27 the plaintiffs allege that the defendants failed to comply with the CCPA’s notice and opt-out provisions.28 Finally, in other cases, such as Burke v. Clearwater AI, Inc.29 and Almeida v. Slickwraps Inc.,30 the plaintiffs allege that violations of the CCPA constitute unlawful business practices under California’s Unfair Competition Law.31
Given how recent these cases are, their outcome and impact are still unknown. Nevertheless, these cases do illustrate the importance of CCPA compliance, even for companies based outside of California, and that plaintiffs will increasingly invoke the CCPA against companies that do not overhaul their data practices.