Internet of Things legislation in California is dead for this year, but it will be back

The sponsor of “Internet of Things” privacy legislation in the California Senate has tabled the bill for the remainder of 2017, but remains committed to reactivating it in the second half of the 2017–2018 session. SB 327, introduced in March 2017, was prompted by a children’s internet advocacy group that was upset over toys, like the now-notorious Cayla doll, that have the ability to monitor the children with whom the toys interact and record their words and voice patterns, and potentially even the ability to transmit data from the children back to the Internet for marketing or other purposes. The sponsor of the bill referred to it as the “teddy bears and toasters” law.

The bill as originally introduced applied to any device capable of connecting to the Internet, and would have required point-of-sale disclosure as to a device’s capability to collect audio, video, location, biometric, health or “other personal or sensitive user information.” It also required disclosure as to how a consumer can obtain the privacy policy related to the use of such data, and required that security measures be in place for any such data, including notifications to consumers as to how to obtain updates and patches for such security measures. It also required that such a device be designed to communicate by “visual, auditory or other indicators” the fact that it is collecting data, and obtain user consent at the time of collection, unless such data collection was an implicit part of the device performing its “stated function.” Later, the bill was amended to limit its scope by specifying that it would only apply to household devices; that it only applied to video, voice or biometric/health information; that it did not apply to the auto industry; and that it did not limit law enforcement’s use of such data.

The hearings held on the bill in the Senate Judiciary Committee in May 2017 were marked by broad support for the idea of giving consumers control over data collection from their household devices, especially with regard to children’s toys, but also great unease that the topic of data collection by connected devices was so large, and so ill defined, that rushing through a bill after one hearing, with minimal input from industry, was bound to result in negative unintended consequences. The bill squeaked out of committee on what is known as a “courtesy vote,” which kept the bill alive so that more hearings could be conducted and additional refinements made. As a result, there is every likelihood that the bill will be taken up again in 2018.

The debate over SB 327 provides a taste of the questions that will confront legislators at the state or federal level as they grapple with the issue of how to regulate privacy in the “Internet of Things.” Should regulation apply only to consumers or to all of a product’s users? Who is the consumer of such a product anyway? Is point-of-sale notice of data collection capabilities useful? How can notice of data use be updated if the sort of data collected, or the purpose for which it is collected, changes after the device is in operation? How realistic is it to expect a device to constantly disclose to its user (or those in the vicinity) what data is being collected and for what purpose? Won’t that result in a flood of meaningless over-disclosure? Is it realistic to expect users to constantly manifest their consent or lack of consent? If consent is deemed given for a device to collect the sort of data essential to its intended function, are there ambiguities inherent in the concept as well? What if different users perceive its essential function differently? And who is the owner of such data, for the purpose of applying existing data security and data breach laws? In addition, privacy concerns regarding the Internet of Things tend to be much broader in scope than existing data security and breach statutes, which are focused more on identity theft and medical data than the risks of lifestyle and consumer preference tracking.

One senator—who actually voted in favor of the bill—stated that his tax reform committee has conducted over thirty hearings with respect to the issues before it, and the interrelationship of privacy and the Internet of Things might turn out to be just as complicated.