California Lawmakers Clear Bills on IoT Security, Tougher Parental Consent Rules for Social Media
Electronics manufacturers would have to include “reasonable” security measures on internet-connected devices under a California bill advanced by the Assembly Privacy Committee. At Tuesday's hearing, members also OK’d a bill to penalize social media companies that don’t adequately prevent sale to minors of guns and other age-restricted items. Manufacturers opposed the security bill, while internet companies resisted the parental-consent bill.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The committee voted 8-2 for requiring security in IoT and other connected devices. Self-regulation isn’t enough; AB-1906 seeks a “minimum level of security” and could be a model for other states, said sponsor Assembly Member Jacqui Irwin (D). “With little to no security, hackers have found a goldmine in IoT devices, which they infect and then string together into botnets to do their bidding.” Supporting the bill, Chairman Ed Chau (D) said many manufacturers have appropriate security measures, but the bill sets a “baseline” needed with the IoT explosion.
Republican committee members warned about possible legal consequences. Catharine Baker supported AB-1906 but raised concerns about lengthy and expensive litigation. The legislation should define reasonable and not “leave it up to rooms full of lawyers to argue about what’s reasonable and what’s not reasonable,” said Jay Obernolte. Vice Chair Kevin Kiley said consumers already can sue for unreasonable conduct and he favors industry standards. Kiley and Obernolte voted no.
Responding to industry concerns, Irwin agreed to an amendment to delay the effective date one year to Jan. 1, 2020. With that change, officials from several business groups said they would no longer oppose, including the California Chamber of Commerce, CompTIA and TechNet.
Still opposed are the Association of Home Appliance Manufacturers and the California Manufacturers and Technology Association, said AHAM and CMTA lobbyists. Laws can’t keep up with technology, so it’s better to make industry standards, said AHAM Senior Vice President-Policy Kevin Messner. Requiring reasonable security by law is “a lawyer’s dream” that opens manufacturers up to litigation, he said. Manufacturers “are not the bad actors here,” said CMTA Policy Director-Government Relations Jarrell Cook. CMTA is opposed unless the bill is amended to give a “more precise definition” of manufacturer and grant “an affirmative defense” to manufacturers that show they researched security and implemented features based on that research, he said. An Electronic Frontier Foundation official also opposed AB-1906, but medical device manufacturers supported the measure.
The committee voted 8-1 -- with Kiley abstaining -- to tighten parental-consent restrictions on social networks. AB-2511 would ban social media websites from selling a minor's information without actual consent, requiring that consent to be separate from the website's general terms and conditions. It bans consent from being obtained through the minor, and from denying the minor access to the website if they don't get the separate parental consent for sale of their information. Online retailers would have to take "reasonable steps" to verify age of purchaser for products illegal to sell to a minor. Violators would be subject to a civil penalty of up to $7,500 per violation.
"Many online retailers fine-print, boilerplate terms and conditions make no effort whatsoever comparable to their brick-and-mortar competitors to obtain age verification or parental consent to prevent children from purchasing illegal firearms,” said Chau. The bill doesn’t prescribe how to get consent, he said.
Committee members questioned the bill’s wording and difficulty of implementation, particularly age verification. Several members conditioned support on Chau spending more time on “workability” before it gets to the floor; Chau said he will. Baker, again raising concerns that reasonableness requirements raise specter of costly litigation, asked if Chau would consider adding a safe harbor or affirmative defense for companies. Chau said he’s open to negotiate safe harbors. Baker worries the bill is “very broad” and could apply to nearly every website.
The Internet Association, Instacart and various business groups are opposed. California law already requires parental consent, said IA Director-Government Affairs Kevin McKinley. The bill is too broad and may unconstitutionally stop minors from sharing any information on social media, he said. Kids' advocacy groups supported the bill. Current law is insufficient to stop companies from selling age-restricted items to children, said Ed Howard, senior counsel of Children's Advocacy Institute at the University of San Diego.
No member seconded a motion to vote on requiring websites to disclose if they use bots to gather users’ personal information. AB-1950 is a transparency bill that doesn’t condemn bots or require changes to website operator practices, said author Marc Levine (D). But GOP members said its definition of bots is too broad and disclosure may imply bots are always bad. Chau generally dislikes lengthening privacy policies but wanted conversation to continue because bots are generating much attention. CompTIA, IA and TechNet are opposed. The bill would clutter privacy policies; specifying how websites collect data isn’t meaningful to consumers, said California Chamber of Commerce Policy Advocate Sarah Boot.