SACRAMENTO — A senate proposal pushed by state Sen. Hannah-Beth Jackson (D-Santa Barbara) has been declared inactive by the bill sponsor after a major outpouring of opposition to the legislation ultimately threatened the bill’s passage.
The controversial proposal, Senate Bill 327, is Jackson’s attempt at mandating duplicative data security and consumer notification mandates on retailers and manufacturers of devices connected to the internet. SB 327 has been criticized as a bill that could, essentially, confuse the consumers across the California while simultaneously burdening industry.
“This bill places unworkable, unnecessary and ineffective mandates on devices that connect to the internet,” an opposition leader from a coalition of trade groups led by the California Chamber of Commerce said. “SB 327 would require manufacturers of connected devices to reengineer virtually every device sold in California. The bill requires all personal internet-connected devices to provide users with a visual, auditory or other warning when it is collecting information, and the bill requires consumer consent for the collection of information. Today, many devices are not designed with this functionality because the collection of information is inherent to these devices. Ongoing notifications would be annoying at best and may interfere with the operation of the device.”
In addition to the state’s chamber of commerce, over 20 other organizations voiced concern, including the Advance Medical Technology Association, the Alliance of Automobile Manufacturers, Association for Unmanned Vehicle Systems, the International Association of Home Appliance Manufacturers and the Association of National Advertisers.
Other organizations include the California Automotive Business Coalition, the California Cable and Telecommunications Association, the California Manufacturers and Technology Association, the California Retailers Association, the Civil Justice Association of California, the Computing Technology Industry Association, the Consumer Technology Association, the CTIA – The Wireless Association, the Data and Marketing Association and the Entertainment Software Association.
The Internet Coalition, the Internet Association, the National Electrical Manufacturers Association, the Retail Industry Leaders Association, the Security Industry Association, the Self-Driving Coalition for Safer Streets, the State Privacy and Security Coalition, TechNet and the Toy Association are also signers of the opposition letter.
If the bill was still in contention for passage, SB 327 would have authorized several mandates on industries that sell and manufacture consumer technology goods. Simply put, if a company wanted to gather data or information from its products required for internet connection under Jackson’s bill, the company would have to send visual, auditory or other types of notifications to the consumer using the product that such things are taking place.
The bill would require manufacturers to have sufficient data security, must gather the consent of the users to obtain their data and make sure that data collected are used to better user experience on these devices.
Under current state statute, manufacturers of internet-enabled products are required to implement privacy protections. The measures in questions must be “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification or disclosure."
Thomas Struble, the tech policy manager for the D.C.–based R Street Institute, told the Northern California Record that despite any potential shortcomings, the bill has some merit due to the apparent connection of privacy and data security standards the Federal Trade Commission (FTC) currently has in place.
“Altogether, it seems pretty good and likely wouldn't impose an undue burden on device makers, because it seems to largely track the FTC's privacy and data security standards, which are also currently at stake in the U.S. District Court for the Northern District of California, funnily enough,” Struble said. “In that case, the FTC is arguing that D-Link violated Section 5 of the FTC Act, which prohibits 'unfair or deceptive acts or practices,' by failing to provide 'reasonable' data security in some of its devices and by misrepresenting the quality of its data security. If the FTC prevails in that case — the FTC's complaint was filed on January 5, but no schedule for briefing or oral argument has yet been set — then California's SB327 would likely have little effect because it would basically mirror the FTC standards that device makers in California are already governed by.”
Advocates of the legislation have voiced their support on the grounds that it would help promote privacy and that “smart toys” and other products can put a consumer’s basic security at risk. Opponents still believe that the legislation is unnecessary and places too much burden on businesses.
“These products get rushed out to the market without the privacy issues being addressed in advance, and then consumers end up paying the price," James Steyer, the CEO Common Sense Kids Action, said in a statement to the Los Angeles Times. Steyer and his organization are part masterminds of SB 327.
The Northern California Record contacted the Civil Justice Association of California and the California Business Round Table for comment, but no responses were given by time of publication.
The only recorded vote on record was the passage of the bill through the Senate Judiciary Committee, 5 to 2, on May 9. At the moment, the bill is at a standstill.