California IoT Security Law: SB-327 and Connected Device Requirements
California's SB-327, signed in 2018 and codified at California Civil Code §§ 1798.91.04–1798.91.06, was the first state-level IoT security law in the United States; it became operative on January 1, 2020. The law imposes baseline security requirements on manufacturers of connected devices sold or offered for sale in California, regardless of where those manufacturers are headquartered. This page covers the law's definitions, operative requirements, enforcement structure, and the decision boundaries that determine whether a device or entity falls within its scope, context that sits within the broader California cybersecurity regulatory landscape.
Definition and scope
SB-327 defines a "connected device" as any device, or other physical object, that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol (IP) address or Bluetooth address (California Civil Code § 1798.91.05(b)). This definition is intentionally broad: it captures routers, smart thermostats, home security cameras, wearables, smart speakers, networked industrial sensors, and connected medical devices sold into the California market (though many medical devices fall under the federal-regulation carve-out in § 1798.91.06).
The obligation falls on the manufacturer, which § 1798.91.05(c) defines as the person who manufactures, or contracts with another person to manufacture on its behalf, connected devices sold or offered for sale in California. A contract only to purchase a device, or only to purchase and brand it, does not make the purchaser the manufacturer, so the duty sits with the brand owner that designs and commissions the product rather than with its contract factory. The statute imposes no duty on an electronic store, marketplace or other sales channel to review or enforce compliance (§ 1798.91.06(b)), and no duty on the manufacturer for unaffiliated third-party software or applications that a user chooses to add to the device (§ 1798.91.06(a)).
Scope limitations are equally significant:
- The law governs devices sold or offered for sale in California. Manufacturers based outside California remain subject to SB-327 if their products reach California consumers.
- Software applications, cloud services, and purely software-based platforms are not covered — only physical connected devices.
- Connected devices whose functionality is subject to security requirements under federal law, regulations, or guidance issued by a federal agency under its regulatory enforcement authority are outside the title (§ 1798.91.06(d)); this carve-out covers, for example, FDA-regulated medical devices that carry federal cybersecurity requirements. Covered entities and business associates under HIPAA, and providers under California's Confidentiality of Medical Information Act, are likewise not subject to the title for activity those acts regulate.
- The law does not establish a private right of action. The California Attorney General, city attorneys, county counsel, and district attorneys have exclusive authority to enforce it (California Civil Code § 1798.91.06).
For a full glossary of terms used across California's cybersecurity statutes, the California cybersecurity terminology and definitions reference provides aligned definitions.
How it works
SB-327 does not prescribe a fixed list of security features. Instead, § 1798.91.04(a) requires that a connected device be equipped with a "reasonable security feature or features" that are:
- Appropriate to the nature and function of the device
- Appropriate to the information the device may collect, contain, or transmit
- Designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure
The law then provides two specific, operative conditions for password security. Under § 1798.91.04(b), if a device is equipped with a means for authentication outside a local area network (that is, it can be logged into remotely), that authentication is deemed a reasonable security feature when either of the following holds:
- Unique preprogrammed password: the preprogrammed password is unique to each unit manufactured, rather than a single default shared across all units of a model.
- Forced initial setup: the device contains a security feature that requires the user to generate a new means of authentication before access is granted to the device for the first time.
These two conditions are a safe harbor for the authentication mechanism, not the whole obligation. A remotely reachable device that meets neither has no safe harbor and is very unlikely to be found reasonably secured; a device that meets one still has to satisfy the rest of subdivision (a), which the statute makes explicit by stating the safe harbor is "subject to all of the requirements" of that subdivision. The broader "reasonable security" standard leaves room for regulatory and judicial interpretation of what additional protections, such as encrypted communications, authenticated firmware updates, or access control logging, are required by a device's risk profile.
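The two password conditions map directly onto a manufacturing step (how each unit gets its credential) and a device-side step (what happens on first login). The following Python is an added example, not code from the statute, the page's author, or any vendor: it provisions units under each condition, gates first access for a forced-setup unit, and audits a provisioning manifest for the failure modes the statute targets. The manifest layout, field names, 16-character password length, 8-character minimum for user-chosen credentials, and the "password contains the serial number" heuristic are this example's own assumptions.

```python
"""Added example: per-unit credential provisioning and a manifest audit modelled
on the two password conditions in Cal. Civ. Code § 1798.91.04(b).
Assumptions (not from the statute): manifest layout, field names, password
length, minimum user-password length and the serial-substring heuristic."""
import secrets
import string
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16  # assumption: 16 alphanumerics, roughly 95 bits of entropy


def provision_unit(serial: str) -> dict:
    """Condition (1): a preprogrammed password unique to each unit.

    The value comes from the OS CSPRNG and is deliberately NOT derived from the
    serial number, MAC address or a per-model secret: such values differ per
    unit yet remain guessable across the product line.
    """
    password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))
    return {"serial": serial, "password": password, "requires_setup": False}


def provision_unit_forced_setup(serial: str) -> dict:
    """Condition (2): no preprogrammed password; the device must make the
    user create a credential before first access is granted."""
    return {"serial": serial, "password": None, "requires_setup": True}


class DeviceAuth:
    """Minimal first-access gate as a device running condition (2) would apply it."""

    def __init__(self, unit: dict) -> None:
        self._password: Optional[str] = unit["password"]
        self._setup_pending: bool = unit["requires_setup"]

    def login(self, password: str) -> str:
        # Nothing can authenticate until setup has completed.
        if self._setup_pending or self._password is None:
            return "setup-required"
        return "ok" if secrets.compare_digest(self._password, password) else "denied"

    def complete_setup(self, new_password: str) -> bool:
        # Only allowed once, and only with a credential of non-trivial length.
        if not self._setup_pending or len(new_password) < 8:  # assumption: 8 min
            return False
        self._password = new_password
        self._setup_pending = False
        return True


@dataclass
class Finding:
    serial: str
    rule: str
    detail: str


def audit_manifest(units: list) -> list:
    """Flag units that satisfy neither safe-harbor condition."""
    counts = Counter(u["password"] for u in units if u["password"] is not None)
    findings = []
    for u in units:
        pw = u["password"]
        if pw is None:
            if not u["requires_setup"]:
                findings.append(Finding(u["serial"], "no-authentication",
                                        "no preprogrammed password and no forced setup"))
            continue
        if counts[pw] > 1:
            findings.append(Finding(u["serial"], "shared-default",
                                    f"password shared by {counts[pw]} units"))
        elif u["serial"] in pw:  # heuristic (assumption): serial-derived is guessable
            findings.append(Finding(u["serial"], "predictable",
                                    "password contains the serial number"))
    return findings


# Constructed sample manifests; not data from any real product line.
GOOD_MANIFEST = [provision_unit(f"SN{n:06d}") for n in range(1000)]
GOOD_MANIFEST.append(provision_unit_forced_setup("SN999999"))

BAD_MANIFEST = [
    {"serial": "CAM0001", "password": "admin123", "requires_setup": False},
    {"serial": "CAM0002", "password": "admin123", "requires_setup": False},
    {"serial": "CAM0003", "password": "admin123", "requires_setup": False},
    {"serial": "CAM0004", "password": "pw-CAM0004", "requires_setup": False},
    {"serial": "CAM0005", "password": None, "requires_setup": False},
]

if __name__ == "__main__":
    for f in audit_manifest(BAD_MANIFEST):
        print(f"{f.serial}: {f.rule} ({f.detail})")
    print("good manifest findings:", len(audit_manifest(GOOD_MANIFEST)))
```

Running the script lists five findings for the constructed bad manifest (three units sharing "admin123", one serial-derived password, one unit with no credential and no forced setup) and none for the provisioned one. The audit is the useful part for a compliance review: it catches the "technically unique but derived" case that a spreadsheet check for duplicate passwords would pass.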
The conceptual overview of how California cybersecurity works explains how this statute fits alongside California's data breach notification obligations and the California Consumer Privacy Act (CCPA).
Common scenarios
Scenario 1 — Consumer smart home device: A manufacturer selling a Wi-Fi-enabled doorbell camera in California, which can be logged into from outside the home network, needs either a unique password per unit assigned during manufacturing or a forced credential change on first access. A shared default such as "admin123" across all units of a product line, with no forced change, satisfies neither condition and leaves the manufacturer without the safe harbor, however clearly the manual advises users to change it.
Scenario 2 — Industrial IoT sensor: A company selling networked temperature sensors to California food processing facilities is subject to SB-327. Because these sensors collect and transmit operational data, the "reasonable security" analysis would weigh transmission encryption and authentication controls, not just password defaults.
Scenario 3 — Bluetooth wearable: A fitness tracker with only a Bluetooth address and no IP address of its own still falls within SB-327's definition of a connected device, because the statute explicitly includes Bluetooth-addressed devices and counts connecting to the Internet "indirectly", for example through the paired phone's companion app.
Scenario 4 — Software update delivered to existing devices: SB-327 became operative on January 1, 2020 and is framed around devices sold or offered for sale; it says nothing about hardware already in the field. A manufacturer shipping firmware updates to devices sold before that date does not thereby bring legacy hardware into scope on the statute's text, and the Attorney General's enforcement posture on ongoing software modifications to such devices has not been tested publicly.
The contrast with the CCPA's cybersecurity implications (tracked separately at CCPA cybersecurity implications) is one of target: the CCPA obliges businesses handling personal data to implement "reasonable security" against unauthorized access, whereas SB-327 places its duty on the device manufacturer rather than on the data controller relationship.
Decision boundaries
The following structured breakdown identifies whether SB-327 applies to a given situation:
- Is the object a physical device? If no (pure software, cloud service, API), SB-327 does not apply.
- Does the device have an IP address or Bluetooth address? If no, SB-327 does not apply.
- Can the device connect to the internet, directly or indirectly? If no, SB-327 does not apply.
- Is the device sold or offered for sale in California? If no, SB-327 does not apply. "Offered for sale" reaches online listings available to California consumers, so a manufacturer with no California presence is still in scope once its products are marketed there.
- Is the entity the manufacturer, meaning the person who manufactures the device or contracts for its manufacture on its own behalf? A retailer or marketplace that merely sells the device, or a party that only purchases and brands it, is not the manufacturer; the obligation rests upstream with the entity that commissioned the product.
- If the device authenticates users from outside a local area network: does it ship with a per-unit unique password, or require the user to create a credential before first access? If neither holds, the manufacturer has no safe harbor under § 1798.91.04(b) and is very unlikely to meet the reasonable security standard.
Beyond these binary tests, the "reasonable security" standard introduces a risk-proportionate analysis. Devices that collect sensitive categories of data — health metrics, location data, financial information — face a higher implicit security threshold than devices with minimal data collection. The National Institute of Standards and Technology (NIST) NISTIR 8259A, which defines a baseline of IoT device cybersecurity capabilities, provides a widely cited external benchmark that manufacturers can use to assess whether their security posture meets a "reasonable" standard, even though NISTIR 8259A is a federal guidance document without direct legal authority in California.
The relationship between SB-327 and federal preemption remains unsettled. No federal statute specifically preempts state IoT security laws: the IoT Cybersecurity Improvement Act of 2020 applies to devices procured by federal agencies and contains no preemption clause, and the Cyber Shield Act proposals introduced in Congress have not been enacted, leaving SB-327 operative. Organizations assessing exposure across connected product lines should also consult the California IoT security regulations reference for related enforcement context, and review the California Attorney General cybersecurity enforcement page for enforcement precedents.
A full picture of the state's cybersecurity obligations, including the frameworks that apply to sectors where IoT devices are common, is available through the home index of California Security Authority.
References
- California Civil Code § 1798.91.04 – SB-327 IoT Security Text (California Legislative Information)
- California Civil Code § 1798.91.05 – Definitions (California Legislative Information)
- California Civil Code § 1798.91.06 – Enforcement (California Legislative Information)
- NIST NISTIR 8259A – IoT Device Cybersecurity Capability Core Baseline (NIST CSRC)
- California Attorney General – Privacy Enforcement and Protection
- California Legislative Information – SB-327 Bill History
- Food and Drug Administration – IoT Medical Device Security Guidance