A doll for a child, a refrigerator that sends photos of the food on its shelves to a smartphone, a TV that responds to voice commands. These smart gadgets are filling up homes and making life convenient for Californians, but some state lawmakers fear they could also pose a security risk.
On Tuesday, May 9, the Senate Judiciary Committee approved legislation intended to beef up state privacy protections despite concerns expressed by the tech and manufacturing industries that added mandates could stifle innovation of everyday devices.
“This is an issue that deals with our immediate privacy, safety and security,” Sen. Hannah-Beth Jackson, D-Santa Barbara, pleaded with wavering members of the committee after nearly an hour of testimony and questions.
“This equipment is out there. It is amassing information. It is absolutely blowing our privacy rights to smithereens,” she added.
Her bill, SB 327, would mandate “reasonable” security features be built into appliances, electronics and children’s toys that can connect to the Internet. And it would require that Californians be alerted by either an audio or visual signal (like the blinking red record light of a video camera, for example) whenever data is being collected by their device.
Business groups argued that such provisions would lead to overly burdensome security features on everyday products that Californians have come to rely upon. And they pointed to federal privacy laws, including the Children’s Online Privacy Protection Act (COPPA), they say already require the industry to equip devices with security features.
“There are many existing laws at the state and federal level that do cover these devices,” said Margaret Gladstein, a privacy and data security lobbyist who testified on behalf of the California Chamber of Commerce and California Retailers Association.
For example, the Federal Trade Commission recently reached a $2.2 million settlement with television maker Vizio when it collected viewer information without consent, Gladstein noted. Jennifer Gibbons, senior director of state government affairs at the Toy Association, added that state attorneys general can also go after bad actors.
The industry’s concerns resonated with at least two Democrats on the panel — Sens. Bob Hertzberg and Henry Stern — who initially abstained from voting on the measure. They later voted for the bill, giving it the needed votes to move to the Senate floor, after securing a pledge from Jackson that she would work with the industry to address their concerns.
“The world is changing at such a rapid pace. The stuff that is out there is so extraordinary — both good and bad,” Hertzberg said. “I’m completely befuddled about what to do with this thing because I see a hundred holes in this deal.”
Among the concerns raised was exactly what “reasonable” security features would entail. Supporters argued that not all Internet-connected devices or personal information are covered by federal privacy rules and currently leave consumers vulnerable. Meanwhile, charged that the bill fails to narrowly define “reasonable” security features, which could lead to the state imposing more sweeping regulations than the federal government.
Joseph Jerome, policy counsel for nonprofit The Center for Democracy & Technology, said additional regulations are needed because consumers are already suffering. For example, children’s conversations can be recorded by the “My Friend Cayla” doll, which comes equipped with Bluetooth, and can be sent to the manufacturer. Hackers also have tapped into unsecure baby monitors and operated their cameras to track children’s movements.
“These scenarios are not anomalies. They will continue to occur as long as there is a lack of sensible privacy and security protections for consumer devices,” Jerome wrote in a letter to Jackson.
At the hearing, privacy advocates described the burgeoning industry of Internet-connected devices as one that is “more focused on making the latest hip gadget” than building in privacy and security protections.
Jackson, who held up the Cayla doll at the hearing, said her bill would require manufacturers to detail the capabilities of devices and questioned if parents would buy the doll if they knew it could record their children and be manipulated by hackers.
“I believe consumers, particularly parents, should not be left in the dark about the capacity of these devices and the sensitive information they may be collecting and making accessible to strangers,” Jackson said. “The lack of consumer information and disclosures means a lack of understanding about these dangers.”
In addition to privacy concerns, Jackson said her bill would help deter the theft of personal and sensitive information through data breaches or hacking of household devices.
