California lawyers Proposition 65

Near as we can tell, nearly all IoT products are being made in China these days. And near as we can tell, most of those IoT products being made in China by foreign companies are being sold in the United States, and that includes California. It therefore bears mentioning that California Governor Jerry Brown last week approved SB-327, the first information security law in the U.S. specifically targeting the IoT.

SB-327 will take effect on January 1, 2020 and it will require manufacturers of connected devices — essentially, IoT devices — to be equipped with “reasonable” security measures. These security measures must be appropriate for the nature of the devices and for the information they collect and contain and they must be designed to protect the devices from unauthorized access, destruction, use, modification, or disclosure. SB-327 also requires devices that can be accessed outside of a local area network be equipped with either a unique password or allow its users to generate their own password.

It is important to emphasize that SB-327 does not impose any requirements on users of IoT devices, but rather on manufacturers. This will essentially mean that companies that manufacture qualifying devices may need to re-do or re-develop or maybe even re-invent their IoT products.

It is also important to note that this new California law will apply to more than just California manufacturers. It will apply to any business that manufactures — either itself or through a contracting third party — qualifying devices that will be sold or offered for sale in California. Crucially, there is no threshold number for product sales in California. Consequently, pretty much any manufacturer, anywhere, could be subject to SB-327.

Complying with SB-327 may be as simple as assigning randomly generated passwords to each of your IoT devices or re-tooling your IoT device’s software or firmware to provide more robust security protection. But for some manufacturers — especially those that make devices that gather up or contain sensitive information — compliance may be more involved and may require a ground-up reinvention. And because this is California, you should expect to be sued (and sued again) if you do not comply with these new laws.

Any company that has had to deal with California’s Proposition 65 knows whereof we are speaking here. Speaking of California’s Proposition 65, this is another California law of which companies that manufacture in China and sell into California must be aware. California’s Proposition 65 regulates any substance listed by the State of California as having a 1 in 100,000 chance of causing cancer over a 70-year period or birth defects or other reproductive harm. Businesses are prohibited from knowingly exposing individuals to listed substances without providing a clear and reasonable warning.

Here though is the big issue with Proposition 65: a company whose product may cause cancer (as defined per the above) may be sued by a private party for having such a product in California. What this means is that if you are having a product made in China (or anywhere else) and that product ends up in California, you are at risk of having to pay a lot of money to lawyers to defend against such a lawsuit and of having to pay the plaintiff in such a lawsuit a lot of money to make it go away.

And let me tell you, this is not just a hypothetical risk; I know this because my law firm’s Los Angeles and San Fransisco offices deal with these sorts of cases on behalf of our clients (American, European and Asian) all the time.

If you sell your products into the United States, you should figure that will include California and you should figure that you will need to contend with SB-327 and/or Proposition 65 and don’t say we didn’t warn you.

What are you seeing out there?

Editor’s Note: This post was co-written by Griffen Thorne, a cybersecurity lawyer based in our Los Angeles office.

Photo of Dan Harris Dan Harris

Dan is a founder of Harris Bricken, an international law firm with lawyers in Los Angeles, Portland, San Francisco, Seattle, China and Spain.

He primarily represents companies doing business in emerging market countries, having spent years building and maintaining a global, professional network. 

Dan is a founder of Harris Bricken, an international law firm with lawyers in Los Angeles, Portland, San Francisco, Seattle, China and Spain.

He primarily represents companies doing business in emerging market countries, having spent years building and maintaining a global, professional network.  His work has been as varied as securing the release of two improperly held helicopters in Papua New Guinea, setting up a legal framework to move slag from Canada to Poland’s interior, overseeing hundreds of litigation and arbitration matters in Korea, helping someone avoid terrorism charges in Japan, and seizing fish product in China to collect on a debt.

He was named as one of only three Washington State Amazing Lawyers in International Law, is AV rated by Martindale-Hubbell Law Directory (its highest rating), is rated 10.0 by (also its highest rating), and is a recognized SuperLawyer.

Dan is a frequent writer and public speaker on doing business in Asia and constantly travels between the United States and Asia. He most commonly speaks on China law issues and is the lead writer of the award winning China Law Blog. Forbes Magazine, Fortune Magazine, the Wall Street Journal, Investors Business Daily, Business Week, The National Law Journal, The Washington Post, The ABA Journal, The Economist, Newsweek, NPR, The New York Times and Inside Counsel have all interviewed Dan regarding various aspects of his international law practice.

Dan is licensed in Washington, Illinois, and Alaska.

In tandem with the international law team at his firm, Dan focuses on setting up/registering companies overseas (via WFOEs, Rep Offices or Joint Ventures), drafting international contracts (NDAs, OEM Agreements, licensing, distribution, etc.), protecting IP (trademarks, trade secrets, copyrights and patents), and overseeing M&A transactions.