HealthVerity Blog

CCPA: Connected devices and new privacy regulations

Written by HealthVerity | Aug 27, 2019 3:41:06 PM
Connected devices are here to stay. The conveniences they offer can make it easy to forget just how much personal data these smart devices are collecting every second of the day. They control the temperature of your home, track your sleep patterns, and play your favorite songs. This vast interconnected network of smart devices is commonly known as the Internet of Things (IoT) and it is expanding at a rapid pace. By 2025, more than 75 billion devices are expected to be connected to the IoT worldwide and the information they share back with manufacturers and with each other is staggering.


The greater good of smart devices for consumers, however, must be balanced with the risk that comes with having so much personal information readily available. Due to the sheer volume of data collected from so many different devices, the IoT nodes are especially susceptible to cyberattacks and data breaches, with many entry points left exposed and unprotected.

Despite these vulnerabilities, there are currently no federal laws designed specifically to regulate IoT. In less than six months, however, lawmakers in the state of California hope that two new privacy regulations, the California Consumer Privacy Act (CCPA) and the Security of Connected Devices Act (SB 327), will bring about a new standard of improved data privacy. Set to go into effect on January 1, 2020, these bills have the potential to drive significant changes in how device manufacturers develop their products and track the important consumer data these products collect. As companies prepare for these new privacy bills to become law, they must also build a strategy to ensure compliance and have the tools in place to effectively manage this rich and growing source of data.

Get Smart about Smart Devices

According to the Security of Connected Devices Act, a connected device is defined as “any object that has the ability to connect to the internet, either directly or indirectly, and that is assigned an IP or Bluetooth address.” This is an incredibly broad definition that essentially applies to almost any technological device that sends or receives information via an internet connection. Smartphones, virtual assistants, and fitness trackers along with toys, baby monitors, e-readers, home security systems, and even automobiles are considered connected devices.

Companies that manufacture any product that can connect to the internet, along with third-party vendors that sell them, must be ready to comply with CCPA and SB 327. In addition to developing an inventory of all their products to determine which items fall under the definition of a “connected device,” companies will need to understand and take steps to mitigate the security risks these devices pose to consumers and to the company itself. This includes ensuring that solutions, such as HealthVerity Consent, are in place to monitor, manage, and protect data.

How Key Legislation Differs

CCPA and SB 327 are complementary bills, but each piece of legislation serves a unique purpose. CCPA outlines the broadest definition to date of “personal information,” giving consumers significantly more control over how their information is used -- including how businesses collect, share, and sell that information. Consumers also have the ability to opt out of data-sharing agreements at any time. Essentially, CCPA is focused on disclosure and transparency when it comes to data usage, with less focus on the details related to actually securing that information.

SB 327, on the other hand, is primarily focused on security, with provisions for manufacturers to include “reasonable security” for devices. While this may seem simple, this provision could mean significant changes for device manufacturers who currently are able to equip devices with standard passwords such as “admin” or “password” and leave it to the user to make password changes (something that does not necessarily happen and leaves millions of devices vulnerable to hackers). Under the new bill, a device is considered secure if it either contains a pre-programmed password unique to each device or has a security feature that requires the user to generate a new means of authentication before being granted first-time access to use the device.

These provisions are still relatively broad but could open the door for consumers to gain a greater sense of control and understanding regarding device security. This understanding, coupled with CCPA’s transparency provisions, will leave the consumer feeling more empowered to manage their personal data and more informed about a company’s responsibility in that process.

While SB 327 does not include provisions for consumers to file lawsuits in case of a data breach, CCPA gives consumers a right of action should their data become compromised and provides for consumer lawsuits with statutory damages of between $100 and $750 per consumer per incident, or actual damages if greater. For actions commenced by the Attorney General, the CCPA allows penalties to be imposed for intentional violations of any provision up to $7,500 per violation or $2,500 for unintentional violations if the violation is not cured within 30 days of notice.

How the regulatory framework spawned by these bills evolves come January 1 remains to be seen, but what is certain is that businesses must be ready to deal with both a more knowledgeable and empowered consumer and a new set of rules and regulations on how data must be managed and secured.

Think on a National Scale

SB 327 and CCPA are technically California bills, but any company that sells or manufactures connected devices for individuals living in California will need to comply, meaning this new set of standards could soon become the de facto national law. Even a company that manages a website where California residents may enter personal data will need to comply.

IoT manufacturers and the third parties that help collect and manage data from these devices need to be ready now with a clear system in place to sift through all the data and ensure compliance across all 50 states.

What about Wearables?

Wearables, such as fitness trackers, present a unique challenge when it comes to navigating new privacy regulations as these devices are often designed specifically to collect health data. CCPA allows exemptions for entities that comply with HIPAA (Health Insurance Portability and Accountability Act), such as hospitals, insurers, and other healthcare providers. It is unlikely, however, that wearable manufacturers will be able to count on that exemption since these devices collect data directly from consumers without providing healthcare services. The future is looking at the person and doing it automatically for them.

Wearables, perhaps more than other smart devices, put consumers on alert with respect to privacy. Since these devices track everything from disease management to mental health to email addresses, names, phone numbers, and other identifiable information, consumers and wearable manufacturers must be extra diligent in ensuring data privacy. Under CCPA, consumers also have the right to request a “look back” at all the information that a company has been collecting on them for the previous twelve months. Come January 1, 2020, many companies, especially wearable manufacturers, are likely to be inundated with consumer requests to both know what data has been collected and to then change or opt out of data collection moving forward. The tools to manage this data and this pending deluge of requests must be in place now to ensure compliance and retain customer goodwill.

Don’t Find Yourself Left to Your Own Devices

The New Year will present many challenges for connected device manufacturers and the companies that collect IoT data. A single platform, such as HealthVerity Consent, will help collect, manage and report on divergent data, classify that data, and automatically log consumer data preferences to ensure compliance with new security regulations. By using a unified system that can effectively manage data and ensure compliance, device manufacturers can show their customers that they take data privacy seriously and are committed to the transparency and security measures that will ensure their data is protected and their privacy preferences are respected.