California lawmakers have prepared a new bill, dubbed ‘The Teddy Bear and Toaster Act’, that would regulate manufacturers to better secure ‘smart’ internet-connected products which can record data, also requiring customers’ consent to transfer information.
Under Senate Bill 327, companies would have to design their products to alert customers through a visual or auditory cue that it is gathering data. The device would also have to obtain consent when it intended to transfer the information.
"The more we know and the more we learn about the internet connection of all sorts of devices, many are realizing that we don’t know the extent to which these devices are invading our lives," Senator Hannah-Beth Jackson (D, Santa Barbara) said, according to the Los Angeles Times.
Sellers of the products and devices would have to disclose at point of sale to customers whether the devices are capable of sweeping up sensitive data.
The move comes over concerns that toys and devices that converse with children - like ‘My Friend Cayla’ or Amazon ‘Echo’ - presents an inviting target for hacks.
The ‘Cayla’ doll was banned in Germany after parents became concerned that it could prompt children to give personal information such as their parents’ names and addresses, and manufacturers retained the right to target young buyers in direct marketing campaigns.
Amazon’s ‘Echo’, a voice-activated smart home device, does not appear to leak information. The device does, however, capture audio and streams it to the cloud when the device hears the wake word “Alexa.” A ring at the top of the device turns blue to give a visual indication that audio is being recorded. Those sound clips are stored until a customer deletes them.
The device has become a central focus in a 2015 murder case. Police in Arkansas want to know if the gadget overhead anything involving the death of Victor Collins, found dead in the hot tub of James Andrew Bates, who is accused of first-degree murder.
Most states, including California, have privacy breach laws to protect personal information but the proposal, which would extend those provisions to consumer devices, could be the first of its kind nationwide. However, it is expected to garner wide opposition from retailers and manufacturers.
Senate Bill 327 would also require manufacturers to notify customers about security patches and other updates.
Jackson called her bill the first of its kinds on the issue, and expects it will initially be heard in the Senate Judiciary Committee, which she chairs.
She suspects companies that make the produce “are not going to be real happy with this.”
“This technology is far beyond what we understand. They’re getting away with these privacy violations now,” Jackson added, according to the Sacramento Bee. “I’m happy to sit at the table with them.”
The California Manufacturers and Technology Association has not taken a position on the bill.
But there are critics of the bill. The Washington, DC legal firm Keller and Heckman argued the language of the legislation is “so broad that it would apply to any device that is capable of connecting to the internet or to another device, including computers, toys, appliances, cell phone, and professional equipment.”