CA AB1906

Requires manufacturers of connected devices to equip devices with reasonable security features appropriate to the device's nature, function, and the information it collects, beginning January 1, 2020.

Deems a device to have reasonable security if it either uses a unique preprogrammed password for each device or requires users to generate new authentication credentials before first use.

Defines "connected device" as any physical object capable of connecting to the Internet directly or indirectly with an assigned Internet Protocol or Bluetooth address.

Exempts manufacturers from liability for third-party software, user modifications, devices subject to federal security requirements, and health-related entities regulated under HIPAA or California's Confidentiality of Medical Information Act.

Provides exclusive enforcement authority to the Attorney General, city attorneys, county counsel, and district attorneys; eliminates private right of action for consumers.