CA SB327

Requires manufacturers of connected devices to equip devices with reasonable security features appropriate to the device's nature, function, and any information it collects, contains, or transmits, effective January 1, 2020.

Deems a device to have reasonable security if it either has a unique preprogrammed password for each device or requires users to generate new authentication credentials before first access.

Defines "connected device" as any physical object capable of connecting to the Internet directly or indirectly and assigned an Internet Protocol address or Bluetooth address.

Excludes from requirements third-party software/applications added by users, software marketplace providers, and devices subject to federal security requirements; exempts HIPAA and medical information privacy law-regulated activities.

Grants exclusive enforcement authority to the Attorney General, city attorneys, county counsel, and district attorneys; does not create a private right of action.