If a device requires you to sign in, manufacturers will either have to use unique preprogrammed passwords -- see ya never, username: admin/password: admin -- or make you change the credentials the first time you use it. Companies will also have to "equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device."
If Brown signs the bill into law, it will take effect at the beginning of 2020. But critics claim the wording is vague and doesn't go far enough in ensuring manufacturers don't include unsecured features.
"It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Robert Graham of Errata Security said in a blog post. "The key to dieting is not eating more but eating less." Given the huge number of connected devices available, it's also not clear how the state plans to enforce and regulate the rules.
Still, it's a step towards protecting consumers from the litany of attacks, exploits, and security flaws on connected devices that threaten consumers every day. Including fuzzy wording in the draft language may actually be a positive, as technology companies (and hackers) typically move faster than lawmakers can legislate, so more concrete security measures that the bill could have laid out may soon seem antiquated anyway.
It's possible that, should the law come into effect, manufacturers will adopt the same security measures for their products in other states that they will in California. A number of draft bills related to connected device security are languishing in Congress committee purgatory, so the California law could prompt movement on legislation at the federal level too.