The UK and the EU have moved forward with legislation aimed at protecting consumer devices. These governments are responding to the sheer number of Internet of Things (IoT) devices that are in use. According to some industry estimates, it’s expected that there will be more than 22 billion IoT devices in use by the end of 2025.

The UK and EU mandates are unique in that they are directly moving to add protection to consumer devices, putting responsibility on manufacturers, distributors and retailers selling devices in these locations.

Meanwhile, in the US, there are currently no federal laws in place that directly address consumer devices. Federal cybersecurity law is focused largely on data privacy (including HIPAA, and additional laws protecting financial information). However, some states in the US are moving to tackle specific consumer risks. 

Here’s a brief roundup of recent mandates and guidelines in place in the US, how they compare with recent UK and EU legislation, and also some consideration on the direction cybersecurity seems to be taking. 

U.S. IoT device protection 

Consumers have grown to enjoy the ease and convenience of smart home devices that let you use a mobile app to control anything from turning on the air conditioning to starting a pot of coffee. But any device that’s connected to wifi can also be infiltrated by hackers and can put your privacy and data at risk. Why? Smart home devices provide another attack vector that malicious actors can potentially access via an unsecured wifi network. 

In the US, to combat some of these vulnerabilities, the Federal Communications Commission (FCC) recently announced the adoption of a voluntary cybersecurity labeling program for smart products including IoT devices such as smart TVs, appliances, wearables and other devices.  

The U.S. Cyber Trust Mark logo will initially appear on wireless consumer IoT products that meet the program’s cybersecurity standards, according to a press release from the FCC. 

The goal of the Cyber Trust Mark program is to “encourage manufacturers to meet higher cybersecurity standards,” the FCC stated. The program is also designed to make it easier for consumers to make informed purchasing decisions and determine the level of security or support for a specific product, including whether the product includes automatic software patches or security updates. 

This program contrasts with the recently passed PSTI Act in the UK as well as upcoming EU legislation that bans the use of default universal passwords. 

In the US, on the federal level, the Internet of Things Cybersecurity Improvement Act of 2020 covers devices “owned and controlled by the federal government,” not consumer devices. The act gave the National Institute of Standards and Technology (NIST) the authority to manage IoT cybersecurity risks for devices acquired by the federal government. While the law doesn’t expressly cover consumer devices, the federal government was aware of a potential ripple effect of private industry and consumers benefiting from the new standards.

States with new privacy laws in 2024 

Data privacy legislation continues to move forward on a state-by-state basis, as five states are unveiling new privacy legislation in 2024 including three that take effect in July 2024, according to reports, as follows:

Washington: On March 31, 2024, the My Health My Data Act went into effect. The law focuses exclusively on regulating personal health data that is outside the scope of HIPAA but doesn’t go as far as privacy laws in some other states.

Oregon: The Oregon Consumer Privacy Act takes effect on July 1, 2024. This affects firms that conduct business in the state and collect or process:

• (1) the personal data of 100,000 or more Oregon consumers or
• (2) the personal data of 25,000 or more Oregon consumers and derives 25% or more of its annual gross revenue from selling the personal data

Texas: The Texas Data Privacy and Security Act applies to anyone conducting business in the state of Texas and to any products or services consumed by Texas residents. There are exemptions in place for small businesses that meet certain criteria. 

Florida: Florida Digital Bill of Rights becomes effective on July 1, 2024. This mandate only applies to companies with $1 billion or more in revenue and for which more than half its global gross annual revenue is derived from the sale of online advertisements or other narrow criteria.

Montana: The Montana Consumer Data Privacy Act applies to firms that conduct business in Montana or that produce products or services that are targeted to Montana residents and also:  

• Control or process the personal data of at least 50,000 consumers or 
• Control or process the personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data

Meanwhile, California passed a law that took effect in 2020 aimed at universal passwords similar to the UK law, in an effort to combat distributed denial-of-service (DDoS) attacks from botnets.

Limits of IoT legislation and mandates

Despite new legislation and mandates, it’s not certain whether these protections will go far enough to protect devices and consumer data from cyberthreats. 

As one report from the University of Washington notes, laws regulating IoT are “still in infancy,” and most IoT guidance is “generally advisory and non-binding.” It’s possible that legislation to fill gaps may move forward. However, securing the software that integrates products and devices may be a more effective solution, especially when software security is built in.