Chapter 35.5 - Connected Devices

California Business and Professions Code — §§ 22948.30-22948.37

Sections (9)

Added by Stats. 2005, Ch. 437, Sec. 1. Effective January 1, 2006.

(a)The following persons may bring an action against a person who violates or is in violation of Section 22948.2:

(1)A person who (A) is engaged in the business of providing Internet access service to the public, owns a Web page, or owns a trademark, and (B) is adversely affected by a violation of Section 22948.2.

An action brought under this paragraph may seek to recover the greater of actual damages or five hundred thousand dollars ($500,000).

(2)An individual who is adversely affected by a violation of Section 22948.2 may bring an action, but only against a person who has directly violated Section 22948.2.

An action brought under this paragraph may seek to enjoin further violations of Section 22948.2 and to recover the greater of three times the amount of actual damages or five thousand dollars ($5,000) per violation.

(b)The Attorney General or a district attorney may bring an action against a person who violates or is in violation of Section 22948.2 to enjoin further violations of Section 22948.2 and to recover a civil penalty of up to two thousand five hundred dollars ($2,500) per violation.

(c)In an action pursuant to this section, a court may, in addition, do either or both of the following:

(1)Increase the recoverable damages to an amount up to three times the damages otherwise recoverable under subdivision (a) in cases in which the defendant has engaged in a pattern and practice of violating Section 22948.2.

(2)Award costs of suit and reasonable attorney’s fees to a prevailing plaintiff.

(d)The remedies provided in this section do not preclude the seeking of remedies, including criminal remedies, under any other applicable provision of law.

(e)For purposes of paragraph (1) of subdivision (a), multiple violations of Section 22948.2 resulting from any single action or conduct shall constitute one violation.

§ 22948.30

Added by Stats. 2025, Ch. 676, Sec. 2. (SB 50) Effective January 1, 2026.

For purposes of this chapter, the following definitions apply:

(a)“Account manager” means a person or entity that provides an individual an internet-based or app-based user account, or a third party that manages those user accounts on behalf of that person or entity, that has authority to make decisions regarding user access to those user accounts.

(b)(1) “Connected device” means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address or enables a person to remotely obtain data

from or send commands to a connected device or account, which may be accomplished through a software application that is designed to be operated on a mobile device, computer, or other technology.

(2)“Connected device” does not include either of the following:

(A)Peripheral or component devices that are solely dependent on a primary connected device for internet connectivity and that cannot be independently accessed, remotely disabled, or

disconnected by a user or service provider.

(B)A connected device that is more than 10 years old or is no longer supported by the account manager.

(c)(1) “Covered act” means conduct that constitutes any of the following:

(A) A crime described in Chapter 8 (commencing with Section 236) of Title 8 of Part 1 of the Penal Code.

(B) A crime described in Chapter 1 (commencing with Section 261), Chapter 2 (commencing with Section 270), Chapter 2.5 (commencing with Section 273.8), Chapter 4 (commencing with Section 277), Chapter 5 (commencing with Section 281),

Chapter 5.5 (commencing with Section 290), Chapter 7.5 (commencing with Section 311), Chapter 7.6 (commencing with Section 313), or Chapter 8 (commencing with Section 314) of Title 9 of Part 1 of the Penal Code.

(C) An act under federal law, tribal law, or the Uniform Code of Military Justice that is similar to an offense described in subparagraph (A), (B), (D), or (E).

(D) Domestic violence, as defined in Section 6211 of the Family Code.

(E) A misdemeanor described in subdivision (e) of Section 243 of the Penal Code.

(2)Nothing in paragraph (1) shall be construed to require a criminal conviction or any other determination of a court in order for

conduct to constitute a covered act.

(d)“Device access” means the ability to remotely control a connected device, remotely change the characteristics of a connected device, or remotely view or manipulate data collected by or through a connected device, by accessing a user account or accounts associated with the connected device. Acts that require device access include, but are not limited to, remotely manipulating an audio system, security system, light fixture, or other home appliance or fixture.

(e)“Device protection request” means a request by a survivor to terminate or disable a perpetrator’s access to a connected device or account, including, but not limited to, the ability of a person to obtain data from or send commands to a connected device or account.

(f)“Perpetrator” means an individual who has committed or allegedly committed a covered act against a survivor or an individual under the care of a survivor.

(g)“Survivor” means an individual who has had a covered act committed, or allegedly committed, against the individual, or who cares for another individual against whom a covered act has been committed or allegedly committed, provided that the individual providing care did not commit or allegedly commit the covered act.

(h)“User account or account” means an account or other means by which a person enrolls in or obtains access to a connected device or online service.

§ 22948.31

Added by Stats. 2025, Ch. 676, Sec. 2. (SB 50) Effective January 1, 2026.

(a)A survivor, or a designated representative of a survivor, may submit a device protection request to an account manager seeking to terminate a perpetrator’s access to a connected device or associated user account.

(b)A device protection request shall include all of the following:

(1)A verification that the perpetrator has committed or allegedly committed a covered act against the survivor or an individual in the survivor’s care, by providing either of the following:

(A)A copy of a signed affidavit from a licensed medical or mental health care

provider, licensed military medical or mental health care provider, licensed social worker, victim services provider, or licensed military victim services provider, a temporary restraining order, an emergency protective order, or a protective order lawfully issued pursuant to Section 527.6 of the Code of Civil Procedure, Part 3 (commencing with Section 6240) or Part 4 (commencing with Section 6300) of Division 10 of the Family Code, or Section 136.2 of the Penal Code.

(B)A copy of a police report, statements provided by police, including military police, to magistrates or judges, charging documents, protective or restraining orders, military protective orders, or any other official record that documents the covered act, including a copy of a written report by a peace officer employed by a state or local law enforcement agency acting in the

peace officer’s official capacity stating that the individual has filed a report alleging victimization of an act or crime.

(2)Verification of the survivor’s exclusive legal possession or control of the connected device, including, but not limited to, a dissolution decree, temporary restraining order, protective order, domestic violence restraining order, or other document indicating the survivor’s exclusive use care, possession, or control of the connected device.

(3)Identification of the connected device or devices.

(4)Identification of the person that the requester seeks to deny device or account access.

(c)An account manager shall offer a survivor or

a designated representative of a survivor the ability to submit a device protection request under subdivision (b) through secure remote means that are easily navigable. Except as specified under subdivision (b), an account manager shall not require a specific form of documentation to submit a device protection request.

(d)Within two business days of receiving a complete device protection request, the account manager shall do one of the following:

(1)Terminate or disable the identified perpetrator’s access to the connected device or user account, and notify the survivor or their representative that access has been successfully denied.

(2)Inform the survivor, in a clear and conspicuous manner, of any methods to reset the device to factory settings or to a similar state that removes all account holders. A reset method is one that does not require the survivor to possess a personal identification number (PIN), password, or other access credential, and shall be available solely by virtue of the survivor’s physical proximity to the

device.

(e)An account manager shall clearly describe the process under this section to submit a device protection request, including required documentation and available remedies, on its internet website and any associated mobile application.

(f)An account manager shall not require any of the following as a condition for processing a device protection request:

(1)Payment of a fee, penalty, or other charge for the survivor or a designated representative of the survivor to submit a request, or for the account manager to carry out the request.

(2)Approval of the device protection request by any person who has device or account access that is not the survivor.

(3)An increase in the rate charged for the account if any

subscription fee or other recurring charge for account access applies.

(4)Any other requirement not listed under subdivision (b).

(g)An account manager shall not deny a device protection request due to arrears accrued by the account or associated with the connected device.

(h)An account manager shall not notify the perpetrator of the access termination and shall not disclose any data, credentials, or account changes relating to the survivor or any new account created after the perpetrator’s access is removed.

(i)A survivor shall not be financially responsible for any amount incurred or charged to the connected device or associated account by

the perpetrator after the perpetrator’s access has been terminated under this chapter.

(j)(1) An account manager and any officer, director, employee, vendor, or agent thereof shall treat any information submitted by a survivor or a designated representative of a survivor under this section as confidential and securely dispose of the information not later than 90 days after receiving the information.

(2)Nothing in paragraph (1) shall be construed to prohibit an account manager from maintaining, for longer than the period specified in that paragraph, a record that verifies that a survivor or a designated representative of a survivor fulfilled the conditions of a device protection request under subdivision (b).

§ 22948.32

Added by Stats. 2025, Ch. 676, Sec. 2. (SB 50) Effective January 1, 2026.

(a)(1) An account manager that fails to deny a perpetrator access in compliance with subdivision (a) of Section 22948.31 or otherwise does not comply with the requirements described in Section 22948.31 shall be deemed in violation of this chapter.

(2)A perpetrator that maintains or exercises device or account access, including by disturbing the peace of the other party, as described in subdivision (c) of Section 6320 of the Family Code, despite having their device or account access denied pursuant to subdivision (a) of Section 22948.31, shall be deemed in violation of this chapter.

(b)(1) Actions for relief pursuant to this chapter may be prosecuted exclusively in a court of competent jurisdiction in a civil action brought by any person injured by the violation or in the name of the people of the State of California by the Attorney General, a district attorney, county counsel, a city attorney, or a city prosecutor.

(2)A court may enjoin a person or entity who engages, has engaged, or proposes to engage in a violation of this chapter. The court may make any orders or judgments as may be necessary to prevent or remedy a violation of this chapter.

(3)A person or entity who engages, has engaged, or proposes to engage in a violation of this chapter shall be liable for a civil penalty not to exceed two thousand five hundred dollars

($2,500) per violation for each connected device in violation of this chapter. If multiple violations of this chapter are alleged in any civil action, they shall be specifically alleged, and a court of competent jurisdiction shall make specific findings as to each violation. If the action is brought by the Attorney General, the penalty shall be deposited into the General Fund. If the action is brought by a district attorney or county counsel, the penalty shall be paid to the treasurer of the county in which the judgment was entered. If the action is brought by a city attorney or city prosecutor, the penalty shall be paid to the treasurer of the city in which the judgment was entered. If the action is brought by a person injured by the violation, the penalty shall be awarded to that person.

(c)The prevailing plaintiff in any action commenced

under this section shall be entitled to recover court costs and reasonable attorney’s fees.

§ 22948.33

Added by Stats. 2025, Ch. 676, Sec. 2. (SB 50) Effective January 1, 2026.

Any waiver of the provisions of this chapter is contrary to public policy and void and unenforceable.

§ 22948.34

Added by Stats. 2025, Ch. 676, Sec. 2. (SB 50) Effective January 1, 2026.

(a)The duties and obligations imposed by this chapter are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.

(b)The remedies or penalties provided by this chapter are cumulative to each other and to the remedies or penalties available under all other laws of the state.

§ 22948.35

Added by Stats. 2025, Ch. 676, Sec. 2. (SB 50) Effective January 1, 2026.

Notwithstanding any other provision of this chapter, any entity that is subject to the federal Safe Connections Act of 2022 (Public Law 117-223) or regulations of the Federal Communications Commission adopted pursuant to the authority of that law, shall not be subject to this chapter.

§ 22948.36

Added by Stats. 2025, Ch. 676, Sec. 2. (SB 50) Effective January 1, 2026.

Notwithstanding any other provision of this chapter, an entity that is subject to Chapter 6 (commencing with Section 28200) of Division 12 of the Vehicle Code shall not be subject to this chapter.

§ 22948.37

Added by Stats. 2025, Ch. 676, Sec. 2. (SB 50) Effective January 1, 2026.

The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.