There are three ways to address the dismal state of IoT security. Developers could do the right thing and incorporate reasonable security controls. Customers could refuse to buy insecure products. Legislators could step in. California chose door number 3.
California Senate Bill 327, which became law on September 28, 2018, is, while inadequate, a step in the right direction. Many media outlets have reported that it outlaws default passwords, but the actual legislation is broader and less definitive.
You can read the full article here.