As someone said: "The 'S' in 'IoT' stands for Security".
I expect this to do very little to the problem, where consumers don't understand and care enough to pay extra for secure stuff, and producers will not spend resources on something that consumers don't want to pay for.
The laws that I see working are the ones that punish companies that, by negligence in security measures, enable private data to be leaked.
You can never leave this decision as a choice to the consumer.