BILL ANALYSIS SB 1476 Page 1 Date of Hearing: June 29, 2010 ASSEMBLY COMMITTEE ON JUDICIARY Mike Feuer, Chair SB 1476 (Padilla) - As Amended: June 23, 2010 Proposed Consent (As Proposed to be Amended) SENATE VOTE : 30-0 SUBJECT : Public Utilities: Consumer Privacy: Advanced Metering KEY ISSUE : Should public utilities that use advanced "smart" metering technology be prohibited from sharing or selling consumer consumption data and personal information, as specified, and be required to establish reasonable DATA security measures? FISCAL EFFECT : As currently in print this bill is keyed fiscal. SYNOPSIS This bill would impose certain restrictions and privacy requirements on investor owned gas and electric utilities (IOUs) and local publicly-owned utilities (POUs) that use advanced metering devices, generally known as "smart meters." The "smart meter" allows data to be sent via Internet directly to the utility (thus avoiding the need for individual collection at each meter) and permits consumers to monitor their consumption data in order, ideally, to adjust their behavior and use energy more efficiently. However, customers generally access this data through third parties, such as Google Power Meter, that provide the consumer with tools for analyzing the data and how they might change their consumption patterns. However, third party providers often require the consumer to permit the provider to share the consumption data for commercial use. This bill would do the following: require utilities to offer the consumer an option to access data without the condition of sharing consumption data; prohibit utilities from sharing, disclosing, or selling consumption data or personal information, subject to certain exceptions; and require both the public utilities and third party contractors to adopt reasonable security measures. The California Public Utilities Commission, Sempra, and SMUD SB 1476 Page 2 have generally been supportive of the bill but have sought amendments clarifying that the general prohibition on sharing and disclosing data not prohibit them from sharing information with third parties not be construed to prohibit customer use of "demand response" and energy efficiency programs, so long as those third party provider maintains reasonable security measures. The June 23 amendments appear to address these concerns. The author has agreed to take some additional technical amendments in this Committee that were suggested by Sempra and TechNet. There is no opposition to this bill. The bill has not received any negative votes in any committee or floor vote thus far. SUMMARY : Prohibits any electrical or gas corporation, or any locally owned public utility that employs advanced metering (or "smart meters") from sharing, disclosing, or selling a customer's personal information data or consumption data, subject to certain exceptions, and requires public utilities to adopt reasonable security measures to protect a customers personal information and consumption data from unauthorized access. Specifically, this bill : 1)Repeals a pilot project relating to the relative value to ratepayers of information, rate design, and metering innovations. 2)Prohibits an electrical corporation or gas corporation that employs an advanced metering infrastructure (electrical or gas corporation) from sharing, disclosing, or otherwise making accessible to any third party a customer's electrical or gas consumption data, except upon the consent of the consumer. Permits use of aggregated data for purposes of consumption analysis, reporting, or program management so long as all information regarding a customer's individual identity has been removed. 3)Prohibits an electrical or gas corporation from selling a customer's electrical or gas consumption data or any other personally identifiable information for any purpose. 4)Prohibits an electrical or gas corporation, or any contractor of the utility, from conditioning a customer's access to electrical or gas consumption data on the payment of an incentive or discount. SB 1476 Page 3 5)Provides that if the electrical or gas corporation contracts with a third party for a service that allows a customer to monitor his or her electricity or gas usage, and that third party uses the data for a secondary commercial purpose, the electrical or gas corporation shall ensure that the third party prominently discloses that secondary use to the customer. 6)Requires the electrical or gas corporation to provide the customer with an option to monitor his or her electricity or gas usage which is not conditioned on the use of the data by a third party for a secondary commercial purpose. 7)Requires an electrical or gas corporation to use reasonable security procedures and practices to protect a consumers electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure. 8)Provides that nothing in this bill shall preclude an electrical or gas corporation from disclosing a customer's aggregated data for purposes of analysis, reporting, or management, as specified, or from disclosing a customer's consumption data to a third party for system, grid, or operational needs, or the implementation of demand response or energy efficiency programs, so long as the third party is contractually required to maintain reasonable security procedures and practices. 9)Provides that nothing in this bill shall preclude an electrical or gas corporation from disclosing electrical or gas consumption data as required under state or federal law or by an order of the Public Utilities Commission. 10)Provides that if the customer chooses to disclose his or her electrical or gas consumption data to a third party that is unaffiliated with, and has no other business relationship with, the electrical or gas corporation, the electrical or gas corporation shall not be responsible for the security of that data, or its misuse. 11) Applies requirements identical to the above to local, publicly owned electrical utilities. EXISTING LAW : SB 1476 Page 4 1)Requires the Public Utilities Commission (PUC) to conduct a pilot study on rate design and metering innovations to assist residential and small commercial customers with better management of their electricity use. Consumption data obtained in the pilot study cannot be used for any commercial purposes unless specifically authorized by the customer. (Public Utilities Code Section 393 et seq.) 2)Requires a business that owns or licenses the personal information about a California resident to implement and maintain reasonable security procedures and practices to protect the consumer information from unauthorized access. Requires any business or state agency that owns or licenses personal information to notify the affected person in the event that any unencrypted computerized personal information is subject to a security breach. (Civil Code Sections 1798.81.5 and 178.82.) 3)Requires a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party to require by contract that the third party implement and maintain reasonable security measures to prevent unauthorized access to the personal information. (Civil Code Section 1798.81.5 (c).) 4)Establishes smart grid as the policy of the state and requires the PUC to determine the requirements for smart grid deployment no later than July 1, 2010. Investor owned public utilities would be required to adopt a plan for implementation of a smart grid no later than July 1, 2011. (Public Utilities Code Section 8360 et seq.) COMMENTS : This bill is a follow up to SB 17 of 2009 by the same author. (Chapter 327, Stats. of 2009). That bill required the PUC, in consultation with other state agencies and stakeholders, to determine the requirements for a "smart grid" deployment plan and required investor owned public utilities in the state to adopt implementation plans no later than July 1, 2011. Because installation of "smart meters" has already begun, this bill seeks to protect the privacy of a customer's consumption data and personal information by restricting the use of the data and requiring the utility and third parties to implement and maintain security policies and procedures designed to protect data from unauthorized access. SB 1476 Page 5 Background : Advanced metering technology is clearly the wave of the future. The term "smart meter" generally refers to meters that allow two-way wireless communication between the individual consumer's meter and the utility company. In short, the meter sends a consumer's consumption data over the Internet to the utility company, thereby eliminating the need for the utility company to send personnel to read each meter manually. Moreover, smart meters also have the potential to permit consumers to use energy much more efficiently and cost effectively. For example, the smart meter allows consumer to monitor their energy use and thereby consider ways that they might reduce overall energy consumption. In addition, so-called "demand response" and related efficiency programs provide consumers with more detailed analysis of the data, for example by showing consumers how they can save money through off-peak usage. This not only saves the consumer money, it also puts less pressure on the power grid and could potentially reduce the danger of "black outs" during peak usage periods. To date, however, most utility companies independently lack the capacity to allow consumers to directly access data from the utility in a way that provides useful feedback and analysis. Instead, consumers access their data through third party "demand response providers" (e.g. Google Power Meter) or companies that provide consumers with energy efficiency tools (e.g. OPOWER). In order to provide this service, however, these third parties often require the customer to permit the third party to share consumption data for commercial purposes. This bill seeks to protect the privacy of a customer's consumption data and personal information. Most notably, this bill would prohibit public utilities from sharing, selling, or otherwise disclosing a customer's consumption data and personal information, subject to certain exceptions. In addition, tracking existing language of Civil Code Section 1798.81.5, which applies to private businesses that keep a customer's personal information, this bill would require utilities to implement and maintain reasonable security measures to protect consumption data and personal information. To the extent that utilities are permitted to share information with third parties - such as those that offer demand response and energy efficiency programs - they must require by contract that the third party maintain reasonable security procedures. If third parties share any of that information for commercial purposes, this fact must be conspicuously disclosed to the customer. Finally, the bill SB 1476 Page 6 requires public utilities to offer customers at least one option of accessing consumption data that does not require an agreement to authorize the sharing of that data for commercial purposes. ARGUMENTS IN SUPPORT : The author, who last year carried legislation to require the PUC to develop a plan for implementing a smart grid system, is obviously supportive of the new technology. However, the author also believes that a customer's information - both personally identifiable information and specific consumption patterns - should be protected from unauthorized access. For example, the author notes that detailed consumption data can reveal sensitive information about a customer's schedule and habits, including the times at which a person may or may not be home or on vacation. Finally, the author believes that consumers should have an option to access their consumption data without having to permit a third party to share, sell, or disclose that information for commercial purposes. The Public Utilities Commission, Sempra Energy, and SMUD have generally supported this bill subject to certain amendments. The most recent amendments reflected in the June 23 version of the bill appear to address those concerns. Overall, the PUC and the utilities have primarily been concerned that the bill not be construed in a way that would prohibit utilities from sharing information with third party "demand response" providers and other parties that offer useful energy efficiency programs. These efficiencies, after all, are the primary reason for adopting smart meters. The June 23 amendments appear to have removed this opposition. However, Sempra and TechNet (which wrote a letter of concern) also requested technical amendments listed below, and which the author has agreed to take. Proposed Author Technical Amendments: - On page 4 line 10 after "customer's" insert: unencrypted - On page 4 line 22 after "response" insert: energy management - On page 6 line 6 after "response" insert: energy management - On page 6 line 17 after "customer's" insert: unencrypted REGISTERED SUPPORT / OPPOSITION : SB 1476 Page 7 Support Division of Ratepayer Advocates, PUC California Public Utilities Commission (if amended) Sacramento Municipal Utility District (SMUD) (if amended) Sempra Energy (if amended) Opposition None of file Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334