AB 1274,
as amended, Bradford. Privacy:begin delete public utilities.end deletebegin insert customer electrical or natural gas usage data.end insert
Existing law prohibits, except as specified, anbegin delete electricend deletebegin insert electricalend insert corporation or gas corporation, and a local publicly owned utility, from sharing, disclosing, or otherwise making accessible to abegin delete thirdend deletebegin insert 3rdend insert party a consumer’s electric or gas usage that is made available as a part of an advanced metering infrastructure, including the name, account number, and residence of the customer (data). Existing law requires the electrical corporation or gas corporation, and abegin delete locallyend deletebegin insert
localend insert publicly owned utility, to use reasonable security procedures and practices to provide a consumer’s unencrypted data from unauthorized access, destruction, use, modification, or disclosure.
Existing law makes the willful obtaining of personal identifying information, as defined, and use of that information for any unlawful purpose, a felony or misdemeanor. Existing law authorizes a person that has been injured as a result of a violation of this prohibition to bring an action against a claimant, as defined, to establish that they are a victim of identity theft, in connection with the claimant’s claim against that person and to bring a cross-complaint if the claimant has brought an action to recover on a claim against the person. A person who proves that he or she is a victim of identity theft by a preponderance of evidence is entitled to a judgment providing for actual damages, attorney’s fees, and costs, and any equitable relief that the court deems appropriate.
This bill would prohibitbegin delete an energy management service provider, as defined, from, among
other things, sharing, disclosing, or otherwise making a customer’s electrical or gas consumption data accessible to a 3rd party or selling a customer’s electrical or gas consumption data, except upon the consent of the customer, as specified. The bill would prohibit an energy management service provider or its contractors from providing an incentive or discount to the customer for accessing the customer’s electrical or gas consumption data without the prior consent of the
customer. The bill would prohibit
an energy management service provider or its contractor from providing a service that allows a customer to monitor his or her electricity or gas usage, except as specified.end deletebegin insert a business from sharing, disclosing, or otherwise making accessible to any 3rd party a customer’s electrical or natural gas usage without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used. The bill would require a business and a nonaffiliated 3rd party, pursuant to a contract, to implement and maintain reasonable security procedures and practices to protect the data from unauthorized disclosure. The bill would prohibit a business from providing an incentive or discount to the customer for accessing the data without the prior consent of the customer. The bill would require a business to take reasonable steps with regard to the disposal of customer data no longer
to be retained.end insert
The bill would authorize a customer to bring a civil action for actual damages not to exceed $500 for each willful violation of these provisions.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
begin insertTitle 1.81.4 (commencing with Section 1798.98)
2is added to Part 4 of Division 3 of the end insertbegin insertCivil Codeend insertbegin insert, to read:end insert
(a) For the purposes of this title, the following
5definitions shall apply:
6(1) “Business” means a sole proprietorship, partnership,
7corporation, association, or other group, however organized and
8whether or not organized to operate at a profit, including a
9financial institution organized, chartered, or holding a license or
10authorization certificate under the law of this state, any other state,
11the United States, or of any other country, or the parent or the
12subsidiary of a financial institution.
13(2) “Customer” means a customer of an electrical or gas
14corporation or a local publicly owned electric utility that permits
15a business to have access to data in association with purchasing
16or leasing a product or obtaining a service from the business.
17(3) “Data” means a customer’s electrical
or natural gas usage
18that is made available to the business as part of an advanced
19metering infrastructure provided by an electrical corporation, a
20gas corporation, or a local publicly owned electric utility, and
21includes the name, account number, or physical address of the
22customer.
23(4) “Electrical corporation” has the same meaning as in Section
24218 of the Public Utilities Code.
25(5) “Gas corporation” has the same meaning as in Section 222
26of the Public Utilities Code.
27(6) “Local publicly owned electric utility” has the same meaning
28as in Section 224.3 of the Public Utilities Code.
29(b) Unless otherwise required or authorized by federal or state
30law, a business shall not share, disclose, or otherwise make
31accessible to any third party a customer’s data without obtaining
32the express consent of the customer and conspicuously disclosing
33to whom the disclosure will be made and how the data will be
34
used.
35(c) A business that discloses data, with the express consent of
36the customer, pursuant to a contract with a nonaffiliated third
37party, shall require by contract that the third party implement and
38maintain reasonable security procedures and practices appropriate
39to the nature of the information, to protect the data from
40unauthorized access, destruction, use, modification, or disclosure.
P4 1(d) A business shall implement and maintain reasonable security
2procedures and practices appropriate to the nature of the
3information to protect the data from unauthorized access,
4destruction, use, modification, or disclosure.
5(e) A business shall not provide an incentive or discount to the
6customer for accessing the data without the prior consent of the
7customer.
8(f) A business shall take all reasonable steps to dispose, or
9arrange for the disposal, of customer data within its custody or
10control when the
records are no longer to be retained by the
11business by (1) shredding, (2) erasing, or (3) otherwise modifying
12the data in those records to make it unreadable or undecipherable
13through any means.
14(g) The provisions of this section do not apply to an electrical
15corporation, a gas corporation, or a local publicly owned electric
16utility or a business that secures the data as a result of a contract
17with an electrical or gas corporation or a local publicly owned
18electric utility under the provisions of Section 8380 or 8381 of the
19Public Utilities Code.
A customer harmed by the release and unauthorized
21use of his or her customer data, in violation of Section 1798.98,
22may bring a civil action to recover actual damages in an amount
23not to exceed five hundred dollars ($500) for each willful violation.
24(b) The rights, remedies, and penalties established by this title
25are in addition to the rights, remedies, or penalties established
26under any other law.
27(c) Nothing in this title shall abrogate any authority of the
28Attorney General to enforce existing law.
Title 1.81.4 (commencing with Section 1798.98)
30is added to Part 4 of Division 3 of the Civil Code, to read:
31
(a) For the purposes of this section, the following
36definitions shall apply:
37 (1) “Electrical or gas consumption data” has the meaning used
38in Section 8380 of the Public Utilities Code.
39(2) “Energy management service provider” means
an entity that
40receives electrical or gas consumption data from a utility advanced
P5 1metering system, but excludes an electrical or gas corporation or
2publicly owned utility or its agent, contractor, or vendor.
3(3) “Customer” means a residential customer or a nonresidential
4customer with a demand of 20kW or less during the previous
5calendar year.
6(b) An energy management service provider and its contractors
7shall abide by the following:
8(1) An energy
management service provider shall not share,
9disclose, or otherwise make accessible to a third party a customer’s
10electrical or gas consumption data, except upon the express consent
11of the customer.
12(2) An energy management service provider shall not sell a
13customer’s electrical or gas consumption data or any other
14personally identifiable information for any purpose, except as
15provided in subdivision (d).
16(3) An
energy management service provider and its contractors
17shall not provide an incentive or discount to the customer for
18accessing the customer’s electrical or gas consumption data without
19the prior consent of the customer.
20(4) If
an energy management service provider or its contractor
21provides a service that allows a customer to monitor his or her
22electricity or gas usage, and uses the data for a purpose other than
23that specified in the agreement between the customer and the
24energy management service provider, either the energy
25management service provider shall prominently disclose the
26purpose and secure the customer’s express consent to the use of
27his or her data for that purpose prior to the use of
the data, or the
28contract between the energy management service provider and its
29contractor shall provide that the contractor prominently discloses
30that purpose to the customer and secures the customer’s express
31consent to the use of his or her data for that purpose prior to the
32use of the data.
33(5) If an energy management service provider contracts with a
34third party for any service and that third party uses customer
35electrical or gas consumption data for a secondary commercial
36purpose, the energy management
service provider shall prominently
37disclose that secondary commercial purpose and secure the
38customer’s consent to the use of his or her data for that purpose
39prior to the use of the data.
P6 1(6) An energy management service provider shall use industry
2standards for securing a customer’s unencrypted electrical or gas
3consumption data from the unauthorized access, destruction, use,
4modification, or disclosure of the data.
5(7) If a customer chooses to disclose his or her electrical or gas
6consumption data to a third party that is unaffiliated with, and has
7no other business relationship with, the energy management service
8provider, the energy management service provider shall not be
9responsible for the security of that data, or its use or misuse.
10(c) This section shall not preclude an energy management
11service provider from using or disclosing electrical or gas
12consumption data for analysis, research, reporting, sharing with
13third parties, or program management if the data has been
14aggregated sufficiently to protect individual customer identity and
15personally identifying information has been removed.
16(d) This section shall not preclude an energy management
17service provider, with the consent of the customer, from disclosing
18a customer’s electrical or gas consumption data to a third party for
19the operational needs of an electric or natural gas system or electric
20grid, or the implementation of demand response, energy
21management, or energy efficiency programs. The third party shall
22use industry standards for securing customer’s unencrypted data
23from the unauthorized access, destruction, use, modification, or
24disclosure of the
data and for the destruction of data.
25(e) This section shall not preclude an energy management
26service provider from disclosing electrical or gas consumption
27data as required under state or federal law.
(a) A customer harmed by the release and
29unauthorized use of his or her electrical or gas consumption data,
30as described in Section 1798.98, may bring a civil action to recover
31actual damages in an amount not to exceed five hundred dollars
32($500) for each willful violation.
33(b) The rights, remedies, and penalties established by this title
34are in addition to the rights,
remedies, or penalties established
35under any other law.
36(c) Nothing in this title shall abrogate any authority of the
37Attorney General to enforce existing law.
O
96