AB 1274, as amended, Bradford. Privacy: customer electrical or natural gas usage data.
Existing law prohibits, except as specified, an electrical corporation or gas corporation, and a local publicly owned utility, from sharing, disclosing, or otherwise making accessible to a 3rd party a consumer’s electric or gas usage that is made available as a part of an advanced metering infrastructure, including the name, account number, and residence of the customer (data). Existing law requires the electrical corporation or gas corporation, and a local publicly owned utility, to use reasonable security procedures and practices to provide a consumer’s unencrypted data from unauthorized access, destruction, use, modification, or disclosure.
Existing law makes the willful obtaining of personal identifying information, as defined, and use of that information for any unlawful purpose, a felony or misdemeanor. Existing law authorizes a person that has been injured as a result of a violation of this prohibition to bring an action against a claimant, as defined, to establish that they are a victim of identity theft, in connection with the claimant’s claim against that person and to bring a cross-complaint if the claimant has brought an action to recover on a claim against the person. A person who proves that he or she is a victim of identity theft by a preponderance of evidence is entitled to a judgment providing for actual damages, attorney’s fees, and costs, and any equitable relief that the court deems appropriate.
This bill would prohibit a business from sharing, disclosing, or otherwise making accessible to any 3rd party a customer’s electrical or natural gas usage without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how
the data will be used. The bill would require a business and a nonaffiliated 3rd party, pursuant to a contract, to implement and maintain reasonable security procedures and practices to protect the data from unauthorized disclosure. The bill would prohibit a business from providing an incentive or discount to the customer for accessing the data without the prior consent of the customer. The bill would require a business to take reasonable steps
begin delete with regard to the disposal ofend delete customer data begin delete no longer to be retainedend delete.
The bill would authorize a customer to bring a civil action for actual damages not to exceed $500 for each willful violation of these provisions.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Title 1.81.4 (commencing with Section 1798.98)
2is added to Part 4 of Division 3 of the Civil Code, to read:
(a) For the purposes of this title, the following
8definitions shall apply:
9(1) “Business” means a sole proprietorship, partnership,
10corporation, association, or other group, however organized and
11whether or not organized to operate at a profit, including a financial
P3 1institution organized, chartered, or holding a license or
2authorization certificate under the law of this state, any other state,
3the United States, or of any other country, or the parent or the
4subsidiary of a financial institution.
5(2) “Customer” means a customer of an electrical or gas
6corporation or a local publicly owned electric utility that permits
7a business to have access to data in association with purchasing
8or leasing a product or obtaining a service from the business.
9(3) “Data” means a customer’s electrical or natural gas usage
10that is made available to the business as part of an advanced
11metering infrastructure provided by an electrical corporation, a
12gas corporation, or a local publicly owned electric utility, and
13includes the name, account number, or physical address of the
15(4) “Electrical corporation” has the same meaning as in Section
16218 of the Public Utilities Code.
17(5) “Gas corporation” has the same meaning as in Section 222
18of the Public Utilities Code.
19(6) “Local publicly owned electric utility” has the same meaning
20as in Section 224.3 of the Public Utilities Code.
21(b) Unless otherwise required or authorized by federal or state
22law, a business shall not share, disclose, or otherwise make
23accessible to any third party a customer’s data without obtaining
24the express consent of the customer and conspicuously disclosing
25to whom the disclosure will be made and how the data will be
27(c) A business that discloses data, with the express consent of
28the customer, pursuant to a contract with a nonaffiliated third party,
29shall require by contract that the third party implement and
30maintain reasonable security procedures and practices appropriate
31to the nature of the information, to protect the data from
32unauthorized access, destruction, use, modification, or disclosure.
33(d) A business shall implement and maintain reasonable security
34procedures and practices appropriate to the nature of the
35information to protect the data from unauthorized access,
36destruction, use, modification, or disclosure.
37(e) A business shall not provide an incentive or discount to the
38customer for accessing the data without the prior consent of the
P4 1(f) A business shall take all reasonable steps to dispose, or
2arrange for the disposal, of customer data within its custody or
3control when the records are no longer to be retained by the
4business by (1) shredding, (2) erasing, or (3) otherwise modifying
5the data in those records to make it unreadable or undecipherable
6through any means.
7(g) The provisions of this section do not apply to an electrical
8corporation, a gas corporation, or a local publicly owned electric
9utility or a business that secures the data as a result of a contract
10with an electrical or gas corporation or a local publicly owned
11electric utility under the provisions of Section
128380 or 8381 of the Public Utilities Code.
A customer harmed by the release
begin delete andend delete
14 unauthorized use of his or her customer data, in violation of Section
151798.98, may bring a civil action to recover actual damages in an
16amount not to exceed five hundred dollars ($500) for each willful
18(b) The rights, remedies, and penalties established by this title
19are in addition to the rights, remedies, or penalties established
20under any other law.
21(c) Nothing in this title shall abrogate any authority of the
22Attorney General to enforce existing law.