BILL ANALYSIS                                                                                                                                                                                                    






                             SENATE JUDICIARY COMMITTEE
                             Senator Noreen Evans, Chair
                              2013-2014 Regular Session


          AB 1274 (Bradford)
          As Amended June 25, 2013
          Hearing Date: July 2, 2013
          Fiscal: No
          Urgency: No
          TH


                                        SUBJECT
                                           
               Privacy: Customer Electrical or Natural Gas Usage Data

                                      DESCRIPTION  

          Existing law provides that a local publicly owned electric  
          utility, electrical corporation, or gas corporation, shall not  
          share, disclose, or otherwise make accessible to any third party  
          a customer's utility consumption data without the consent of the  
          customer, except as otherwise provided by law.

          This bill would extend this restriction to all businesses, other  
          than the utility providers noted above and their third-party  
          contractors, that acquire a customer's utility consumption data.  
          Additionally, it would require these businesses to disclose to
          whom utility consumption data will be disclosed and for what  
          purpose before any disclosure can be made, and would require  
          these businesses to implement specified security procedures to  
          protect the data from unauthorized access.  The bill would also  
          create a new civil remedy allowing consumers to recover actual  
          damages resulting from harm caused by the release and  
          unauthorized use of utility consumption data.

                                      BACKGROUND  

          California gas and electric utility providers are developing and  
          implementing advanced metering infrastructure across the state.   
          The "smart meter" is the most recognizable component of this new  
          infrastructure.  Through a smart meter, a utility is able to  
          gather consumption data from a consumer in real time, allowing  
          it to offer new demand response and energy management programs  
          such as critical peak pricing, where utility rates fluctuate in  
          response to overall system demand.  With this new technology and  
          access to real-time energy usage data has come an increased  
          interest in using this data for marketing and other purposes.

          Responding to privacy concerns surrounding the use of utility  
          consumption data, the Legislature passed and the Governor signed  
          SB 1476 (Padilla, Ch. 497, Stats. 2010) which, among other  
          things, prohibited a utility as defined from sharing,  
          disclosing, or otherwise making a consumer's electrical or gas  
          consumption data accessible to third parties, except in  
          specified instances.  The bill also required that, in cases  
          where a utility contracts with a third party for a service that  
          allows a customer to monitor his or her electricity or gas usage  
          and the third party uses that information for a secondary  
          commercial purpose, the contract between the utility and the  
          third party must prominently disclose that purpose to the  
          customer.  SB 1476 also permitted a utility to disclose a  
          customer's electrical or gas consumption data to a third party  
          for system, grid, or operational needs, or the implementation of  
          demand response, energy management, or energy efficiency  
          programs provided that the contract between the utility and that  
          third party prohibited the use of the data for a secondary  
          commercial purpose without the customer's consent.  The  
          following year, the Legislature passed and the Governor signed  
          SB 674 (Padilla, Ch. 255, Stats. 2011), which amended the  
          protections added by SB 1476 to make clear that a customer's  
          prior consent is required for the use and release of the  
          customer's data for a secondary purpose in both of the instances  
          described above.  However, neither SB 1476 nor SB 674 imposed  
          restrictions on the use of a customer's utility consumption data  
          in situations when this data is acquired from a source other  
          than the utility provider or their third-party contractors, or  
          after this data has been transmitted to a third party by the  
          utility provider.

          This bill would address that gap in the law by restricting  
          businesses, other than electrical corporations, gas  
          corporations, local publicly owned electric utilities, or   
          businesses that receive customer utility consumption data under  
          contract with any of these three entities, from sharing,  
          disclosing, or otherwise making accessible to any third party  
          customer utility consumption data without obtaining the express  
          consent of the customer and conspicuously disclosing to whom the  
          disclosure will be made and how the data will be used.  This  
          bill would also prohibit a business from providing an incentive  
          or discount to a utility customer for accessing consumption data
          without first obtaining the customer's consent.  The bill would  
          require businesses that possess or maintain customer utility  
          consumption data to implement certain security procedures to  
          protect the data from unauthorized access.  Finally, the bill  
          would also create a new civil remedy allowing customers to  
          recover actual damages resulting from harm caused by the release  
          and unauthorized use of their utility consumption data.

                                CHANGES TO EXISTING LAW
           
           Existing law  provides that, among other rights, all people have  
          an inalienable right to pursue and obtain privacy.  (Cal.  
          Const., art. I, Sec. 1.)

           Existing case law  permits a person to bring an action in tort  
          for the invasion of privacy, and provides that in order to state  
          a claim for violation of the constitutional right to privacy a  
          plaintiff must establish the following three elements: (1) a  
          legally protected privacy interest; (2) a reasonable expectation  
          of privacy in the circumstances; and (3) conduct by the  
          defendant that constitutes a serious invasion of privacy.  (Hill  
          v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)

           Existing law  states that a local publicly owned utility, an
          electrical corporation, or gas corporation, shall not share,  
          disclose, or otherwise make accessible to any third party a  
          customer's electrical or gas consumption data, except as  
          specified or upon the consent of the customer.  Existing law  
          also prohibits these entities from selling a customer's utility  
          consumption data.  (Pub. Util. Code Secs. 8380(b)(1)-(2),  
          8381(b)(1)-(2).)

           Existing law  provides that if an electrical or gas corporation  
          or local publicly owned electric utility contracts with a third  
          party for a service that permits a customer to monitor his or  
          her electricity or gas usage and the third party uses that  
          information for a secondary commercial purpose, the contract  
          between the utility and third party shall provide that the third  
          party prominently disclose that secondary commercial purpose to  
          the customer and require the third party to secure the  
          customer's consent prior to the use of the data for that  
          secondary commercial purpose.  (Pub. Util. Code Secs. 8380(c),  
          8381(c).)

           Existing law  states that a local publicly owned utility, an  
          electrical corporation, or gas corporation, shall not provide an  
          incentive or discount to the customer for accessing the
          customer's utility consumption data without the prior consent of  
          the customer.  (Pub. Util. Code Secs. 8380(b)(3), 8381(b)(3).)
          
           Existing law  states that a local publicly owned utility, an  
          electrical corporation, or gas corporation, shall use reasonable  
          security procedures and practices to protect a customer's  
          unencrypted electrical or gas consumption data from unauthorized  
          access, destruction, use, modification, or disclosure.  (Pub.  
          Util. Code Secs. 8380(d), 8381(d).)

           Existing law  does not preclude a local publicly owned utility,  
          an electrical corporation, or gas corporation, from disclosing a  
          customer's electrical or gas consumption data to a third party  
          for system, grid, or operational needs, or the implementation of  
          demand response, energy management, or energy efficiency  
          programs, provided that, for contracts entered into after  
          January 1, 2011, the utility has required by contract that the  
          third party implement and maintain reasonable security  
          procedures and practices appropriate to the nature of the  
          information, to protect the personal information from  
          unauthorized access, destruction, use, modification, or  
          disclosure, and prohibits the use of the data for a secondary  
          commercial purpose not related to the primary purpose of the  
          contract without the customer's prior consent to that use.   
          (Pub. Util. Code Secs. 8380(e)(2), 8381(e)(2).)

           This bill  provides that unless otherwise required or authorized  
          by federal or state law, a business shall not share, disclose,  
          or otherwise make accessible to any third party a customer's  
          data without obtaining the express consent of the customer and  
          conspicuously disclosing to whom the disclosure will be made and  
          how the data will be used.

           This bill  provides that a business shall not provide an  
          incentive or discount to the customer for accessing the data  
          without the prior consent of the customer.

           This bill  provides that a business shall implement and maintain
          reasonable security procedures and practices appropriate to the  
          nature of the information to protect the data from unauthorized  
          access, destruction, use, modification, or disclosure.

           This bill  also provides that a business that discloses data,  
          with the express consent of the customer, pursuant to a contract  
          with a nonaffiliated third party, shall require by contract that  
          the third party implement and maintain reasonable security  
          procedures and practices appropriate to the nature of the
          information, to protect the data from unauthorized access,  
          destruction, use, modification, or disclosure.

           This bill  provides further that a business shall take all  
          reasonable steps to dispose, or arrange for the disposal, of  
          customer data within its custody or control when the records are  
          no longer to be retained by the business by (1) shredding, (2)  
          erasing, or (3) otherwise modifying the data in those records to  
          make it unreadable or undecipherable through any means.

           This bill  provides that a customer harmed by the release and  
          unauthorized use of his or her customer data, in violation of  
          the above provisions, may bring a civil action to recover actual  
          damages in an amount not to exceed five hundred dollars ($500)  
          for each willful violation.  The rights, remedies, and penalties  
          established by this bill are in addition to the rights,  
          remedies, or penalties established under any other law.

           This bill  also provides that it shall not abrogate any authority  
          of the Attorney General to enforce existing law.

           This bill  states that it shall not apply to an electrical  
          corporation, a gas corporation, or a local publicly owned  
          electric utility or a business that secures the data as a result  
          of a contract with an electrical or gas corporation or a local  
          publicly owned electric utility under the provisions of Section  
          8380 or 8381 of the Public Utilities Code. 

                                        COMMENT
           
          1.  Stated need for the bill  
          
          The author writes:
          
               Existing law prohibits utilities from selling or sharing  
               customer data on gas and electricity use unless ordered by  
               federal or state authorities.

               This bill prohibits a 3rd party from sharing, disclosing,  
               or otherwise making a customer's electrical or gas  
               consumption data accessible to another entity except with  
               the consent of the customer; it prohibits selling a  
               customer's electrical or gas consumption data, and it  
               prohibits providing an incentive or discount to the  
               customer for accessing the customer's electrical or gas  
               consumption data without the prior consent of the customer.

               This bill provides remedies to the customer in the event  
               that they are damaged by the willful release of private  
               information.

               Third party providers are not utilities and do not fall  
               within the scope of the PUC's regulatory oversight  
               therefore they are not subject to current data privacy  
               laws. This bill addresses that gap so that independent 3rd  
               parties are required to maintain privacy of customer data.

          2.  Privacy concerns regarding utility consumption data  

          The development of "smart grid" infrastructure in California has  
          enabled utility customers to receive detailed, real-time  
          information about their energy usage.  This new data about one's  
          utility consumption allows customers to better manage their  
          overall energy use and identify more precisely where energy is  
          being used in their home.  For some customers, a device called a  
          "home area network" (HAN) is built into their "smart meter"  
          which allows the metering infrastructure to interface with an  
          existing home computer network.  According to the California  
          Public Utilities Commission, some of these HANs include  
          independent communications channels that can be controlled by  
          consumers, enabling the consumer to provide third-parties not  
          related or connected to the utility provider with access to  
          their utility consumption data through the Internet.

          With this new technology and access to real-time energy usage  
          data has come an increased interest in using this data for  
          marketing purposes.  The technology sector has revealed how  
          analysis of this data can, for instance, show that a consumer  
          owns a refrigerator that is an energy hog, giving this data a  
          high value in the marketplace.  However, the information gained  
          through analysis of utility consumption data is potentially much  
          more revealing.  The Department of Energy made the following  
          findings in a recent report about energy consumption data  
          collected by advanced metering infrastructure:

               Advances in Smart Grid technology could significantly  
               increase the amount of potentially available information  
               about personal energy consumption.  Such information could  
               reveal personal details about the lives of consumers, such  
               as their daily schedules (including times when they are at  
               or away from home or asleep), whether their homes are  
               equipped with alarm systems, whether they own expensive  
               electronic equipment such as plasma TVs, and whether they
               use certain types of medical equipment.  Consumers  
               rightfully expect that the privacy of this information will  
               be maintained.  The proprietary business information of  
               non-residential customers could also be revealed through  
               the release of energy consumption data, resulting in  
               competitive harm.  Studies conducted by utilities and  
               consumer advocates have consistently shown that privacy  
               issues are of tremendous import to consumers of  
               electricity.  (U.S. Department of Energy, Data Access and  
               Privacy Issues Related To Smart Grid Technologies  
                [as of June 25,  
               2013].)

          This bill responds to these privacy concerns by enacting
          restrictions prohibiting businesses from sharing, disclosing, or  
          otherwise making accessible a customer's utility consumption  
          data to third parties without first obtaining the consent of the  
          customer and disclosing to whom and for what purpose disclosure  
          will be made.  The bill helps to ensure that any disclosures  
          that are made are subject to data security measures required by  
          contract, and provides an express remedy for consumers who are  
          harmed by the release and unauthorized use of their utility  
          consumption data. 

          3.    Fundamental right to privacy  

          Staff notes that the right to privacy is a fundamental right  
          protected by Section 1 of Article I of the Constitution of  
          California.  This bill builds upon that fundamental right by  
          providing utility customers with safeguards to ensure that their  
          privacy is maintained as the market for utility consumption data  
          grows, and as advanced metering infrastructure enables data  
          analysts to peer ever deeper into the lives of the people on the  
          other end of a power or gas line.  Detailed utility usage data  
          can be analyzed to discern information about a customer's daily  
          patterns and habits as revealed from the appliances they use,  
          down to the level of being able to determine whether a customer  
          turned on their alarm system when they left for work, or, for  
          those who own plug-in electric vehicles, a customer's location  
          and travel history based on their use of grid-connected charging  
          infrastructure.  (See Brandon J. Murrill, Edward C. Liu, Richard  
          M. Thompson III, Smart Meter Data: Privacy and Cybersecurity,  
          Congressional Research Service Report R42338, February 3, 2012,  
          pp. 4-6.)  Indeed, according to the National Institute of  
          Standards and Technology, "research shows that analyzing  
          15-minute interval aggregate household energy consumption data
          can by itself pinpoint the use of most major home appliances."   
          (Id., p. 4.)  The revealing nature of this information, if  
          acquired by third parties, could lead to harassment or unwanted  
          exposure to targeted marketing.

          This bill would put the customer in control of to whom and for  
          what purpose their utility consumption data is shared, requiring  
          the customer's affirmative consent before any consumption data  
          could be shared with a third party.  It would also require any  
          data held by a business or disclosed to a third party to be  
          protected by "reasonable security procedures and practices  
          appropriate to the nature of the information."  As discussed in  
          Comment 5, it would additionally provide consumers with a new  
          legal remedy for recovering damages for losses incurred due to  
          the unauthorized use and access of utility usage data.

          4.    Exclusion for third-party contracted businesses
           
          In its current form, this bill specifically excludes from its  
          provisions electrical corporations, gas corporations, local  
          publicly owned electric utilities, and businesses that acquire  
          customer utility consumption data as a result of a contract with  
          one of these utility providers, as specified.  As noted above,  
          electrical corporations, gas corporations, and local publicly  
          owned electric utilities are already subject to very similar  
          data privacy and data security provisions to those in this bill  
          pursuant to Sections 8380 and 8381 of the Public Utilities Code  
          (which generally restrict the transmission of utility  
          consumption data to third parties absent a customer's consent).   
          These two sections of the Public Utilities Code also impose some  
          privacy controls on third-party businesses in privity of  
          contract with utility providers where a third-party business  
          uses customer utility consumption data to allow a customer to  
          monitor his or her electricity or gas usage (see Pub. Util. Code  
          Secs. 8380(c), 8381(c)), or for system, grid, or operational  
          needs, or the implementation of demand response, energy  
          management, or energy efficiency programs (see Pub. Util. Code  
          Secs. 8380(e)(2), 8381(e)(2)).

          While the privacy and security controls in Sections 8380 and  
          8381 do contain parallel provisions to this bill, this bill  
          arguably offers more robust consumer protection.  Staff notes  
          that the focus of this bill is on providing consumer security  
          and privacy safeguards whenever businesses acquire a customer's  
          utility consumption data.  The potential for harm to a consumer  
          following the unauthorized use or release of his or her
          consumption data is the same regardless of where a particular  
          business stands in relation to a utility provider.  It therefore  
          may not make sense as a matter of policy to exempt from this  
          bill those businesses in privity of contract with a utility  
          provider by the mere fact that those two parties have entered  
          into some sort of data usage or sharing contract.  The author  
          offers the following amendment to limit the scope of this bill's  
          exclusion clause to just those businesses that use utility  
          consumption data for system, grid, or operational needs, or the  
          implementation of demand response, energy management, or energy  
          efficiency programs:

                Author's Amendment  


               On page 4, lines 18-19, strike "Section 8380 or 8381 of the  
               Public Utilities Code" and replace with "Section 8380(e) or  
               8381(e) of the Public Utilities Code"

          5.    Remedies  

          Staff notes that, unlike the utility consumption data  
          protections codified in Sections 8380 and 8381 of the Public  
          Utilities Code, this bill provides an express remedy for  
          consumers who are injured as a result of a business's misuse of  
          their utility data.  The bill provides that a customer harmed by  
          the release and unauthorized use of his or her utility  
          consumption data in violation of the bill's provisions may bring  
          a civil action to recover actual damages not to exceed $500 per  
          willful violation.  The bill also expressly states that any  
          remedy available under this provision is in addition to remedies  
          established under other law, which may include claims brought  
          pursuant to California's Unfair Practices Act (Bus. & Prof. Code  
          Sec. 17000), or as a third-party beneficiary under California  
          contract law.  To clarify the scope of the remedy provision and  
          make explicit that it applies to harm resulting from either the  
          release or the unauthorized use of a customer's utility  
          consumption data, the author offers the following amendment:



                Author's Amendment  

               On page 4, line 20, strike "and" and replace with "or"

          6.    CPUC requested amendment

          In its letter of support dated April 9, 2013, the California  
          Public Utilities Commission (CPUC) requested that this bill be  
          amended "to provide general consumer protection (outside of the  
          CPUC's jurisdiction) of consumption data . . . from unauthorized  
          access or disclosure by any third party . . . and that the bill  
          be moved from the Public Utilities Code and placed under the
          jurisdiction of an agency other than the CPUC."  Staff notes  
          that amendments to the bill made on June 25, 2013, seem to  
          address the CPUC's concerns.  However, the Committee has not  
          received any updated correspondence from the CPUC.


           Support  :  California Public Utilities Commission (if amended);  
          Division of Ratepayer Advocates, California Public Utilities  
          Commission

           Opposition  :  None Known

                                        HISTORY
           
           Source  :  Author

           Related Pending Legislation  :  None Known

           Prior Legislation  :

          SB 674 (Padilla, Chapter 255, Statutes of 2011) see Background.

          SB 1476 (Padilla, Chapter 497, Statutes of 2010) see Background.

           Prior Vote  :

          Assembly Rules Committee (Ayes 8, Noes 0)
          Assembly Judiciary Committee (Ayes 10, Noes 0)
          Assembly Floor (Ayes 75, Noes 0)
          Senate Energy, Utilities, and Communications Committee (Ayes 8,  
          Noes 0)
