BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2013-2014 Regular Session
AB 1274 (Bradford)
As Amended June 25, 2013
Hearing Date: July 2, 2013
Fiscal: No
Urgency: No
TH
SUBJECT
Privacy: Customer Electrical or Natural Gas Usage Data
DESCRIPTION
Existing law provides that a local publicly owned electric
utility, electrical corporation, or gas corporation, shall not
share, disclose, or otherwise make accessible to any third party
a customer's utility consumption data without the consent of the
customer, except as otherwise provided by law.
This bill would extend this restriction to all businesses, other
than the utility providers noted above and their third-party
contractors, that acquire a customer's utility consumption data.
Additionally, it would require these businesses to disclose to
whom utility consumption data will be disclosed and for what
purpose before any disclosure can be made, and would require
these businesses to implement specified security procedures to
protect the data from unauthorized access. The bill would also
create a new civil remedy allowing consumers to recover actual
damages resulting from harm caused by the release and
unauthorized use of utility consumption data.
BACKGROUND
California gas and electric utility providers are developing and
implementing advanced metering infrastructure across the state.
The "smart meter" is the most recognizable component of this new
infrastructure. Through a smart meter, a utility is able to
gather consumption data from a consumer in real time, allowing
it to offer new demand response and energy management programs
such as critical peak pricing, where utility rates fluctuate in
response to overall system demand. With this new technology and
access to real-time energy usage data has come an increased
interest in using this data for marketing and other purposes.
Responding to privacy concerns surrounding the use of utility
consumption data, the Legislature passed and the Governor signed
SB 1476 (Padilla, Ch. 497, Stats. 2010) which, among other
things, prohibited a utility as defined from sharing,
disclosing, or otherwise making a consumer's electrical or gas
consumption data accessible to third parties, except in
specified instances. The bill also required that, in cases
where a utility contracts with a third party for a service that
allows a customer to monitor his or her electricity or gas usage
and the third party uses that information for a secondary
commercial purpose, the contract between the utility and the
third party must prominently disclose that purpose to the
customer. SB 1476 also permitted a utility to disclose a
customer's electrical or gas consumption data to a third party
for system, grid, or operational needs, or the implementation of
demand response, energy management, or energy efficiency
programs provided that the contract between the utility and that
third party prohibited the use of the data for a secondary
commercial purpose without the customer's consent. The
following year, the Legislature passed and the Governor signed
SB 674 (Padilla, Ch. 255, Stats. 2011), which amended the
protections added by SB 1476 to make clear that a customer's
prior consent is required for the use and release of the
customer's data for a secondary purpose in both of the instances
described above. However, neither SB 1476 nor SB 674 imposed
restrictions on the use of a customer's utility consumption data
in situations when this data is acquired from a source other
than the utility provider or their third-party contractors, or
after this data has been transmitted to a third party by the
utility provider.
This bill would address that gap in the law by restricting
businesses, other than electrical corporations, gas
corporations, local publicly owned electric utilities, or
businesses that receive customer utility consumption data under
contract with any of these three entities, from sharing,
disclosing, or otherwise making accessible to any third party
customer utility consumption data without obtaining the express
consent of the customer and conspicuously disclosing to whom the
disclosure will be made and how the data will be used. This
bill would also prohibit a business from providing an incentive
or discount to a utility customer for accessing consumption data
without first obtaining the customer's consent. The bill would
require businesses that possess or maintain customer utility
consumption data to implement certain security procedures to
protect the data from unauthorized access. Finally, the bill
would also create a new civil remedy allowing customers to
recover actual damages resulting from harm caused by the release
and unauthorized use of their utility consumption data.
CHANGES TO EXISTING LAW
Existing law provides that, among other rights, all people have
an inalienable right to pursue and obtain privacy. (Cal.
Const., art. I, Sec. 1.)
Existing case law permits a person to bring an action in tort
for the invasion of privacy, and provides that in order to state
a claim for violation of the constitutional right to privacy a
plaintiff must establish the following three elements: (1) a
legally protected privacy interest; (2) a reasonable expectation
of privacy in the circumstances; and (3) conduct by the
defendant that constitutes a serious invasion of privacy. (Hill
v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)
Existing law states that a local publicly owned utility, an
electrical corporation, or gas corporation, shall not share,
disclose, or otherwise make accessible to any third party a
customer's electrical or gas consumption data, except as
specified or upon the consent of the customer. Existing law
also prohibits these entities from selling a customer's utility
consumption data. (Pub. Util. Code Secs. 8380(b)(1)-(2),
8381(b)(1)-(2).)
Existing law provides that if an electrical or gas corporation
or local publicly owned electric utility contracts with a third
party for a service that permits a customer to monitor his or
her electricity or gas usage and the third party uses that
information for a secondary commercial purpose, the contract
between the utility and third party shall provide that the third
party prominently disclose that secondary commercial purpose to
the customer and require the third party to secure the
customer's consent prior to the use of the data for that
secondary commercial purpose. (Pub. Util. Code Secs. 8380(c),
8381(c).)
Existing law states that a local publicly owned utility, an
electrical corporation, or gas corporation, shall not provide an
incentive or discount to the customer for accessing the
customer's utility consumption data without the prior consent of
the customer. (Pub. Util. Code Secs. 8380(b)(3), 8381(b)(3).)
Existing law states that a local publicly owned utility, an
electrical corporation, or gas corporation, shall use reasonable
security procedures and practices to protect a customer's
unencrypted electrical or gas consumption data from unauthorized
access, destruction, use, modification, or disclosure. (Pub.
Util. Code Secs. 8380(d), 8381(d).)
Existing law does not preclude a local publicly owned utility,
an electrical corporation, or gas corporation, from disclosing a
customer's electrical or gas consumption data to a third party
for system, grid, or operational needs, or the implementation of
demand response, energy management, or energy efficiency
programs, provided that, for contracts entered into after
January 1, 2011, the utility has required by contract that the
third party implement and maintain reasonable security
procedures and practices appropriate to the nature of the
information, to protect the personal information from
unauthorized access, destruction, use, modification, or
disclosure, and prohibits the use of the data for a secondary
commercial purpose not related to the primary purpose of the
contract without the customer's prior consent to that use.
(Pub. Util. Code Secs. 8380(e)(2), 8381(e)(2).)
This bill provides that unless otherwise required or authorized
by federal or state law, a business shall not share, disclose,
or otherwise make accessible to any third party a customer's
data without obtaining the express consent of the customer and
conspicuously disclosing to whom the disclosure will be made and
how the data will be used.
This bill provides that a business shall not provide an
incentive or discount to the customer for accessing the data
without the prior consent of the customer.
This bill provides that a business shall implement and maintain
reasonable security procedures and practices appropriate to the
nature of the information to protect the data from unauthorized
access, destruction, use, modification, or disclosure.
This bill also provides that a business that discloses data,
with the express consent of the customer, pursuant to a contract
with a nonaffiliated third party, shall require by contract that
the third party implement and maintain reasonable security
procedures and practices appropriate to the nature of the
information, to protect the data from unauthorized access,
destruction, use, modification, or disclosure.
This bill provides further that a business shall take all
reasonable steps to dispose, or arrange for the disposal, of
customer data within its custody or control when the records are
no longer to be retained by the business by (1) shredding, (2)
erasing, or (3) otherwise modifying the data in those records to
make it unreadable or undecipherable through any means.
This bill provides that a customer harmed by the release and
unauthorized use of his or her customer data, in violation of
the above provisions, may bring a civil action to recover actual
damages in an amount not to exceed five hundred dollars ($500)
for each willful violation. The rights, remedies, and penalties
established by this bill are in addition to the rights,
remedies, or penalties established under any other law.
This bill also provides that it shall not abrogate any authority
of the Attorney General to enforce existing law.
This bill states that it shall not apply to an electrical
corporation, a gas corporation, or a local publicly owned
electric utility or a business that secures the data as a result
of a contract with an electrical or gas corporation or a local
publicly owned electric utility under the provisions of Section
8380 or 8381 of the Public Utilities Code.
COMMENT
1. Stated need for the bill
The author writes:
Existing law prohibits utilities from selling or sharing
customer data on gas and electricity use unless ordered by
federal or state authorities.
This bill prohibits a 3rd party from sharing, disclosing,
or otherwise making a customer's electrical or gas
consumption data accessible to another entity except with
the consent of the customer; it prohibits selling a
customer's electrical or gas consumption data, and it
prohibits providing an incentive or discount to the
customer for accessing the customer's electrical or gas
consumption data without the prior consent of the customer.
This bill provides remedies to the customer in the event
that they are damaged by the willful release of private
information.
Third party providers are not utilities and do not fall
within the scope of the PUC's regulatory oversight
therefore they are not subject to current data privacy
laws. This bill addresses that gap so that independent 3rd
parties are required to maintain privacy of customer data.
2. Privacy concerns regarding utility consumption data
The development of "smart grid" infrastructure in California has
enabled utility customers to receive detailed, real-time
information about their energy usage. This new data about one's
utility consumption allows customers to better manage their
overall energy use and identify more precisely where energy is
being used in their home. For some customers, a device called a
"home area network" (HAN) is built into their "smart meter"
which allows the metering infrastructure to interface with an
existing home computer network. According to the California
Public Utilities Commission, some of these HANs include
independent communications channels that can be controlled by
consumers, enabling the consumer to provide third parties not
related or connected to the utility provider with access to
their utility consumption data through the Internet.
With this new technology and access to real-time energy usage
data has come an increased interest in using this data for
marketing purposes. The technology sector has revealed how
analysis of this data can, for instance, show that a consumer
owns a refrigerator that is an energy hog, giving this data a
high value in the marketplace. However, the information gained
through analysis of utility consumption data is potentially much
more revealing. The Department of Energy made the following
findings in a recent report about energy consumption data
collected by advanced metering infrastructure:
Advances in Smart Grid technology could significantly
increase the amount of potentially available information
about personal energy consumption. Such information could
reveal personal details about the lives of consumers, such
as their daily schedules (including times when they are at
or away from home or asleep), whether their homes are
equipped with alarm systems, whether they own expensive
electronic equipment such as plasma TVs, and whether they
use certain types of medical equipment. Consumers
rightfully expect that the privacy of this information will
be maintained. The proprietary business information of
non-residential customers could also be revealed through
the release of energy consumption data, resulting in
competitive harm. Studies conducted by utilities and
consumer advocates have consistently shown that privacy
issues are of tremendous import to consumers of
electricity. (U.S. Department of Energy, Data Access and
Privacy Issues Related To Smart Grid Technologies
[as of June 25,
2013].)
This bill responds to these privacy concerns by enacting
restrictions prohibiting businesses from sharing, disclosing, or
otherwise making accessible a customer's utility consumption
data to third parties without first obtaining the consent of the
customer and disclosing to whom and for what purpose disclosure
will be made. The bill helps to ensure that any disclosures
that are made are subject to data security measures required by
contract, and provides an express remedy for consumers who are
harmed by the release and unauthorized use of their utility
consumption data.
3. Fundamental right to privacy
Staff notes that the right to privacy is a fundamental right
protected by Section 1 of Article I of the Constitution of
California. This bill builds upon that fundamental right by
providing utility customers with safeguards to ensure that their
privacy is maintained as the market for utility consumption data
grows, and as advanced metering infrastructure enables data
analysts to peer ever deeper into the lives of the people on the
other end of a power or gas line. Detailed utility usage data
can be analyzed to discern information about a customer's daily
patterns and habits as revealed from the appliances they use,
down to the level of being able to determine whether a customer
turned on their alarm system when they left for work, or, for
those who own plug-in electric vehicles, a customer's location
and travel history based on their use of grid-connected charging
infrastructure. (See Brandon J. Murrill, Edward C. Liu, Richard
M. Thompson III, Smart Meter Data: Privacy and Cybersecurity,
Congressional Research Service Report R42338, February 3, 2012,
pp. 4-6.) Indeed, according to the National Institute of
Standards and Technology, "research shows that analyzing
15-minute interval aggregate household energy consumption data
can by itself pinpoint the use of most major home appliances."
(Id., p. 4.) The revealing nature of this information, if
acquired by third parties, could lead to harassment or unwanted
exposure to targeted marketing.
This bill would put the customer in control of to whom and for
what purpose their utility consumption data is shared, requiring
the customer's affirmative consent before any consumption data
could be shared with a third party. It would also require any
data held by a business or disclosed to a third party to be
protected by "reasonable security procedures and practices
appropriate to the nature of the information." As discussed in
Comment 5, it would additionally provide consumers with a new
legal remedy for recovering damages for losses incurred due to
the unauthorized use and access of utility usage data.
4. Exclusion for third-party contracted businesses
In its current form, this bill specifically excludes from its
provisions electrical corporations, gas corporations, local
publicly owned electric utilities, and businesses that acquire
customer utility consumption data as a result of a contract with
one of these utility providers, as specified. As noted above,
electrical corporations, gas corporations, and local publicly
owned electric utilities are already subject to very similar
data privacy and data security provisions to those in this bill
pursuant to Sections 8380 and 8381 of the Public Utilities Code
(which generally restrict the transmission of utility
consumption data to third parties absent a customer's consent).
These two sections of the Public Utilities Code also impose some
privacy controls on third-party businesses in privity of
contract with utility providers where a third-party business
uses customer utility consumption data to allow a customer to
monitor his or her electricity or gas usage (see Pub. Util. Code
Secs. 8380(c), 8381(c)), or for system, grid, or operational
needs, or the implementation of demand response, energy
management, or energy efficiency programs (see Pub. Util. Code
Secs. 8380(e)(2), 8381(e)(2)).
While the privacy and security controls in Sections 8380 and
8381 do contain parallel provisions to this bill, this bill
arguably offers more robust consumer protection. Staff notes
that the focus of this bill is on providing consumer security
and privacy safeguards whenever businesses acquire a customer's
utility consumption data. The potential for harm to a consumer
following the unauthorized use or release of his or her
consumption data is the same regardless of where a particular
business stands in relation to a utility provider. It therefore
may not make sense as a matter of policy to exempt from this
bill those businesses in privity of contract with a utility
provider by the mere fact that those two parties have entered
into some sort of data usage or sharing contract. The author
offers the following amendment to limit the scope of this bill's
exclusion clause to just those businesses that use utility
consumption data for system, grid, or operational needs, or the
implementation of demand response, energy management, or energy
efficiency programs:
Author's Amendment
On page 4, lines 18-19, strike "Section 8380 or 8381 of the
Public Utilities Code" and replace with "Section 8380(e) or
8381(e) of the Public Utilities Code"
5. Remedies
Staff notes that, unlike the utility consumption data
protections codified in Sections 8380 and 8381 of the Public
Utilities Code, this bill provides an express remedy for
consumers who are injured as a result of a business's misuse of
their utility data. The bill provides that a customer harmed by
the release and unauthorized use of his or her utility
consumption data in violation of the bill's provisions may bring
a civil action to recover actual damages not to exceed $500 per
willful violation. The bill also expressly states that any
remedy available under this provision is in addition to remedies
established under other law, which may include claims brought
pursuant to California's Unfair Practices Act (Bus. & Prof. Code
Sec. 17000), or as a third-party beneficiary under California
contract law. To clarify the scope of the remedy provision and
make explicit that it applies to harm resulting from either the
release or the unauthorized use of a customer's utility
consumption data, the author offers the following amendment:
Author's Amendment
On page 4, line 20, strike "and" and replace with "or"
6. CPUC requested amendment
In its letter of support dated April 9, 2013, the California
Public Utilities Commission (CPUC) requested that this bill be
amended "to provide general consumer protection (outside of the
CPUC's jurisdiction) of consumption data . . . from unauthorized
access or disclosure by any third party . . . and that the bill
be moved from the Public Utilities Code and placed under the
jurisdiction of an agency other than the CPUC." Staff notes
that amendments to the bill made on June 25, 2013, seem to
address the CPUC's concerns. However, the Committee has not
received any updated correspondence from the CPUC.
Support : California Public Utilities Commission (if amended);
Division of Ratepayer Advocates, California Public Utilities
Commission
Opposition : None Known
HISTORY
Source : Author
Related Pending Legislation : None Known
Prior Legislation :
SB 674 (Padilla, Chapter 255, Statutes of 2011) see Background.
SB 1476 (Padilla, Chapter 497, Statutes of 2010) see Background.
Prior Vote :
Assembly Rules Committee (Ayes 8, Noes 0)
Assembly Judiciary Committee (Ayes 10, Noes 0)
Assembly Floor (Ayes 75, Noes 0)
Senate Energy, Utilities, and Communications Committee (Ayes 8,
Noes 0)