BILL ANALYSIS Ó ----------------------------------------------------------------- |SENATE RULES COMMITTEE | AB 1274| |Office of Senate Floor Analyses | | |1020 N Street, Suite 524 | | |(916) 651-1520 Fax: (916) | | |327-4478 | | ----------------------------------------------------------------- THIRD READING Bill No: AB 1274 Author: Bradford (D) Amended: 7/8/13 in Senate Vote: 21 SENATE ENERGY, UTIL. & COMMUNIC. COMMITTEE : 8-0, 6/18/13 AYES: Padilla, Fuller, Corbett, DeSaulnier, Hill, Knight, Wolk, Wright NO VOTE RECORDED: Cannella, De León, Pavley SENATE JUDICIARY COMMITTEE : 6-0, 7/2/13 AYES: Walters, Anderson, Corbett, Jackson, Leno, Monning NO VOTE RECORDED: Evans ASSEMBLY FLOOR : 75-0, 5/9/13 - See last page for vote SUBJECT : Privacy: customer electrical or natural gas usage data SOURCE : Author DIGEST : This bill prohibits a business, as defined, from sharing, selling, disclosing, or otherwise making accessible the electrical or gas consumption data of a residential or small business customer, except as specified. ANALYSIS : Existing law: CONTINUED AB 1274 Page 2 1. Provides that, among other rights, all people have an inalienable right to pursue and obtain privacy. 2. States that a local publicly owned utility (POU), an electrical corporation, or gas corporation, shall not share, disclose, or otherwise make accessible to any third party a customer's electrical or gas consumption data, except as specified or upon the consent of the customer. Also prohibits these entities from selling a customer's utility consumption data. 3. Provides that if an electrical or gas corporation or local publicly owned electric utility contracts with a third party for a service that permits a customer to monitor his/her electricity or gas usage and the third party uses that information for a secondary commercial purpose, the contract between the utility and third party shall provide that the third party prominently disclose that secondary commercial purpose to the customer and require the third party to secure the customer's consent prior to the use of the data for that secondary commercial purpose. 4. States that a local POU, an electrical corporation, or gas corporation, shall not provide an incentive or discount to the customer for accessing the customer's utility consumption data without the prior consent of the customer. 5. States that a local POU, an electrical corporation, or gas corporation, shall use reasonable security procedures and practices to protect a customer's unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure. 6. Does not preclude a local POU, an electrical corporation, or gas corporation, from disclosing a customer's electrical or gas consumption data to a third party for system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs, provided that, for contracts entered into after January 1, 2011, the utility has required by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, and prohibits CONTINUED AB 1274 Page 3 the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer's prior consent to that use. This bill: 1. Provides that unless otherwise required or authorized by federal or state law, a business shall not share, disclose, or otherwise make accessible to any third party a customer's data without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used. 2. Provides that a business shall not provide an incentive or discount to the customer for accessing the data without the prior consent of the customer. 3. Provides that a business shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the data from unauthorized access, destruction, use, modification, or disclosure. 4. Provides that a business that discloses data, with the express consent of the customer, pursuant to a contract with a nonaffiliated third party, shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the data from unauthorized access, destruction, use, modification, or disclosure. 5. Provides further that a business shall take all reasonable steps to dispose, or arrange for the disposal, of customer data within its custody or control when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the data in those records to make it unreadable or undecipherable through any means. 6. Provides that a customer harmed by the release and unauthorized use of his/her customer data, in violation of the above provisions, may bring a civil action to recover actual damages in an amount not to exceed $500 for each willful violation. CONTINUED AB 1274 Page 4 7. States that it shall not apply to an electrical corporation, a gas corporation, or a local publicly owned electric utility or a business that secures the data as a result of a contract with an electrical or gas corporation or a local publicly owned electric utility, as specified. Background California gas and electric utility providers are developing and implementing advanced metering infrastructure across the state. The "smart meter" is the most recognizable component of this new infrastructure. Through a smart meter, a utility is able to gather consumption data from a consumer in real time, allowing it to offer new demand response and energy management programs such as critical peak pricing, where utility rates fluctuate in response to overall system demand. With this new technology and access to real-time energy usage data has come an increased interest in using this data for marketing and other purposes. Responding to privacy concerns surrounding the use of utility consumption data, the Legislature passed and Governor Schwarzenegger signed SB 1476 (Padilla, Chapter 497, Statutes of 2010) which, among other things, prohibited a utility as defined from sharing, disclosing, or otherwise making a consumer's electrical or gas consumption data accessible to third parties, except in specified instances. The bill also required that, in cases where a utility contracts with a third party for a service that allows a customer to monitor his/her electricity or gas usage and the third party uses that information for a secondary commercial purpose, the contract between the utility and the third party must prominently disclose that purpose to the customer. SB 1476 also permitted a utility to disclose a customer's electrical or gas consumption data to a third party for system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs provided that the contract between the utility and that third party prohibited the use of the data for a secondary commercial purpose without the customer's consent. The following year, the Legislature passed and Governor Brown signed SB 674 (Padilla, Chapter 255, Statutes of 2011), which amended the protections added by SB 1476 to make clear that a customer's prior consent is required for the use and release of the customer's data for a secondary purpose in both of the instances described above. However, neither SB 1476 nor SB 674 CONTINUED AB 1274 Page 5 imposed restrictions on the use of a customer's utility consumption data in situations when this data is acquired from a source other than the utility provider or their third-party contractors, or after this data has been transmitted to a third party by the utility provider. The development of "smart grid" infrastructure in California has enabled utility customers to receive detailed, real-time information about their energy usage. This new data about one's utility consumption allows customers to better manage their overall energy use and identify more precisely where energy is being used in their home. For some customers, a device called a "home area network" (HAN) is built into their "smart meter" which allows the metering infrastructure to interface with an existing home computer network. According to the Public Utilities Commission (PUC), some of these HANs include independent communications channels that can be controlled by consumers, enabling the consumer to provide third-parties not related or connected to the utility provider with access to their utility consumption data through the Internet. With this new technology and access to real-time energy usage data has come an increased interest in using this data for marketing purposes. The technology sector has revealed how analysis of this data can, for instance, show that a consumer owns a refrigerator that is an energy hog, giving this data a high value in the marketplace. However, the information gained through analysis of utility consumption data is potentially much more revealing. FISCAL EFFECT : Appropriation: No Fiscal Com.: No Local: No SUPPORT : (Verified 7/8/13) Division of Ratepayer Advocates Public Utilities Commission ARGUMENTS IN SUPPORT : The author writes: Existing law prohibits utilities from selling or sharing customer data on gas and electricity use unless ordered by federal or state authorities. CONTINUED AB 1274 Page 6 This bill prohibits a 3rd party from sharing, disclosing, or otherwise making a customer's electrical or gas consumption data accessible to another entity except with the consent of the customer; it prohibits selling a customer's electrical or gas consumption data, and it prohibits providing an incentive or discount to the customer for accessing the customer's electrical or gas consumption data without the prior consent of the customer. This bill provides remedies to the customer in the event that they are damaged by the willful release of private information. Third party providers are not utilities and do not fall within the scope of the PUC's regulatory oversight therefore they are not subject to current data privacy laws. This bill addresses that gap so that independent 3rd parties are required to maintain privacy of customer data. ASSEMBLY FLOOR : 75-0, 5/9/13 AYES: Achadjian, Alejo, Allen, Ammiano, Atkins, Bigelow, Bloom, Blumenfield, Bocanegra, Bonilla, Bonta, Bradford, Brown, Buchanan, Ian Calderon, Campos, Chau, Chávez, Chesbro, Conway, Cooley, Dahle, Daly, Dickinson, Donnelly, Eggman, Fong, Fox, Frazier, Beth Gaines, Garcia, Gatto, Gomez, Gordon, Gorell, Gray, Hagman, Hall, Harkey, Roger Hernández, Jones, Jones-Sawyer, Levine, Linder, Lowenthal, Maienschein, Mansoor, Medina, Melendez, Mitchell, Morrell, Mullin, Muratsuchi, Nazarian, Nestande, Olsen, Pan, Patterson, Perea, V. Manuel Pérez, Quirk, Quirk-Silva, Rendon, Salas, Skinner, Stone, Ting, Torres, Wagner, Weber, Wieckowski, Wilk, Williams, Yamada, John A. Pérez NO VOTE RECORDED: Grove, Holden, Logue, Waldron, Vacancy JG:k 7/8/13 Senate Floor Analyses SUPPORT/OPPOSITION: SEE ABOVE **** END **** CONTINUED AB 1274 Page 7 CONTINUED