BILL ANALYSIS �
SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2009-2010 Regular Session
SB 837 (Florez)
As Amended March 25, 2010
Hearing Date: April 13, 2010
Fiscal: Yes
Urgency: No
SK:jd
SUBJECT
Utility Service: Smart Meters: Privacy
DESCRIPTION
This bill contains a number of privacy protections related to
electrical and gas corporations and "third-party demand service
providers" (entities that collect customer energy usage data so
that customers may reduce their electricity usage). This bill
would provide that meter data or energy usage data is the
property of the customer and specifies that individual customer
information shall remain confidential. This bill would prohibit
electrical and gas corporations and third-party demand service
providers from sharing a customer's information, such as energy
usage information, with third parties unless the customer
expressly authorizes the disclosure (opt-in). This bill would
require electrical and gas corporations and third-party demand
service providers that install or provide smart meter technology
on customer residences to adopt a "statement of privacy and
security principles" that contains specified elements.
This bill would also include records maintained by an electrical
or gas corporation, a publicly owned gas utility, or a local
publicly owned gas utility under existing law's protections
regarding the production of records using a subpoena and would
expand the entities that would be protected under the statute.
BACKGROUND
In 2009, the Legislature passed and the Governor signed SB 17
(Padilla, Ch. 327, Stats. 2009) which established California's
smart grid policy; smart meters are a component of a smart grid
(more)
�
SB 837 (Florez)
Page 2 of ?
policy. Smart meters are two-way communication devices that
measure electrical, natural gas, or water consumption. They
communicate consumption information via a network back to the
utility, eliminating the need for manual meter readings. Smart
meters can record and report energy consumption on an hourly
basis and can be linked to appliances. They also allow a
utility to remotely disable and enable supply and to utilize
pricing systems for consumption based on the time of day and
season. New technologies, such as Google's "PowerMeter," allow
customers to access and monitor their consumption in real time,
allowing them to manage their energy use more effectively.
In California, the California Public Utilities Commission (CPUC)
has authorized the use of smart meters. Southern California
Edison has been authorized to install approximately 5.3 million
smart meters and San Diego Gas and Electric Company has received
authorization for 1.4 million electric smart meters and 900,000
natural gas meters. Pacific Gas and Electric Company has been
authorized to install approximately 9 million electric and
natural gas meters.
Although smart meters have the potential to help address some of
our most pressing energy and environmental needs, the use of
this new technology also raises privacy concerns. In fact, the
CPUC has initiated a rulemaking (R.08-12-009) to consider
policies for utilities to develop a smarter electric grid. Part
of that rulemaking will investigate the contact between the
smart grid and consumers and cyber-security issues including
policies to ensure customer privacy. In comments to the CPUC
regarding this rulemaking, several privacy groups raised
concerns that smart meter systems could reveal intimate and
sensitive personal behavior patterns such as when consumers eat,
shower, go to bed, wake up, or leave the house. The systems
could also detect whether an alarm system is engaged. Related
concerns have been raised that smart meter systems could be
subject to hacking, leaving consumers vulnerable to identity
theft. Many are also concerned that the information collected
using a smart meter could be shared with third-party marketers.
In order to address these concerns, this bill seeks to require
electrical and gas corporations and third-party demand service
providers to comply with various privacy protections.
This bill has been double-referred to the Senate Energy,
Utilities, and Communications Committee for hearing of the
provisions within its jurisdiction. This analysis will focus on
the bill's provisions related to privacy and the Code of Civil
�
SB 837 (Florez)
Page 3 of ?
Procedure, areas within this Committee's jurisdiction.
CHANGES TO EXISTING LAW
1.Existing law provides that, among other rights, all people
have an inalienable right to pursue and obtain privacy. (Cal.
Const., art. I, Sec. I.)
Existing law requires the CPUC to determine the requirements for
a smart grid deployment plan. (Pub. Util. Code Sec. 8360 et
seq.) Current CPUC rules require California's largest
investor-owned electrical and gas corporations to replace
traditional utility meters with "smart meters."
This bill would provide that meter data or energy usage data is
the property of the customer, regardless of whether the data
is kept by the customer or retained solely by the utility or
the third-party demand response service provider.
This bill would define "third-party demand response service
provider" ("demand response provider") to mean a person or
corporation that is not an electrical corporation and who
collects customer energy usage data and also provides
equipment, software, or services that enable customers to
reduce their electricity usage.
This bill would specify that individual customer information and
individual electrical end-use customer information ("customer
information") shall remain confidential and would define these
terms to mean energy or electrical usage information and
billing and credit information about an individual, family,
household, or residence.
This bill would prohibit an electrical or gas corporation or
demand response provider from providing customer information
to a third party unless the customer expressly authorizes, in
writing, the release of the information to that third party.
This bill would also require the third party to acknowledge,
in writing, that the information is confidential and shall not
be shared or utilized by any other person, corporation, or
entity without the customer's express written consent.
This bill would permit a customer to authorize the release of
historical information by the utility and would specify that
the customer or third party must pay any reasonable
administrative costs of that release.
�
SB 837 (Florez)
Page 4 of ?
This bill would specify that a customer's written authorization
for the release of confidential information automatically
expires three years from the date of the authorization.
This bill would require any electrical or gas corporation that
installs smart meter technology on customer residences to
adopt a statement of privacy and security principles for smart
meter systems. This requirement also applies to demand
response providers within six months of commencing providing
demand response service on customer residences. In the case
of electrical or gas corporations, the statement must be filed
with and approved by the CPUC. In all cases, the statement
must contain the following specified elements:
a. a customer has a right to transparency in information
gathering and use and the utility must provide customers
with meaningful, clear, and full notice regarding the
collection, use, dissemination, and maintenance of
individual customer information gathered as a result of the
smart meter system;
b. a customer has a right to participate in what and how
information about the customer is collected and used. This
element would require a utility to have a process that, to
the extent practicable, seeks the customer's consent for
the collection, use, dissemination, and maintenance of the
information. A utility would also have to provide
customers with mechanisms to access and correct their
individual customer information;
c. a customer has a right to know each reason information is
being gathered and the utility must tell the customer the
purpose for which individual customer information is being
gathered through use of the smart meter system;
d. maintenance of information shall be minimized and the
utility shall collect or retain only that individual
customer information that is directly relevant and
necessary to accomplish a specified purpose. The utility
should retain individual customer information only for as
long as necessary to achieve the pupose;
e. individual customer information shall be used only for the
purposes for which it was collected and may be shared only
for purposes that are compatible with the original purpose
for which it was collected;
�
SB 837 (Florez)
Page 5 of ?
f. the utility shall maintain the quality and integrity of
information and ensure that, to the extent practicable,
individual customer information is accurate, relevant,
timely, and complete. The utility must provide customers
with a mechanism to easily and confidentially access and
view their information and report errors. The utility
shall correct erroneous information that is challenged by
the consumer;
g. the utility shall maintain the security of the information
gathering system and shall protect individual customer
information through appropriate security safeguards against
risks of loss, unauthorized access or use, destruction,
modification, or unintended or inappropriate disclosure;
and
h. the utility shall undertake reasonable auditing to verify
and ensure compliance with its statement of principles
which shall include employee training.
This bill would require a utility or demand response provider
to adopt a work plan to implement its statement of privacy and
security principles, file that work plan with the CPUC which
must approve it (in the case of utilities), and, once the
statement and work plan are approved, make them available on
the utility's or demand response provider's Web site, and
allow customers to comment and inquire about them.
This bill would require a utility or demand response provider
to ensure that any person, such as a contractor, equipment
supplier, or software supplier is aware of, and agrees to
follow, the statement and work plan.
This bill would require an electrical or gas corporation to
promptly notify the CPUC of any violation of the work plan by
an employee or any person or corporation that is permitted to
have access to the smart grid system.
This bill would require demand response providers to promptly
investigate and take corrective action to prevent any
violation of the work plan by any employee or any person
permitted to have access to the technology used by the demand
response provider.
This bill would provide that its provisions do not limit a
customer's ability to directly and voluntarily provide
�
SB 837 (Florez)
Page 6 of ?
confidential information to a third party.
This bill would also require the CPUC to ensure that smart
grid deployment plans include testing and technology standards
and would require the CPUC to take specified actions
concerning service disconnections.
2.Existing law , the Information Practices Act (IPA), imposes
limitations on state agencies' collection and disclosure of
personal information. (Civ. Code Sec. 1798.1.) The IPA also
provides that an individual's name and address may not be
distributed for commercial purposes, sold, or rented by an
agency unless such action is specifically authorized by law.
(Civ. Code Sec. 1798.60.) The IPA prohibits state agencies
from disclosing any personal information in a manner that
would link the information to the individual concerned, unless
the disclosure is, among other things, with the consent of the
individual, pursuant to the Public Records Act or a search
warrant, or to a governmental agency when required by state or
federal law. (Civ. Code Sec. 1798.24.)
This bill would expand the IPA's definition of "personal
information" to provide that the term includes any information
that identifies or describes a "family, household, or
residence." This bill would also add "utility usage" to the
list of examples of personal information covered by the IPA.
3.Existing law requires a party that seeks production of
personal records using a subpoena duces tecum to serve the
consumer whose personal records will be produced under the
subpoena with: (1) a copy of the subpoena; and (2) a notice
detailing actions the consumer may take to protect his or her
privacy and prevent release of the documents. (Code Civ.
Proc. Sec. 1985.3.)
Existing law defines "personal records" to mean the original,
any copy of books, documents, other writings, or electronic
data pertaining to a consumer and which is maintained by any
"witness" such as, among other things, a physician, dentist,
pharmacist, hospital, state or national bank or credit union,
insurance company, attorney, accountant, telephone
corporation, psychotherapist, or school. (Id.)
Existing law defines "consumer" as an individual, partnership of
five or fewer persons, association, or trust, as specified.
(Id.)
�
SB 837 (Florez)
Page 7 of ?
This bill would amend the definition of "personal records" to
also include records maintained by an electrical or gas
corporation, a publicly owned gas utility, or a local publicly
owned gas utility.
This bill would revise the definition of "consumer" to include a
family, household, or residence.
4.Existing law creates the California Office of Information
Security which is part of the Office of the State Chief
Information Officer and the Office of Privacy Protection, part
of the State and Consumer Services Agency. (Gov. Code Sec.
11549.)
This bill would require each public utility to report the
following information to the Office of Information Security
and Privacy Protection, State and Consumer Services Agency, by
March 1, 2012 and every March 1 thereafter and would require
both the utility and the Office of Information Security and
Privacy Protection, State and Consumer Services Agency to make
the report publicly available on their Web sites:
a. the number of federal warrants, state warrants, grand jury
subpoenas, civil
subpoenas, and administrative subpoenas received by the
utility during the prior
calendar year for information regarding its California
customers;
b. the number and types of actions taken by the utility in
response to each category
of information request listed in paragraph (a);
c. the number of customers whose utility records were
produced in response to each
category of information request listed in paragraph (a);
d. the type of information disclosed about the utility's
customers in response to each
category of information request listed in paragraph (a); and
e. the total amount of money received by the utility to
respond to each category of
information request in paragraph (a).
5.Existing law provides that a judge may order the production of
utility records to law enforcement for the purpose of criminal
investigations and prosecutions only upon a written ex parte
application by a peace officer showing specific and
�
SB 837 (Florez)
Page 8 of ?
articulable facts that there are reasonable grounds to believe
that the records sought are relevant and material to the
investigation of specified felonies. Existing law does not
prohibit the holder of the utility records from notifying the
customer that the holder has received a court order to produce
the records, unless the court orders otherwise. (Pen. Code
Sec. 1326.1.)
This bill would instead require the holder of the utility
records to notify the customer of the order to produce the
records, unless the court orders otherwise. If the court
orders that the customer not be notified, this bill would
require that the order include a statement of the facts as to
why providing notice would impede the investigation.
COMMENT
1. Stated need for the bill
With respect to the privacy-related provisions of this bill, the
author writes:
Due to the increased amount of data collection with the
implementation of Smart Meters, there is a significant risk
regarding the loss of privacy. This bill creates privacy
standards and allows customers to have greater control over
the collection and sharing of their information.
In support of the bill, Privacy Rights Clearinghouse writes:
The information collected by utilities using smart meters is a
rich compendium of personal information. Mishandling of such
information could result in significant compromise of consumer
privacy. The privacy implications of frequent meter readings
being fed into smart grid networks could provide a detailed
time line of activities occurring inside the home. This data
may point to a specific individual or expose sensitive data
about the household.
The constant collection and use of smart meter data has also
raised potential surveillance possibilities which pose
�
SB 837 (Florez)
Page 9 of ?
physical, financial, and reputational risks that must be
addressed. Many more types of data will be collected through
the smart grid than the standard monthly meter readings.
Moreover, numerous additional entities outside of the energy
industry may be accessing such data, including entities that
are creating applications and services specifically for smart
appliances and smart meters.
2. Privacy principles based on Fair Information Practices
This bill restricts how electrical and gas corporations and
third-party demand service providers may use and disclose a
customer's information. Several of the provisions of the bill
are based on privacy principles known as Fair Information
Practices. These principles form the basis of many significant
privacy laws, such as the Information Practices Act and the
federal Fair Credit Reporting Act, and have also formed the
basis for the privacy policies of many organizations and
industry associations.
The principles date back to 1973 when the U.S. Department of
Health, Education, and Welfare first proposed a set of
information-practice guidelines in response to the increasing
use of computers in government recordkeeping. In 1980, the
Organization of Economic Cooperation and Development (OECD)
adopted the "Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data" which set out eight
principles providing, among other things, that: (1) any data
collection should be with the knowledge and consent of the data
subject; (2) the purpose for which the data is collected should
be specified and any use of the data should be limited to that
purpose; (3) the data subject should have the right to know
what information an entity has about him or her and be able to
make corrections, if necessary; and (4) an entity should take
reasonable security safeguards to protect data from loss or
unauthorized access, destruction, use, or disclosure.
This bill would require electrical and gas corporations and
third-party demand service providers that install or provide
smart meter technology on customer residences to adopt a
"statement of privacy and security principles" based in large
part on the Fair Information Practices principles noted above.
For example, the bill would require that the statement contain
specified elements, including that the customer has a right to
transparency and must be provided with meaningful, clear, and
full notice about the collection, use, dissemination, and
�
SB 837 (Florez)
Page 10 of ?
maintenance of their information obtained using the smart meter
technology. Customers must also be permitted to access and
correct their personal information and information may only be
used for the purposes for which it was gathered.
a. Requiring customer consent for disclosures
This bill would prohibit electrical and gas corporations and
third-party demand service providers from sharing a customer's
information with third parties unless the customer expressly
authorizes the disclosure (opt-in). One of the elements,
however, appears to be inconsistent with that prohibition.
That element states that the utility or third-party demand
response service provider must utilize a process when using
individual customer information gathered by the smart meter
system that, "to the extent practicable, seeks the customer's
consent for the collection, use, dissemination, and
maintenance of the information." In order to ensure that the
bill is internally consistent, the author has agreed to amend
the bill to ensure that a customer's consent is required
before his or her information may be disclosed.
Suggested amendments:
On page 18, line 9, delete ", to the extent practicable,"
On page 23, line 7, delete ", to the extent practicable,"
b. Purpose specification
This bill would require electrical and gas corporations and
third-party demand service providers to tell customers with
specificity each purpose for which the information is being
gathered through use of the smart meter system. Those
entities would only be allowed to collect and retain customer
information directly relevant and necessary to accomplish a
"specified purpose." That specified purpose, however, is not
tied back to the original purpose for which the information is
being gathered. As a result, it is possible that it could be
any purpose, including one that the customer is not told
about. In order to correct what appears to be an internal
inconsistency in the bill, the author has agreed to amend the
bill to indicate that the specified purpose must be one which
the customer was notified of under the previous paragraph.
Suggested amendments:
�
SB 837 (Florez)
Page 11 of ?
On page 18, line 22, delete "a specified purpose" and
insert "a purpose specified in subparagraph (C)"
On page 23, line 22, delete "a specified purpose" and
insert "a purpose specified in subparagraph (C)"
c. Disclosure of specified data
This bill would require an electrical or gas corporation to
provide specified data to the customer, his or her electric
service provider, or other third-party entity authorized by
the customer to have read-only access to his or her smart
meter data. The bill would permit the following data to be
disclosed in this instance: meter data used to calculate
charges for electric service, historical load data, and any
other proprietary customer information. This language is
arguably overbroad and so the author has agreed to delete "any
other proprietary customer information."
Suggested amendment:
On page 20, line 21, delete "and any other proprietary
customer information"
d. Third-party demand response service providers: privacy
principles and work plans
This bill requires demand response providers to adopt privacy
principles and work plans implementing those privacy
principles according to specific timeframes, which occur after
the provider has commenced providing demand response service
on customer residences. The author's office has indicated a
desire to revise these timeframes as they would permit a
demand response provider to collect data for lengthy time
periods. The bill should thus be amended as follows:
Suggested amendment:
On page 22, line 32, delete "within six months of
commencing" and insert "before"
On page 24, line 17, delete "No later than six months
following the adoption of the statement of privacy and
security principles for a third-party demand response
service provider," and insert "After adopting privacy and
�
SB 837 (Florez)
Page 12 of ?
security principles and before commencing providing demand
response service on customer residences,"
3. Discriminatory pricing based on privacy choice
This bill would prohibit an electrical or gas corporation or
demand response provider from providing customer information to
a third party unless the customer expressly authorizes, in
writing, the release of the information to that third party.
This opt-in requirement is intended to ensure that customers
have complete control over their information.
There is a concern, however, that customers might face higher
charges if they decide not to opt-into the sharing of their
information. Or, a discount could be offered if a customer
decided to opt-into sharing. In order to address these concerns
that consumers might face discriminatory pricing because they
had exercised their right to protect their privacy under this
bill, the author has agreed to amend the bill to provide that an
electrical or gas corporation or demand response provider may
not offer incentives or discounts to solicit a particular
response by the customer regarding his or her right to control
his or her information.
Suggested amendment:
Add new subdivisions providing that an electrical or gas
corporation or third-party demand response service provider
may not offer incentives or discounts in order to solicit a
particular response by the customer that allows the
corporation or provider to disclose the customer's information
to third parties.
4. Production of personal records using subpoena duces tecum
Under existing law, a person who uses a subpoena to seek
personal records that pertain to a "consumer" is required to
take certain steps to notify the consumer that his or her
records are being sought and explain how he or she may protect
his or her privacy and restrict release of the records. The
purpose of these provisions is "to protect a consumer's right to
privacy in his personal records . . . " (Sasson v. Katash (1983)
146 Cal.App.3d 119.)
The law thus creates a procedure under which the consumer is
notified that his or her records are being sought and is given
�
SB 837 (Florez)
Page 13 of ?
the opportunity to make a motion to quash the subpoena. The
subpoenaing party must serve a copy of the subpoena duces tecum,
the affidavit supporting the issuance of the subpoena, if any,
and the notice described above to the consumer personally, or,
if he or she is a party, to his or her attorney.
This bill would expand the definition of "personal records" to
also include records maintained by an electrical or gas
corporation, a publicly owned gas utility, or a local publicly
owned gas utility. It would also expand the definition of
"consumer" to include "family, household, or residence." The
author indicates that the intent of this provision is to ensure
that consumers are notified when their electric or gas records
are subpoenaed.
The bill's expansion of the definition of "consumer," however,
raises several concerns. First, it is not clear who would get
notice in these instances, and second, this change could
actually cause confusion and reduce the likelihood that a
consumer would receive the notice if it were addressed to the
"family, household, or residence." Also, it is not clear that
the "family, household, or residence" would have standing to
file a motion to quash the subpoena. In order to address these
concerns, the author has agreed to amend the bill to delete its
proposed changes to the definition of "consumer." Such an
amendment would still maintain the addition of records
maintained by an electrical or gas corporation, a publicly owned
gas utility, or a local publicly owned gas utility, thus
providing consumers with notice when these records are
subpoenaed.
Suggested amendment:
On page 8, line 22, delete "family, household, residence"
5. Reporting requirements
This bill requires public utilities to report specified
information to the "Office of Information Security and Privacy
Protection, State and Consumer Services Agency" and requires
that entity to make the report publicly available on its Web
site. Because of recent restructuring, however, the "Office of
Information Security and Privacy Protection, State and Consumer
Services Agency" no longer exists as one entity.
Instead, the Office of Information Security is now part of the
Office of the State Chief Information Officer (OCIO) and deals
�
SB 837 (Florez)
Page 14 of ?
with "statewide information security and privacy policies, and
standards applicable to all state government agencies." The
Office of Privacy Protection, on the other hand, is now part of
State and Consumer Services Agency and has responsibility for
privacy as it relates to consumers. The author indicates that
it is his intent that the report should be made to the Office of
Privacy Protection and, as a result, has agreed to amend the
bill accordingly:
Suggested amendments:
On page 13, line 10, delete "Office of Information Security
and Privacy Protection, State and Consumer Services Agency"
and insert "Office of Privacy Protection"
On page 13, line 35, delete "Office of Information Security
and Privacy Protection, State and Consumer Services Agency"
and insert "Office of Privacy Protection"
On page 13, line 39, delete "Office of Information Security
and Privacy Protection, State and Consumer Services Agency"
and insert "Office of Privacy Protection"
�
SB 837 (Florez)
Page 15 of ?
6. Expansion of Information Practices Act: amendment necessary
This bill would expand the definition of "personal information"
contained in the Information Practices Act, which applies only
to state agencies and imposes limitations on agencies'
collection and disclosure of personal information. The author
has indicated that it was not his intent to revise this
definition and has agreed to amend the bill to delete this
section.
Suggested amendment:
On page 6, beginning on line 20, delete Section 2 of the bill.
7. Clarifying amendments
This bill would prohibit an electrical or gas corporation or
demand response provider from providing customer information to
a third party unless the customer expressly authorizes, in
writing, the release of the information to that third party.
Because the term "provide" is not specific, the author has
agreed to amend the bill to make clear that the following are
subject to the bill's opt-in requirement: sharing, selling,
disclosing, or otherwise making a customer's information
accessible to any third party.
Suggested amendments:
On page 17, line 16, strike "provided" and insert "shared,
sold, disclosed, or otherwise made accessible"
On page 17, line 20, after "shared" insert ", sold, disclosed,
made accessible, "
On page 22, line 21, strike "provided" and insert "shared,
sold, disclosed, or otherwise made accessible"
On page 22, line 26, after "shared" insert ", sold, disclosed,
made accessible, "
This bill would permit a customer to authorize the release of
historical information by the utility. Because it is not clear
what "historical information" means, the author has agreed to
amend the bill to specify prior bills or prior usage records
instead.
�
SB 837 (Florez)
Page 16 of ?
Suggested amendment:
On page 17, line 23, delete "historical information" and
insert "prior bills or usage records"
This bill would define "third-party demand response service
provider" to mean a person or corporation that is not an
electrical corporation and who collects customer energy usage
data and also provides equipment, software, or services that
enable customers to reduce their electricity usage. The author
has indicated that some entities may only collect consumer
energy usage data but not provide equipment, software, or
services. In order to ensure that the bill applies to these
entities, the author would like to amend the bill as follows:
On page 21, line 38 after "data" insert "or who collects
customer energy usage data"
Support : Privacy Rights Clearinghouse
Opposition : None Known
HISTORY
Source : Author
Related Pending Legislation :
SB 1476 (Padilla) would require a utility that uses smart meter
technology that allows a customer to monitor his or her electric
or gas consumption data to ensure that the customer has an
option to access that data without relinquishing personally
identifiable information, including consumption data, to a third
party. The bill also contains restrictions on third-party
sharing. This bill is also scheduled to be heard by the
Committee on April 13, 2010.
AB 2207 (Fong) is currently a spot bill that states Legislative
intent to enact legislation creating a statewide standard for
the termination of residential utility service. This bill has
not been referred.
Prior Legislation : None Known
�
SB 837 (Florez)
Page 17 of ?
**************