On January 1, 2014, California’s new “smart meter” privacy law goes into effect, which may impact Internet Service Providers, financial institutions and other businesses that handle or receive smart meter data. On October 5, 2013, California Governor Brown approved the law passed by the Assembly (A.B. 1274) that will require certain non-utility businesses to obtain the express consent of utility customers before sharing their electrical or natural gas usage information.
In the past, an electrical utility “meter reader” came to a personal residence or commercial establishment to gauge electrical usage and generate billing accordingly. Today, public utilities send that information over the Internet through smart meters. These devices send data, over the Internet, to the public utility in real time and they also allow consumers to monitor their own energy consumption.
According to the Assembly Floor Analysis, almost three years ago, the California legislature enacted S.B. 1476, which prohibited the utilities from sharing or otherwise disclosing a customer’s consumption data and patterns to third parties without the customer’s consent. The bill also required those utilities to use reasonable security procedures, including encryption, for customer usage data gathered through smart meters or otherwise. The new law (codified in A.B. 1274) would extend many of these same prohibitions and restrictions to Internet Service Providers (“ISPs”), financial institutions and other businesses that handle or receive smart meter data.
A.B. 1274 adds Title 1.81.4 (commencing with Section 1798.98) to Part 4 of Division 3 of the Civil Code to prohibit a business (including ISPs and financial institutions) from sharing, disclosing, or otherwise making accessible to any third party a customer’s electrical or natural gas usage data without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used. Cal. Civ. Code § 1798.98(b). Further the new law prohibits a business from providing an incentive or discount to the customer for accessing their usage data without the prior consent of the customer. Cal. Civ. Code § 1798.98(e).
The term “business” includes all for-profit entities, including financial institutions. Specifically, the code defines a business as meaning “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution.” The term “customer” is defined as “a customer of an electrical or gas corporation or a local publicly owned electric utility that permits a business to have access to data in association with purchasing or leasing a product or obtaining a service from the business.” Cal. Civ. Code § 1798.98 (a)(1)-(2).
If a business does obtain the express written consent from the customer to share usage data, the new law requires covered businesses to have contractual requirements in place with third parties requiring them to maintain reasonable security procedures and practices to protect the data from unauthorized disclosure. Cal. Civ. Code § 1798.98(c). It also requires covered businesses to take reasonable steps with regard to the disposal of customer data by “(1) shredding, (2) erasing, or (3) otherwise modifying the data in those records to make it unreadable or undecipherable through any means.” Cal. Civ. Code § 1798.98(f).
Finally, the new law adds Civil Code Section 1798.99 to authorize customers to bring civil actions for actual damages not to exceed $500 for each willful violation of the law. The new law will be effective January 1, 2014.
Conclusion
Businesses that are ISPs, financial institutions or otherwise handle customer data from smart meters should familiarize themselves with A.B. 1274, which will take effect on January 1, 2014, as well as other developments in this area to ensure that the appropriate contractual language is incorporated into their agreements and best practices regarding the privacy of smart meter data.