Bill Text: CA AB1274 | 2013-2014 | Regular Session | Amended
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Privacy: customer electrical or natural gas usage data.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Passed) 2013-10-05 - Chaptered by Secretary of State - Chapter 597, Statutes of 2013. [AB1274 Detail]
Download: California-2013-AB1274-Amended.html
Bill Title: Privacy: customer electrical or natural gas usage data.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Passed) 2013-10-05 - Chaptered by Secretary of State - Chapter 597, Statutes of 2013. [AB1274 Detail]
Download: California-2013-AB1274-Amended.html
BILL NUMBER: AB 1274 AMENDED BILL TEXT AMENDED IN SENATE JUNE 25, 2013 AMENDED IN SENATE JUNE 11, 2013 AMENDED IN ASSEMBLY APRIL 18, 2013 INTRODUCED BY Assembly Member Bradford FEBRUARY 22, 2013 An act to add Title 1.81.4 (commencing with Section 1798.98) to Part 4 of Division 3 of the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGEST AB 1274, as amended, Bradford. Privacy:public utilities.customer electrical or natural gas usage data. Existing law prohibits, except as specified, anelectricelectrical corporation or gas corporation, and a local publicly owned utility, from sharing, disclosing, or otherwise making accessible to athird3rd party a consumer's electric or gas usage that is made available as a part of an advanced metering infrastructure, including the name, account number, and residence of the customer (data). Existing law requires the electrical corporation or gas corporation, and alocallylocal publicly owned utility, to use reasonable security procedures and practices to provide a consumer's unencrypted data from unauthorized access, destruction, use, modification, or disclosure. Existing law makes the willful obtaining of personal identifying information, as defined, and use of that information for any unlawful purpose, a felony or misdemeanor. Existing law authorizes a person that has been injured as a result of a violation of this prohibition to bring an action against a claimant, as defined, to establish that they are a victim of identity theft, in connection with the claimant' s claim against that person and to bring a cross-complaint if the claimant has brought an action to recover on a claim against the person. A person who proves that he or she is a victim of identity theft by a preponderance of evidence is entitled to a judgment providing for actual damages, attorney's fees, and costs, and any equitable relief that the court deems appropriate. This bill would prohibitan energy management service provider, as defined, from, among other things, sharing, disclosing, or otherwise making a customer's electrical or gas consumption data accessible to a 3rd party or selling a customer's electrical or gas consumption data, except upon the consent of the customer, as specified. The bill would prohibit an energy management service provider or its contractors from providing an incentive or discount to the customer for accessing the customer's electrical or gas consumption data without the prior consent of the customer. The bill would prohibit an energy management service provider or its contractor from providing a service that allows a customer to monitor his or her electricity or gas usage, except as specified.a business from sharing, disclosing, or otherwise making accessible to any 3rd party a customer's electrical or natural gas usage without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used. The bill would require a business and a nonaffiliated 3rd party, pursuant to a contract, to implement and maintain reasonable security procedures and practices to protect the data from unauthorized disclosure. The bill would prohibit a business from providing an incentive or discount to the customer for accessing the data without the prior consent of the customer. The bill would require a business to take reasonable steps with regard to the disposal of customer data no longer to be retained. The bill would authorize a customer to bring a civil action for actual damages not to exceed $500 for each willful violation of these provisions. Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1 . Title 1.81.4 (commencing with Section 1798.98) is added to Part 4 of Division 3 of the Civil Code , to read: TITLE 1.81.4. PRIVACY OF CUSTOMER ELECTRICAL OR NATURAL GAS USAGE DATA 1798.98. (a) For the purposes of this title, the following definitions shall apply: (1) "Business" means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution. (2) "Customer" means a customer of an electrical or gas corporation or a local publicly owned electric utility that permits a business to have access to data in association with purchasing or leasing a product or obtaining a service from the business. (3) "Data" means a customer's electrical or natural gas usage that is made available to the business as part of an advanced metering infrastructure provided by an electrical corporation, a gas corporation, or a local publicly owned electric utility, and includes the name, account number, or physical address of the customer. (4) "Electrical corporation" has the same meaning as in Section 218 of the Public Utilities Code. (5) "Gas corporation" has the same meaning as in Section 222 of the Public Utilities Code. (6) "Local publicly owned electric utility" has the same meaning as in Section 224.3 of the Public Utilities Code. (b) Unless otherwise required or authorized by federal or state law, a business shall not share, disclose, or otherwise make accessible to any third party a customer's data without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used. (c) A business that discloses data, with the express consent of the customer, pursuant to a contract with a nonaffiliated third party, shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the data from unauthorized access, destruction, use, modification, or disclosure. (d) A business shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the data from unauthorized access, destruction, use, modification, or disclosure. (e) A business shall not provide an incentive or discount to the customer for accessing the data without the prior consent of the customer. (f) A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer data within its custody or control when the records are no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the data in those records to make it unreadable or undecipherable through any means. (g) The provisions of this section do not apply to an electrical corporation, a gas corporation, or a local publicly owned electric utility or a business that secures the data as a result of a contract with an electrical or gas corporation or a local publicly owned electric utility under the provisions of Section 8380 or 8381 of the Public Utilities Code. 1798.99. A customer harmed by the release and unauthorized use of his or her customer data, in violation of Section 1798.98, may bring a civil action to recover actual damages in an amount not to exceed five hundred dollars ($500) for each willful violation. (b) The rights, remedies, and penalties established by this title are in addition to the rights, remedies, or penalties established under any other law. (c) Nothing in this title shall abrogate any authority of the Attorney General to enforce existing law.SECTION 1.Title 1.81.4 (commencing with Section 1798.98) is added to Part 4 of Division 3 of the Civil Code, to read: TITLE 1.81.4. Energy Management Service Providers 1798.98. (a) For the purposes of this section, the following definitions shall apply: (1) "Electrical or gas consumption data" has the meaning used in Section 8380 of the Public Utilities Code. (2) "Energy management service provider" means an entity that receives electrical or gas consumption data from a utility advanced metering system, but excludes an electrical or gas corporation or publicly owned utility or its agent, contractor, or vendor. (3) "Customer" means a residential customer or a nonresidential customer with a demand of 20kW or less during the previous calendar year. (b) An energy management service provider and its contractors shall abide by the following: (1) An energy management service provider shall not share, disclose, or otherwise make accessible to a third party a customer's electrical or gas consumption data, except upon the express consent of the customer. (2) An energy management service provider shall not sell a customer's electrical or gas consumption data or any other personally identifiable information for any purpose, except as provided in subdivision (d). (3) An energy management service provider and its contractors shall not provide an incentive or discount to the customer for accessing the customer's electrical or gas consumption data without the prior consent of the customer. (4) If an energy management service provider or its contractor provides a service that allows a customer to monitor his or her electricity or gas usage, and uses the data for a purpose other than that specified in the agreement between the customer and the energy management service provider, either the energy management service provider shall prominently disclose the purpose and secure the customer's express consent to the use of his or her data for that purpose prior to the use of the data, or the contract between the energy management service provider and its contractor shall provide that the contractor prominently discloses that purpose to the customer and secures the customer's express consent to the use of his or her data for that purpose prior to the use of the data. (5) If an energy management service provider contracts with a third party for any service and that third party uses customer electrical or gas consumption data for a secondary commercial purpose, the energy management service provider shall prominently disclose that secondary commercial purpose and secure the customer's consent to the use of his or her data for that purpose prior to the use of the data. (6) An energy management service provider shall use industry standards for securing a customer's unencrypted electrical or gas consumption data from the unauthorized access, destruction, use, modification, or disclosure of the data. (7) If a customer chooses to disclose his or her electrical or gas consumption data to a third party that is unaffiliated with, and has no other business relationship with, the energy management service provider, the energy management service provider shall not be responsible for the security of that data, or its use or misuse. (c) This section shall not preclude an energy management service provider from using or disclosing electrical or gas consumption data for analysis, research, reporting, sharing with third parties, or program management if the data has been aggregated sufficiently to protect individual customer identity and personally identifying information has been removed. (d) This section shall not preclude an energy management service provider, with the consent of the customer, from disclosing a customer's electrical or gas consumption data to a third party for the operational needs of an electric or natural gas system or electric grid, or the implementation of demand response, energy management, or energy efficiency programs. The third party shall use industry standards for securing customer's unencrypted data from the unauthorized access, destruction, use, modification, or disclosure of the data and for the destruction of data. (e) This section shall not preclude an energy management service provider from disclosing electrical or gas consumption data as required under state or federal law. 1798.99. (a) A customer harmed by the release and unauthorized use of his or her electrical or gas consumption data, as described in Section 1798.98, may bring a civil action to recover actual damages in an amount not to exceed five hundred dollars ($500) for each willful violation. (b) The rights, remedies, and penalties established by this title are in addition to the rights, remedies, or penalties established under any other law. (c) Nothing in this title shall abrogate any authority of the Attorney General to enforce existing law.