Bill Text: CA AB1274 | 2013-2014 | Regular Session | Amended
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Privacy: customer electrical or natural gas usage data.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Passed) 2013-10-05 - Chaptered by Secretary of State - Chapter 597, Statutes of 2013. [AB1274 Detail]
Download: California-2013-AB1274-Amended.html
Bill Title: Privacy: customer electrical or natural gas usage data.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Passed) 2013-10-05 - Chaptered by Secretary of State - Chapter 597, Statutes of 2013. [AB1274 Detail]
Download: California-2013-AB1274-Amended.html
BILL NUMBER: AB 1274 AMENDED
BILL TEXT
AMENDED IN SENATE JUNE 25, 2013
AMENDED IN SENATE JUNE 11, 2013
AMENDED IN ASSEMBLY APRIL 18, 2013
INTRODUCED BY Assembly Member Bradford
FEBRUARY 22, 2013
An act to add Title 1.81.4 (commencing with Section 1798.98) to
Part 4 of Division 3 of the Civil Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
AB 1274, as amended, Bradford. Privacy: public utilities.
customer electrical or natural gas usage data.
Existing law prohibits, except as specified, an electric
electrical corporation or gas corporation, and a
local publicly owned utility, from sharing, disclosing, or otherwise
making accessible to a third 3rd party
a consumer's electric or gas usage that is made available as a part
of an advanced metering infrastructure, including the name, account
number, and residence of the customer (data). Existing law requires
the electrical corporation or gas corporation, and a locally
local publicly owned utility, to use reasonable
security procedures and practices to provide a consumer's
unencrypted data from unauthorized access, destruction, use,
modification, or disclosure.
Existing law makes the willful obtaining of personal identifying
information, as defined, and use of that information for any unlawful
purpose, a felony or misdemeanor. Existing law authorizes a person
that has been injured as a result of a violation of this prohibition
to bring an action against a claimant, as defined, to establish that
they are a victim of identity theft, in connection with the claimant'
s claim against that person and to bring a cross-complaint if the
claimant has brought an action to recover on a claim against the
person. A person who proves that he or she is a victim of identity
theft by a preponderance of evidence is entitled to a judgment
providing for actual damages, attorney's fees, and costs, and any
equitable relief that the court deems appropriate.
This bill would prohibit an energy management service
provider, as defined, from, among other things, sharing, disclosing,
or otherwise making a customer's electrical or gas consumption data
accessible to a 3rd party or selling a customer's electrical or gas
consumption data, except upon the consent of the customer, as
specified. The bill would prohibit an energy management service
provider or its contractors from providing an incentive or discount
to the customer for accessing the customer's electrical or gas
consumption data without the prior consent of the customer. The bill
would prohibit an energy management service provider or its
contractor from providing a service that allows a customer to monitor
his or her electricity or gas usage, except as specified.
a business from sharing, disclosing, or otherwise making
accessible to any 3rd party a customer's electrical or natural gas
usage without obtaining the express consent of the customer and
conspicuously disclosing to whom the disclosure will be made and how
the data will be used. The bill would require a business and a
nonaffiliated 3rd party, pursuant to a contract, to implement and
maintain reasonable security procedures and practices to protect the
data from unauthorized disclosure. The bill would prohibit a business
from providing an incentive or discount to the customer for
accessing the data without the prior consent of the customer. The
bill would require a business to take reasonable steps with regard to
the disposal of customer data no longer to be retained.
The bill would authorize a customer to bring a civil action for
actual damages not to exceed $500 for each willful violation of
these provisions.
Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1 . Title 1.81.4 (commencing
with Section 1798.98) is added to Part 4 of Division 3 of the
Civil Code , to read:
TITLE 1.81.4. PRIVACY OF CUSTOMER ELECTRICAL OR NATURAL GAS
USAGE DATA
1798.98. (a) For the purposes of this title, the following
definitions shall apply:
(1) "Business" means a sole proprietorship, partnership,
corporation, association, or other group, however organized and
whether or not organized to operate at a profit, including a
financial institution organized, chartered, or holding a license or
authorization certificate under the law of this state, any other
state, the United States, or of any other country, or the parent or
the subsidiary of a financial institution.
(2) "Customer" means a customer of an electrical or gas
corporation or a local publicly owned electric utility that permits a
business to have access to data in association with purchasing or
leasing a product or obtaining a service from the business.
(3) "Data" means a customer's electrical or natural gas usage that
is made available to the business as part of an advanced metering
infrastructure provided by an electrical corporation, a gas
corporation, or a local publicly owned electric utility, and includes
the name, account number, or physical address of the customer.
(4) "Electrical corporation" has the same meaning as in Section
218 of the Public Utilities Code.
(5) "Gas corporation" has the same meaning as in Section 222 of
the Public Utilities Code.
(6) "Local publicly owned electric utility" has the same meaning
as in Section 224.3 of the Public Utilities Code.
(b) Unless otherwise required or authorized by federal or state
law, a business shall not share, disclose, or otherwise make
accessible to any third party a customer's data without obtaining the
express consent of the customer and conspicuously disclosing to whom
the disclosure will be made and how the data will be used.
(c) A business that discloses data, with the express consent of
the customer, pursuant to a contract with a nonaffiliated third
party, shall require by contract that the third party implement and
maintain reasonable security procedures and practices appropriate to
the nature of the information, to protect the data from unauthorized
access, destruction, use, modification, or disclosure.
(d) A business shall implement and maintain reasonable security
procedures and practices appropriate to the nature of the information
to protect the data from unauthorized access, destruction, use,
modification, or disclosure.
(e) A business shall not provide an incentive or discount to the
customer for accessing the data without the prior consent of the
customer.
(f) A business shall take all reasonable steps to dispose, or
arrange for the disposal, of customer data within its custody or
control when the records are no longer to be retained by the business
by (1) shredding, (2) erasing, or (3) otherwise modifying the data
in those records to make it unreadable or undecipherable through any
means.
(g) The provisions of this section do not apply to an electrical
corporation, a gas corporation, or a local publicly owned electric
utility or a business that secures the data as a result of a contract
with an electrical or gas corporation or a local publicly owned
electric utility under the provisions of Section 8380 or 8381 of the
Public Utilities Code.
1798.99. A customer harmed by the release and unauthorized use of
his or her customer data, in violation of Section 1798.98, may bring
a civil action to recover actual damages in an amount not to exceed
five hundred dollars ($500) for each willful violation.
(b) The rights, remedies, and penalties established by this title
are in addition to the rights, remedies, or penalties established
under any other law.
(c) Nothing in this title shall abrogate any authority of the
Attorney General to enforce existing law.
SECTION 1. Title 1.81.4 (commencing with
Section 1798.98) is added to Part 4 of Division 3 of the Civil Code,
to read:
TITLE 1.81.4. Energy Management Service Providers
1798.98. (a) For the purposes of this section, the following
definitions shall apply:
(1) "Electrical or gas consumption data" has the meaning used in
Section 8380 of the Public Utilities Code.
(2) "Energy management service provider" means an entity that
receives electrical or gas consumption data from a utility advanced
metering system, but excludes an electrical or gas corporation or
publicly owned utility or its agent, contractor, or vendor.
(3) "Customer" means a residential customer or a nonresidential
customer with a demand of 20kW or less during the previous calendar
year.
(b) An energy management service provider and its contractors
shall abide by the following:
(1) An energy management service provider shall not share,
disclose, or otherwise make accessible to a third party a customer's
electrical or gas consumption data, except upon the express consent
of the customer.
(2) An energy management service provider shall not sell a
customer's electrical or gas consumption data or any other personally
identifiable information for any purpose, except as provided in
subdivision (d).
(3) An energy management service provider and its contractors
shall not provide an incentive or discount to the customer for
accessing the customer's electrical or gas consumption data without
the prior consent of the customer.
(4) If an energy management service provider or its contractor
provides a service that allows a customer to monitor his or her
electricity or gas usage, and uses the data for a purpose other than
that specified in the agreement between the customer and the energy
management service provider, either the energy management service
provider shall prominently disclose the purpose and secure the
customer's express consent to the use of his or her data for that
purpose prior to the use of the data, or the contract between the
energy management service provider and its contractor shall provide
that the contractor prominently discloses that purpose to the
customer and secures the customer's express consent to the use of his
or her data for that purpose prior to the use of the data.
(5) If an energy management service provider contracts with a
third party for any service and that third party uses customer
electrical or gas consumption data for a secondary commercial
purpose, the energy management service provider shall prominently
disclose that secondary commercial purpose and secure the customer's
consent to the use of his or her data for that purpose prior to the
use of the data.
(6) An energy management service provider shall use industry
standards for securing a customer's unencrypted electrical or gas
consumption data from the unauthorized access, destruction, use,
modification, or disclosure of the data.
(7) If a customer chooses to disclose his or her electrical or gas
consumption data to a third party that is unaffiliated with, and has
no other business relationship with, the energy management service
provider, the energy management service provider shall not be
responsible for the security of that data, or its use or misuse.
(c) This section shall not preclude an energy management service
provider from using or disclosing electrical or gas consumption data
for analysis, research, reporting, sharing with third parties, or
program management if the data has been aggregated sufficiently to
protect individual customer identity and personally identifying
information has been removed.
(d) This section shall not preclude an energy management service
provider, with the consent of the customer, from disclosing a
customer's electrical or gas consumption data to a third party for
the operational needs of an electric or natural gas system or
electric grid, or the implementation of demand response, energy
management, or energy efficiency programs. The third party shall use
industry standards for securing customer's unencrypted data from the
unauthorized access, destruction, use, modification, or disclosure of
the data and for the destruction of data.
(e) This section shall not preclude an energy management service
provider from disclosing electrical or gas consumption data as
required under state or federal law.
1798.99. (a) A customer harmed by the release and unauthorized
use of his or her electrical or gas consumption data, as described in
Section 1798.98, may bring a civil action to recover actual damages
in an amount not to exceed five hundred dollars ($500) for each
willful violation.
(b) The rights, remedies, and penalties established by this title
are in addition to the rights, remedies, or penalties established
under any other law.
(c) Nothing in this title shall abrogate any authority of the
Attorney General to enforce existing law.
