Smart Meter Customer Data Privacy: California Proposes New Rules

PG&E Meter on Angele Island.

Image via Wikipedia

California Public Utility Commission President Michael Peevey issued a notice of proposed decision in Rulemaking 08-12-009 concerning the privacy protections expected of California’s jurisdictional investor owned utilities in the handling of customer meter and energy use data from the deployment of smart meters.

The rules are needed to assure customer data privacy is protected while, at the same time, enabling customers to permit access to third-party vendors they approve in order to gain access to and receive proposals for energy management, demand response and other customer service applications expected to use smart meter data.

Under the proposed rules utilities must offer residential customers bill-to-date, bill forecast data, projected month-end tiered rate, a rate calculator, and notifications to customers as they cross rate tiers.  They must also work with the CAISO to streamline customer access to wholesale electricity prices.  To enforce the new rules, the CPUC will require PG&E, SCE, and SDG&E each to file an advice letter within six months that provides customers with access to usage, price, and billing data. Each utility must also conduct a pilot study within six months on demonstrate how they will provide real-time or near real-time pricing information to customers.

The proposed decision makes California data privacy practices consistent with the best national privacy and security practices adopted by the Department of Homeland Security and with the policies adopted in Senate Bill 1476 approved by the California Legislature and signed by the Governor in September 2010.

How will California’s Data Privacy Rules Work?

  1. Customer Data Access Tariffs. California’s big three utilities Pacific Gas & Electric, Southern California Edison and San Diego Gas & Electric would file tariffs for CPUC approval that require third parties that seek access to utility customer energy data to agree to follow the same data privacy requirements the CPUC is imposing on the utility.
  2. Third Party Compliance with CPUC Data Privacy Rules. The data privacy rules apply to any home device that uses smart meter data and is “locked” into a single provider’s platform or technology but permits customer-owned data sources outside of its authority. The ruling also to any service that keep collecting and using data without any active role on the customers’ part, once the customer has given permission to access.  This is needed to authorize constant energy management services a customer might contract with an outside vendor such as EnerNOC, Comverge or C-Power to provide.
  3. Third Party Registration for Tariff Participation and Utility Deadline for Start-up. Companies that seek to provide services using smart meter data sign up for each utilities’ tariff programs to gain access to the data.  The CPUC ruling would give the utilities six months file their tariffs and get their data access programs in service.
  4. Who is NOT Covered by the Proposed Data Privacy Rules.  Customers may provide their own data to third party vendors without regard to the proposed rules or tariffs. Home energy devices that aren’t “locked” and don’t automatically transfer information to a third party fall under a different category. CPUC lacks authority over data from devices we own and use directly as customers directly because they don’t depend on acquiring data directly from the utility. Examples are dashboards, energy monitors and similar devices, home security monitoring systems like iControl and AlertMe, or home broadband and home automation systems sold by communications companies like Verizon or AT&T.  The CPUC’s proposed rule says utilities must provide customers with “information concerning the potential uses and abuses of usage data should the customer forward or otherwise provide the data to another entity” for example, if they switch from one services provider to another.

Data privacy advocates may not be satisfied

Some had sought tougher standards that would cover independent third parties like Google and other internet service providers in their zeal to protect individual privacy.  But that debate set off alarms of overreach by a state regulatory agency that has no jurisdiction over non-utility market participants like Google.

In narrowing its rulemaking to be applicable to the CPUC’s jurisdictional utilities and requiring them to file tariffs that subsequently require third parties who seek access to customer utility data to promise both to get the customer’s permission to access their data and also indemnify the utility by complying with the same data privacy rules the CPUC imposes on the utility to assure that it remains in compliance, the CPUC hopes to avoid protracted litigation over its decision.

The proposed decision now goes to the full CPUC for approval expected over the next several months.