DRA supports the CPUC's Decision adopted July 28, 2011 that creates a framework and rules to protect the privacy and security of customer usage data, but believes it should be modified to:
- Close loopholes: The PD allows customer information to be released without consent if for a "primary purpose."
- Regulate all third parties to fill customer protection gaps: The PD limits CPUC jurisdiction to IOUs, its contractors, and third parties using a "locked" device.
Privacy rules must be adopted that limit uses of energy usage data to purposes of meeting the energy policy goals of the state, and are equally applicable to all entities seeking to use such data. If not, large loopholes will exist that undermine any attempts to protect consumer privacy.
DRA supports Fair Information Practice Principles (FIPPs), which were adopted by the CPUC in July 2010 as a framework for privacy rules:
- Transparency: Provide clear, meaningful notice about collection, uses and disclosure.
- Individual Participation: Consent is required to collect, use, and/or disclose data, is required again any time changes are made, and is revocable at any time.
- Purpose Specification: Articulate specific purposes for which data will be used.
- Data Minimization: Collect only data necessary to fulfill specific purposes and keep only as long as needed.
- Use Limitation: Use data only for specified purposes.
- Data Quality and Integrity: Ensure data is accurate, relevant, timely, and complete and provide tools to correct mistakes or challenge errors.
- Data Security: Must protect customer data with appropriate security safeguards.
- Accountability and Auditing: Must comply, audit for compliance, and provide employee and contractor training.
The Center for Democracy and Technology and the Electronic Frontier Foundation developed policies and procedures that translated FIPPs into practical and usable rules, which were submitted to the CPUC in October 2010.
DRA provided input to the rules and supported them with amendments to: 1) limit appropriate uses of data to those purposes specifically related to fulfilling energy policy goals and operational needs, and 2) make the rules follow the data, regardless of which entity accesses the data.