DRA Finds New CPUC Smart Grid Privacy Rules Provide Consumer Protections, But Don’t Go Far Enough

 

SAN FRANCISCO, July 28, 2011 – The Division of Ratepayer Advocates (DRA), an independent consumer advocacy division of the California Public Utilities Commission (CPUC), said that on balance, the CPUC’s decision today adopts smart grid privacy rules based on sound principles.  However, DRA is disappointed that the decision does not apply those rules to all entities, beyond the investor owned energy utilities, thereby creating loopholes that will leave customers vulnerable.

Under Senate Bill 1476, investor-owned utilities using smart meters, which include Pacific Gas and Electric Company, Southern California Edison Company and San Diego Gas & Electric Company, are required to allow customers to access their own energy usage data without requiring them to share personally identifiable information to non-utility entities.  The CPUC had the opportunity to ensure that customer privacy is protected by any non-utility private company with whom customers share their data, yet the decision approved by the CPUC today only applies privacy rules to some entities, putting the responsibility for protecting their own privacy solely on the customers themselves.

“While the CPUC’s decision puts forward some very good protections for consumers, I am concerned that it places the burden on customers to be vigilant to protect their own privacy,” said DRA acting director Joe Como.  “The CPUC does not require non-utility companies to be accountable, which will leave customers’ personal information at risk.”

Today’s decision appropriately adopts most of the privacy rules proposed by the Center for Democracy and Technology and the Electronic Frontier Foundation.  It also adopts the Fair Information Practice Principles as California policy for the smart grid, which promote transparency, security, and accountability.  The decision ensures that no entities can access customer energy usage data for certain purposes unrelated to essential energy utility services, without customer consent.  However, the decision declines to require the CPUC or the utilities to monitor the privacy policies of non-utility companies.  Instead, the CPUC requires the utilities to inform customers of the potential uses and abuses of sharing customer energy usage data with non-utility entities.

Customers may be unaware that energy usage data being collected by smart meters may disclose intimate personal details about a customer’s presence in or absence from the home, health issues, purchasing preferences, or co-habitation arrangements.

“Many states are looking to California to pave the way on smart grid policies and rules,” Como said.  “With this decision, the Commission has gone a long way toward providing leadership in protecting customer privacy, but it could have gone farther.”