The Act seeks to establish standards to govern the use and disclosure of electric utility usage data (including personal information) by electric utilities, customers of electric utilities and third parties. The Act also requires electric utility companies to maintain the confidentiality of customer data and allow customers to access the data. State Rep. Scott Martin noted that customers will see energy savings from the Smart Grid, but are vulnerable to potential access of their data by third parties. “This legislation should ensure customers can reap the many benefits of this new system without having to fear someone getting access to their data without permission,” said Martin. The legislation is said to have the support of the Oklahoma Gas & Electric Company, which has already converted 100,000 standard meters to smart meters in the state and plans to install 800,000 smart meters in the next two years.
The proposed Data Protection Act governs the use and disclosure of “usage data” in both identifiable and aggregated format. The Act defines “usage data” as information relating to both (i) the amount of electricity consumed at a residence or customer premises; and (ii) the characteristics of that consumption. “Usage data” includes the dates and times when electricity is consumed and information about the appliances and devices that consume the electricity. The Act also provides utility customers with the right to access their usage data.
The Act deems usage data “customer-identifiable” when it is associated with any information that identifies or is uniquely associated with a customer, such as a name, Social Security or taxpayer identification number, street address, telephone number, electric utility account number, meter number or financial account information. Notably, the scope of “identifiable” data is not limited to information about individuals. Rather, the Act defines a “customer” as an individual, a business or a legal entity receiving service from an electric utility.
The Act permits utilities to use customer-identifiable usage data without customer consent for “business purposes” such as (i) the provision of services; (ii) billing; (iii) support of the infrastructure; (iv) the development, enhancement, marketing or provision of energy-related products and services; and (v) the promotion of public policy objectives, including energy efficiency and environmental initiatives.
Pursuant to the Act, a utility may disclose identifiable usage data without customer consent to affiliates and third parties that assist the utility in providing services and carrying out business objectives. The affiliate or third party that receives the usage data must agree in writing that it will maintain the confidentiality of the data and use the data only for the permissible purposes. Customer consent also is not required for disclosures of usage data to comply with legal requirements, in the event of a merger or a sale of assets, or in an emergency.
The Act also permits utilities to disclose a customer’s usage data to a third party if the customer provides an informed consent to the disclosure.
The Oklahoma bill is one of the many state-level initiatives that seek to regulate the use and disclosure of personal data that utilities and other entities collect, use and disclose in connection with the Smart Grid. We have written on our blog about the ABA’s effort to catalogue these efforts. Check back often as we continue to discuss Smart Grid-related privacy legislation and other privacy initiatives.