Article by Nicole Friess
On August 29, 2011, Administrative Law Judge G. Harris Adams issued a recommended decision before the Colorado Public Utilities Commission (PUC) on proposed Smart Grid data privacy rules to regulate the information practices of electric utilities.
The proposed rules will revise the current rules applicable to Smart Meter data privacy and disclosure rules in the Code of Colorado Regulations.
According to the PUC, the new rules will provide more clarity on data privacy concerns and protect customer information from unauthorized disclosure, while at the same time granting customers access to their own information.
A number of interested parties filed exceptions to the proposed rules, and on October 17, 2011, the PUC held a hearing to discuss and rule on the exceptions. Some of the highlights of the PUC hearing are discussed below.
The rules grant utilities unfettered use of customer data for regulated utility purposes. However, utilities will generally be permitted to share a customer’s data with third parties only after the customer provides informed consent. Utilities may obtain customer consent under the rules if a customer submits a consent form – which will be prescribed and supplied the PUC – electronically or by postal mail.
The PUC granted an exception to the rule which will also allow customers to provide consent in person, provided that the customer produces appropriate identification. Customer consent will have no expiration date. The PUC rejected the Administrative Law Judge’s proposal that consent forms must be notarized, as the commissioners agreed that the notarization process is burdensome and unnecessary for authenticating customer consent.
Utilities must also obtain the customer’s consent before using customer data for unregulated services. The rules permit a utility to disclose customer data to a contracted agent, as long as the agent uses the data solely for the purpose of the contract between the agent and the utility.
Several interested parties filed an exception to the rule, asking that contracted agents be granted unlimited secondary use of customer data. The PUC denied the exception, noting that this proposed exception was contrary to the purpose and spirit of the regulations.
The regulations will continue to prohibit contracted agents from using customer data for a secondary commercial purpose unrelated to the purpose of the contract without first obtaining the customer’s consent. While a number of the filed exceptions were denied by the PUC, the commissioners did agree to strike proposed Rule 3032, which would have given customers the option to place a data freeze on their utility account.
The data freeze provisions provided customers with an opt-in opportunity to prevent utilities from disclosing customer data to third parties. However, since the proposed rules operate under the basic assumption that customer data will not be disclosed to third parties without customer consent, the commissioners agreed that the Rule 3032 was redundant and unnecessary.
Another notable decision of the PUC was the commissioners’ affirmation of the penalties as set forth in proposed Rule 3036. Interested parties argued that, without a cap on total liability, penalties issued under the Rule would be excessive. However, the PUC denied the exceptions to Rule 3036.
Although the Rule provides for penalties that have the potential to be rather large, the PUC indicated that penalties will only apply for “intentional” violations of the rules.
The rules also require utilities to provide annual written notice to customers explaining their privacy and security policies governing access to and disclosure of customer data and aggregated data to third parties. During the hearing, the PUC agreed to allow utilities to deliver this notice to customers electronically.
The PUC also agreed to give electric utilities until March 1, 2012 to file their compliance tariffs. Colorado joins several other states that are seeking to regulate utilities’ use and disclosure of customer data.
While some issues remain unresolved after the hearing, PUC staff will be circulating an updated draft of the rules that reflects the PUC’s recent decisions. We will continue to discuss this and other utility-related privacy initiatives on our blog as they develop, so check back often.
Cross-posted from InfoLawGroup