Peevey Agenda Dec Revision 4 Attachments A-E

COM/MP1/tcg/jt2 DRAFT Agenda ID #10387 (Revision 4)

Decision PROPOSED DECISION OF PRESIDENT PEEVEY (Mailed 5/6/2011)

BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA

Order Instituting Rulemaking to Consider Smart Grid Technologies Pursuant to Federal Legislation and on the Commission's own Motion to Actively Guide Policy in California's Development of a Smart Grid System.

Rulemaking 08-12-009

(Filed December 18, 2008)

DECISION ADOPTING RULES TO PROTECT THE PRIVACY AND SECURITY OF THE ELECTRICITY USAGE DATA OF THE CUSTOMERS OF PACIFIC GAS AND ELECTRIC COMPANY, SOUTHERN CALIFORNIA EDISON COMPANY, AND SAN DIEGO GAS & ELECTRIC COMPANY

Attachment A - Senate Bill 1476

Attachment B - List of Current Statutes, Regulations, Decisions and Protocols Related to Customer Privacy Applicable to California Energy Utilities from Appendix A of Opening Responses of Pacific Gas and Electric Company to Assigned Commissioner's Ruling on Customer Privacy and Security Issues, October 15, 2010

Attachment C - Appendix A-2 of Center for Democracy and Technology's Reply Comments of November 12, 2010, Revised Privacy Policies and Procedures Recommended by CDT

Attachment D - Rules Regarding Privacy and Security Protections for Energy Usage Data

Attachment E - Phase 2 Service List

1. Summary

This decision adopts rules to protect the privacy and security of customer electricity usage data generated by the Smart Meters deployed by Pacific Gas and Electric Company (PG&E), Southern California Edison Company (SCE), and San Diego Gas & Electric Company (SDG&E). The rules adopted implement the protections ordered by Senate Bill (SB) 1476 (Chapter 497, Statutes of 2010). The adopted rules are also consistent with other sections of the Public Utilities Code and past Commission privacy policies. Attachment D, Rules Regarding Privacy and Security Protections for Energy Usage Data, lists the adopted privacy and security rules.

The adopted privacy and security rules apply to PG&E, SCE, and SDG&E, the companies that assist them in utility operations, companies under contract with the utilities, and other companies that, after authorization by a customer or by the action of the Commission, gain access to the customer's usage data directly from the utility. Each utility must file within 90 days a Tier 2 advice letter proposing whatever tariff changes are necessary to conform its corporate policies concerning customer usage data to the Rules Regarding Privacy and Security Protections for Energy Usage Data in Attachment D of this decision.

In addition to the adopted rules protecting the privacy and security of usage data, the decision adopts policies to govern access to customer usage data by customers and by authorized third parties. PG&E and SCE must continue to provide and SDG&E must provide access to customer usage data. Each utility must provide pricing, usage and cost data to customers in the customer-friendly manners discussed below. Specifically, within six months, PG&E, SCE, and SDG&E must each file a Tier 2 advice letter including tariff changes to make price, usage and cost information available to its customers online and updated at least on a daily basis. Each day's usage data, along with applicable price and cost details, and with hourly or 15-minute granularity (matching the time granularity programmed into the customer's smart meter), must be available by the next day. The tariff changes must offer residential customers bill-to-date, bill forecast data, projected month-end tiered rate, and notifications as the customers cross rate tiers as part of the pricing data provided to customers. The prices must state an "all in" price the customers pay for electricity.

In addition, the three utilities are directed to work with the California Independent System Operator (CAISO) in developing a methodology to make wholesale prices available to customers on each company's website. The utilities shall report on this work with the CAISO in their advice letter filings. The advice letter filings should also contain a proposal for the provision of wholesale prices to interested customers.

Within six months of the mailing of this decision, PG&E, SCE and SDG&E must each file an application that includes tariff changes which will provide third parties access to a customer's usage data via the utility's backhaul when authorized by the customer. The three utilities should propose a common data format to the extent possible and be consistent with ongoing national standards efforts. The program and procedures must be consistent with the policies adopted in the Rules Regarding Privacy and Security Protections for Energy Usage Data (Attachment D to this decision). The applications should propose eligibility criteria, a process for determining eligibility, and a process whereby the Commission can exercise oversight over third parties, such as a registration process. The three utilities are encouraged to participate in a technical workshop to be held by the Commission in advance of the filing date. The applications may seek recovery of incremental costs associated with this program.1 The resulting Commission proceeding will determine whether and how this information will be made available.

Within six months of the mailing of this decision, PG&E, SCE, and SDG&E must, separately or jointly, commence a pilot study to provide price information to customers in real time or near-real time. The pilot study shall be of a size that yields meaningful results. Each utility shall file status reports semi-annually with the Energy Division Director for a period of two years, unless directed by the Energy Division Director to continue such reports for a specified additional period of time.

The decision orders PG&E, SCE, and SDG&E to each file a Tier 3 advice letter within four months to develop Smart Meter Home Area Network implementation plans specific to each. The plans must include an initial rollout of service to up to 5000 Home Area Network (HAN) devices that would allow HAN activation for early adopters upon request. The details of these implementation plans are specified in this decision. The full rollout shall require smart meters to transmit energy usage data to the home so that it can be received by a HAN device of the consumer's choice.

The decision also adopts reporting and audit requirements regarding the utilities' customer data privacy and security practices, third-party access to customer usage information, and any security breaches of customer usage information.

The adopted privacy and security rules and policies providing access to billing and usage data are reasonable. They will protect the privacy and security of customer usage data while ensuring customer access to usage information and enabling utilities and authorized third parties to use the information to provide useful energy management and conservation services. In addition, the rules and policies are consistent with privacy and security principles adopted by the Department of Homeland Security and with the policies adopted in SB 1476. Thus, these rules will bring California practices into conformity with the best national privacy and security practices.

The rules and policies adopted in this decision do not apply to other electrical corporations, gas corporations, community choice aggregators, or electric service providers. This decision, however, commences a new phase of this proceeding to explore how the Rules Regarding Privacy and Security Protections for Energy Usage Data in Attachment D of this decision and other requirements of this decision should apply to gas corporations, community choice aggregators, and electric service providers. Consistent with statutory provisions, an amended scoping memo will determine a schedule for this new phase of the proceeding and set a new deadline for the resolution of this proceeding consistent with § 1701.5. Finally, this decision requires that when and if Bear Valley Electric Service (a division of Golden State Water Company, U913E), Mountain Utilities (U906E), PacifiCorp (dba Pacific Power Company, U901E), and California Pacific Electric Company, LLC (CalPeco) (U903E) file an application to deploy Smart Meters, then that application shall address how these privacy protections should apply to their operations.

2. Background: The Evolution of the Question of How to Promote Private, Secure, Useful and Timely Access to Electricity Usage Data

The changing laws and policies pertaining to the Smart Grid have complicated the procedural history of this proceeding and have altered the shape of the issues that the Commission must address. This section describes the procedural and statutory history that is relevant for developing Smart Grid policies to protect the privacy and security of usage data and to permit customers and authorized third parties to access that usage data.

With the enactment of Senate Bill (SB) 1476 (Padilla),2 compliance with its specific requirements became a major aspect of the Commission's efforts to ensure that the privacy and security rules adopted by the Commission protect consumers.

The origins of the privacy and security issues in this proceeding, however, preceded the enactment of SB 1476.3 On July 30, 2010, an Assigned Commissioner and Administrative Law Judge's Joint Ruling (Joint Ruling) set a Prehearing Conference (PHC) for August 20, 2010 to consider issues relating to data privacy, security of the Smart Grid, and access to data by customers and third parties. The Joint Ruling also invited the filing of PHC Statements no later than August 13, 2010. Thus, the Joint Ruling set as a central issue in this phase of the proceeding the determination of the best ways to implement and use Smart Grid technologies to promote California's energy policies while protecting consumer interests.

In advance of the PHC, CTIA - The Wireless Association; AT&T California (U1001C), AT&T Communications of California, Inc. (U5002C), and New Cingular Wireless PCS, LLC (U3060C) (filing jointly as AT&T); the Consumer Federation of California (CFC); Pacific Gas and Electric Company (U39E) (PG&E); Southern California Edison Company (U338E) (SCE); the Technology Network (TechNet); Tendril Networks Inc. (Tendril); San Diego Gas & Electric Company (U902E) (SDG&E) and Southern California Gas Company (U904G) (SoCalGas), filing jointly; The Utility Reform Network (TURN); the Division of Ratepayer Advocates (DRA); the Center for Democracy & Technology and the Electronic Frontier Foundation, filing jointly (CDT/EFF); the California Independent System Operator (CAISO); and OPOWER, Inc. (OPOWER) provided PHC Statements.

On August 20, 2010, a PHC took place in San Francisco. At the PHC, parties constructively discussed the steps needed to establish a record to permit the Commission to decide issues associated with customer and third-party access to usage data and the related issues of privacy and security. The most constructive suggestions to emerge in the PHC were those that recommended that the Commission stop further consideration of abstract principles and instead focus on issues related to privacy and security protections for the usage data generated by Smart Meters and communicated on the Smart Grid. These suggestions called for a direct consideration of the proposed uses of the Smart Grid data and the planned access to the data that a utility will provide to customers and to third parties.4

On September 27, 2010, an Assigned Commissioner's Ruling (ACR) ruled that PG&E, SCE, and SDG&E must file comments on certain privacy and access questions. In addition, the ACR ordered PG&E to provide an overview of the statutory scheme adopted in California to protect customer privacy. The ACR also ordered SDG&E to provide information on its program that offers third-party access to usage data. The ACR invited proposals from any party that would help ensure the security of customer data while permitting access to the information by authorized third parties. These comments were due on October 15, 2010.

On September 29, 2010, SB 1476[5] was signed into law and chaptered by the Secretary of State. SB 1476 added sections 8380 and 8381 to the Pub. Util. Code. These new sections addressed issues of privacy arising from the use of Smart Meters.

On October 15, 2010, the Local Government Sustainability Energy Coalition, OPOWER, PG&E, Utility Consumer Action Network (UCAN), Verizon California Inc. (Verizon),6 TechNet, Tendril, SCE, CDT/EFF, CFC, DRA, SDG&E, EnerNOC, Inc. (EnerNOC), AT&T, TURN, and California Large Energy Consumers Association (CLECA) filed opening comments.7 In addition to the information sought by the ACR, PG&E's review of applicable statutes provided many details concerning the newly enacted SB 1476 and other statutes that create a framework to protect consumer privacy.8

On October 25 and 26, 2010, workshops took place in which parties discussed the proposals contained in the opening comments and the requirements of SB 1476.

Because of regulatory and legal complexities that the workshops identified, an Administrative Law Judge (ALJ) Ruling on October 29, 2010 extended the deadline for reply comments to November 8, 2010 and established a briefing cycle for parties to address issues concerning the extent of the Commission's authority over entities that acquire access to information on a consumer's energy usage either through the utility or through some other means.

By November 8, 2010, the Center for Energy Efficiency and Renewable Technologies (CEERT), TURN, AT&T, the Future of Privacy Forum, CDT, SCE, PG&E, the State Privacy & Security Coalition and TechNet (filing jointly), Verizon, CAISO, CFC, EnerNOC, UCAN, SoCalGas, DRA, Control4 Corporation (Control4), and SDG&E filed reply comments.9

By November 22, 2010, responding parties filed opening briefs on jurisdictional issues. Several parties filed jointly. Specifically, the high technology parties EnerNOC, TechNet, Control4 and Tendril (Technology Companies) filed jointly. The consumer groups DRA, TURN and UCAN (Customer Representatives) filed jointly. Verizon and AT&T (Telephone Companies) filed jointly. SDG&E and SoCalGas (Sempra Utilities) filed jointly. PG&E, SCE, and CFC filed separate briefs.

By December 6, 2010, parties filed reply briefs. The Technology Companies filed a joint reply brief. The Customer Representatives also filed a joint reply brief. The Telephone Companies filed a joint reply brief. The Future of Privacy Forum, SCE, and CFC separately filed reply briefs.

On January 1, 2011, SB 1476 went into effect.

3. Commission's Authority over Smart Grid Issues Enhanced and Clarified by Recent Legislation

As noted above, recent legislation, including SB 1476, SB 17 (Padilla)[10] and the Energy Independence and Security Act of 2007[11] (EISA), has addressed issues arising from the Smart Grid and has required both interpretation and implementation throughout this proceeding. In addition, the Pub. Util. Code and past Commission decisions reflect California's long-standing interest in the protection of the privacy of utility customers.

Because of the recency of some statutory provisions and the long-standing nature of other privacy and security policies, it is prudent to review the relationship between the Fair Information Practice (FIP) Principles, endorsed in Decision (D.) 10-06-047, and applicable statutes and past Commission decisions that apply to the privacy issues posed by Smart Meters and the Smart Grid. Such a review can help ensure a regulatory approach consistent with law and precedent, determine whether the FIP principles are consistent with SB 1476, and determine whether the FIP principles can be used to develop privacy rules consistent with statutory requirements.

3.1. SB 1476 Seeks to Protect the Privacy of Usage Information

SB 1476 contains a preface that explains the legislative intent of § 8380, a section that it adds to the Pub. Util. Code:

This bill would prohibit an electrical corporation or gas corporation from sharing, disclosing, or otherwise making accessible to any 3rd party a customer's electrical or gas consumption data, as defined, except as specified, and would require those utilities to use reasonable security procedures and practices to protect a customer's unencrypted electrical and gas consumption data from unauthorized access, destruction, use, modification, or disclosure.

The bill would prohibit an electrical corporation or gas corporation from selling a customer's electrical or gas consumption data or any other personally identifiable information for any purpose.

The bill would prohibit an electrical corporation or gas corporation from providing an incentive or discount to a customer for accessing the customer's electrical or gas consumption data without the prior consent of the customers.

The bill would require that an electrical or gas corporation that utilizes an advanced metering infrastructure that allows a customer to access the customer's electrical and gas consumption data to ensure that the customer has an option to access that data without being required to agree to the sharing of his or her personally identifiable information with a 3rd party.

The bill would provide that, if the electrical corporation or gas corporation contracts with a 3rd party for a service that allows a customer to monitor his or her electricity or gas usage, and the 3rd party uses the data for a secondary commercial purpose, the contract between the electrical or gas corporation and the 3rd party shall provide that the 3rd party prominently discloses that secondary commercial purpose to the customer.12

This clear statement of policy guides our implementation of § 8380.

3.2. Are FIP Principles Consistent with SB 1476 and Other California Statutes?

On March 9, 2010, CDT/EFF filed comments in this proceeding proposing that the Commission adopt FIP principles to protect the privacy of consumers. CDT/EFF noted that these FIP principles were adopted by the Department of Homeland Security and argued that "a framework developed for information systems affecting the national security is also well-suited to the issues posed by the Smart Grid."13

CDT/EFF stated that "[t]he DHS framework includes the following eight principles: (1) Transparency, (2) Individual Participation, (3) Purpose Specification, (4) Data Minimization, (5) Use Limitation, (6) Data Quality and Integrity, (7) Security, and (8) Accountability and Auditing."14

In its October 15, 2010 Comments, CDT/EFF renewed its request that the Commission adopt the FIP principles and demonstrated how these principles could lead to specific proposals to protect privacy.15

PG&E, at the request of the ALJ, provided a compendium of California law and Commission decisions applicable to privacy practices pertaining to the electricity usage of consumers as part of its opening response to the September 27, 2010 ACR.16 Subsequently, in preparation for the October 25-26 workshops, PG&E mapped California statutes to the FIP principles,17 as follows:

1. Transparency - SB 1476, Pub. Util. Code § 8380(c) adopts requirements that make the use of a consumer's energy data transparent to the consumer. Section 8380(c) states: "If an electrical corporation or gas corporation contracts with a third party for a service that allows a customer to monitor his or her electricity usage, and that third party uses the data for a secondary commercial purpose, the contract between the electrical corporation or gas corporation and the third party shall provide that the third party prominently discloses that secondary commercial purpose to the customer."

CA Business and Professions Code § 22575 requires online posting of the privacy and third-party access policies of California businesses, including energy utilities.

2. Individual Participation - SB 1476, Pub. Util. Code § 8380(b)(1) anticipates the participation of individuals in protecting their own privacy by requiring a customer's consent before disclosure of information to a third party. Section 8380(b)(1) states: "An electrical corporation or gas corporation shall not share, disclose or otherwise make accessible to any third party a customer's electrical or gas consumption data, except as provided in subdivision (e) or upon the consent of the customer."

CA Civil Code Section 1633.1 et seq. - authorizes the use of electronic transactions/signatures to satisfy laws requiring records to be in writing.

3. Purpose Specification - SB 1476, Pub. Util. Code § 8380(e)(2) designates certain purposes for which disclosure of usage information is expected and automatically approved. Section 8380(e)(2) states: "Nothing in this section shall preclude an electrical corporation or gas corporation from disclosing a customer's electrical or gas consumption data to a third party for system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs, provided that, for contracts entered into after January 1, 2011, the utility has required by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, and prohibits the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer's consent."

4. Data Minimization - Although a principle of data minimization is not explicitly required in SB 1476, Commission actions frequently set requirements concerning the collection, retention and reporting of data. Commission rate cases, general regulation, and the Pub. Util. Code often state periods for data retention or reporting of data. For example, Pub. Util. Code § 6354(e) states: "Energy utilities must report to municipalities the names and addresses of customers who transport gas or electricity, for the purposes of enforcing taxes and fees. Municipalities shall not disclose such customer information to third parties." Thus, even if policies of data minimization are not explicitly contained in SB 1476, data collection and retention, the key to a FIP of data minimization, certainly fall within the purview of the Commission.

5. Use Limitation - SB 1476, Pub. Util. Code § 8380(e)(2), cited above, limits the use of electricity usage information. Specifically, § 8380(e)(2) prohibits the use of energy consumption data for a secondary commercial purpose not related to the primary purpose of the contract without the customer's consent.

6. Data Quality and Integrity - Although a principle supporting data quality and integrity is not explicitly required in SB 1476, Commission regulation of utility operations and services requires the accuracy of underlying information. Most directly, it is clear that ensuring the accuracy of data is consistent with consumer protection initiatives in the Pub. Util. Code that require that rates and bills be reasonable.

7. Data Security - SB 1476, Pub. Util. Code § 8380(d) explicitly calls for keeping the information associated with the smart grid safe. Section 8380(d) states: "An electrical corporation or gas corporation shall use reasonable security procedures and practices to protect a customer's unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure."

In summary, the FIP principles are closely related to SB 1476 and the consumer protection initiatives that have developed out of the Pub. Util. Code, and each principle is supported by law and precedent.

3.3. Should the Commission Use FIP Principles to Develop Privacy and Security Regulations?

With the passage of SB 1476, an issue arose in this proceeding over whether to adopt the FIP principles and then develop regulations proceeding from the principles, or whether to proceed directly from the statute to the regulations.

CDT/EFF was the first to address this matter, and presented proposed rules in their Opening Comments. A goal of CDT/EFF's comments and proposed rules was to operationalize the FIP principles. In Reply Comments, CDT further argued that the rules proposed by CDT/EFF constitute "a concrete set of Smart Grid privacy safeguards, based on the widely accepted Fair Information Practice principles."18

CDT's presentation of its rules relied on the FIP principles, thereby demonstrating the usefulness of these principles for developing rules to protect the privacy and security of energy usage information.

In comments, DRA argued that the Commission has already decided the issue of whether to rely on the FIP principles. DRA claimed that D.10-06-047 adopted the FIP principles "as a framework for privacy rules"19 and recommended that the Commission simply proceed "to adopt more specific rules."20

Other consumer groups also supported the FIP principles. UCAN strongly supported the FIP principles in Opening Comments, stating:

For the purposes of protecting personal information, a time-tested approach to policy development is to utilize the Principles of Fair Information Practices.21

TURN similarly supported the CDT/EFF proposed rules based on the FIP principles, stating:

TURN has reviewed a draft of the comments being submitted by the CDT/EFF and strongly supports their proposed rules that operationalize the Fair Information Practice Policies.22

The Future of Privacy Forum also endorsed the FIP principles, stating:

We encourage the Commission to adopt rules that encompass the principles embodied in the well-accepted Fair Information Practice Principles, covering all collection, use, retention, and sharing of data.23

In the wake of the adoption of SB 1476, PG&E provided a workshop presentation, summarized above, to show how SB 1476 provides statutory support for the major elements of the FIP principles. Subsequently, PG&E argued that it "jointly presented [with CDT] a draft of privacy principles which reflected ...a possible consensus for adoption by the Commission."24

SCE also responded favorably to the usage of the FIP principles. SCE stated that SCE "focuses its reply on customer data privacy issues on CDT's 'straw' proposal,"25 which was built on the FIP principles. Thus, SCE's proposals implicitly presume that the FIP principles are reasonable guiding principles for privacy and security rules.

Not all parties, however, took such a supportive view of the FIP principles. SDG&E, in particular, urged a more tentative approach to the adoption of the FIP principles. SDG&E argued:

SDG&E agrees in principle with the efforts made by CDT & EFF in their proposal, but suggests that the scheme requires further analysis in order to achieve greater consistency in provisions and reasonably accommodation before the [Commission] considers establishing electric utility operational FIPs.26

SDG&E, a member of Sempra Utilities, urged caution, stating:

At a minimum, SDG&E submits that a technical working group should be established to create a common "straw man proposal" or set of "use cases" to foster a better overall understanding of how the FIP's privacy principles may be implemented or applied to the electric IOUs.27

SoCalGas, another member of the Sempra Utilities, expressed skepticism concerning the ability of the Commission to make operational the FIP principles. SoCalGas argued:

SoCalGas believes that current laws are sufficient and adequate enough to protect the customer's privacy. Overall, SoCalGas agrees with the Center for Democracy and Technology and Electronic Frontier Foundation proposal and the Fair Information Practice principles, however, the intentional vagueness of the proposal, although accommodating a myriad of circumstances, is not specific enough for implementation. SB 1476 is sufficient for the operation of the gas [Advanced Meter Infrastructure] network to be deployed by SoCalGas pursuant to D.10-04-027.28

More specifically, SoCalGas stated that:

SoCal Gas does not believe that the Commission has yet provided a clear direction that the policies being considered in this proceeding should be expanded beyond the electric grid system. Conversely if the Commission wants to apply the FIP's standards to gas corporations, then SoCalGas would urge those issues be further discussed, analyzed or vetted within the gas service provider context.29

EnerNOC also saw no need for addressing FIP principles, and instead argued:

The Commission should focus on implementing SB 1476 as simply and as quickly as possible. No further restrictions or privacy protections are needed, especially in the CI&I sector.30

CEERT advocated a more mixed position. CEERT did not object to the FIP principles, and argued that: "Fair Information Principles practices are a good basis for protecting customer privacy, if necessary, but NIST [National Institute of Standards and Technology] cyber-security standards should form the basis of keeping customer data secure."31 On the other hand, CEERT also argued that "... SB 1476, therefore, does not signify that this Commission is authorized to identify all 'potential' abuses related to 'energy consumption data,' but rather is required to follow the express dictates of Section 8380 in terms of adopting rules applicable to jurisdictional IOUs."32

AT&T did not directly address the FIP principles and their relationship to SB 1476. Instead, AT&T summarized its position on privacy and security as:

AT&T encourages the Commission to avoid the adoption of rigid, burdensome consumer privacy rules. Instead, the Commission should seek to adopt a simple framework based on the requirements of SB 1476.33

Verizon, similarly, did not object to FIP principles, but cautioned that "overly broad and granular rules ... will stifle the development of innovative new products and services without providing useful benefits to consumers."34

3.4. Discussion: FIP Principles are Consistent with Pub. Util. Code and Offer a Good Basis for Developing Privacy and Security Regulations

This decision adopts the FIP principles as guides for developing California policies and regulations that aim to protect the privacy and security of the electricity usage data of consumers.

The analysis conducted by PG&E and other parties in this proceeding allows us to affirm that the FIP principles are consistent with SB 1476, the Pub. Util. Code, and emerging national privacy and security practices.

Moreover, the comments and discussion of the parties permit us to remove any uncertainty concerning the utility of the FIP principles for development of a regulatory program to protect privacy. D.10-06-047 took the first step towards adopting the FIP principles as the framework for privacy policy in California. D.10-06-047 states:

... we agree with CDT-EFF and Researchers that an assessment of privacy and grid security issues should be included as part of this baseline report.35

D.10-06-047 then noted, with favor, that:

CDT-EFF suggests that this privacy assessment should be responsive to the principles outlined in the Fair Information Practices.36

D.10-06-047, however, did not clearly adopt the FIP principles as California policy for the Smart Grid. This decision does so now.

PG&E's analysis, quoted above, links five of the seven FIP principles to specific statutory provisions in SB 1476 and the Pub. Util. Code. This analysis makes it clear that these five principles - Transparency, Individual Participation, Purpose Specification, Use Limitation and Data Security - are consistent with California statutory requirements and are necessary for ensuring that a regulatory program to promote policy meets the statutory requirements of the Pub. Util. Code.

The two principles not specifically linked to statutory requirements in the analysis above - Data Minimization and Data Quality and Integrity - are also reasonable principles and consistent with California law and policy objectives. A principle and practice of "Data Minimization" will clearly promote the security of data. Limiting the collection of personal data to just what is needed reduces the amount of data that requires protection and reduces the risks that arise from a security breach. Thus, a principle of data minimization follows directly from the public interest in keeping data secure.

The FIP principle of promoting Data Quality and Integrity is also both reasonable and consistent with California law. Data quality and integrity are critical to the rendering of accurate and reasonable bills. Moreover, accurate data helps protect consumers from the adverse consequence of false consumption and payment data.

In conclusion, this decision adopts the FIP principles as the framework for developing specific regulations to protect consumer privacy because these principles are consistent with California law, consistent with emerging national privacy and security policies, and supported by the record in this proceeding. A statement of the FIP principles brings clarity to the goals of California privacy and security regulations. A subsequent section of this decision will adopt regulations to protect privacy and security that operationalize the FIP principles. Our ability to translate the principles into a regulatory program belies the criticisms that the FIP principles are "not specific enough for implementation."37

4. Jurisdiction: What is the Extent of the Commission's Authority and Obligation to Protect Confidential Consumer Information?

The technology of the Smart Grid and the participants in Smart Grid include companies other than investor owned utilities. In addition, much state and federal legislation concerning the Smart Grid is new. In light of the novelty of this technology and the laws setting policy, it is unsurprising that legal issues arise over the extent of the Commission's jurisdictional authority over data generated by Smart Meters. As noted in the procedural history section above, the Commission asked parties to brief issues pertaining to the Commission's jurisdiction over the data created by Smart Meters and over those who obtain access to this data, either through the utilities or through some other means. A goal of this briefing cycle was to clarify jurisdictional issues arising from new laws and new technologies in order to ensure that the Commission possesses the statutory authority necessary to support the program that it adopts.

The record in this proceeding has demonstrated that the data on energy consumption generated by Smart Meters and transmitted by the Smart Grid will prove critical to future conservation and grid management efforts. Enabling consumers and companies to assess and act on this information is key to advancing many of California's energy policies, such as promoting conservation, reducing demand in response to grid events and price signals, reducing summer peak demands, and efficiently incorporating renewable energy and electric vehicles into grid operations.

Our investigation shows that access to detailed, disaggregated data on energy consumption can reveal some information that people may consider private. Thus, the inadvertent release or the theft of this data could provide information that diminishes the privacy of electricity users.

The workshops on privacy in this proceeding held on October 25 and 26, 2010, revealed substantive disagreements over the reach of the Commission's authority and the Commission's ability to protect the privacy of the information that is generated by the Smart Meters and transmitted through the Smart Grid. Subsequent to the workshops, an October 29, 2010 ALJ Ruling posed two questions for the parties to this proceeding to brief:

1) What authority does the Commission have over entities that receive information on a consumer's energy usage from the utility? What actions, if any, can the Commission take in response to misuse of data by such an entity?

2) What authority, if any, does the Commission have over entities that receive information on a consumer's energy usage from sources other than the utility (from a HAN device or from the customer, for example)? What actions, if any, can the Commission take in response to misuse of data by such an entity?38

Opening Briefs were due by November 22, 2010 and Reply Briefs were due by December 6, 2010.

4.1. Arguments of Parties in Briefs

The briefs filed in this proceeding included a mix of statutory and policy analyses. As they did in the workshops, parties differed substantially in their views concerning the authority of the Commission to protect the data generated by Smart Meters and the prudency of adopting far-reaching rules at this time.

There was, however, little controversy concerning the authority of the Commission to protect the privacy of information in the hands of the utility. The argument in support of Commission authority over usage data in the hands of the utility was perhaps most forcefully made by the Customer Representatives. The Customer Representatives argued that the discussion at the workshops "made clear that if the IOU or its contractor receives data generated from smart meters or related devices, the Commission has full jurisdiction to apply and enforce privacy rules."39 To a large extent, this is the practice in place for data generated today in the course of the utility's business.

The Customer Representatives argued further that "[t]he real issue for decision is whether the Commission can apply and enforce rules on parties who seek energy usage data directly from the customer, and who are not in privity/contract with the IOUs."40 The Customer Representatives argued that the Commission has the authority "to adopt privacy rules applicable to all parties that seek to possess and use Smart Grid-related data."41

This position was opposed by many parties, and the central issue that was disputed in briefs was what authority the Commission has over those entities not involved in utility operations that have obtained customer approval to access their usage data.

On this matter, the Customer Representatives argued that the Commission has authority over those who have access to usage data. The Customer Representatives articulated a three-step argument in their Opening Brief that supported their expansive interpretation of the statutory authority of the Commission, arguing that the authority of the Commission reaches anyone with the data. The three steps are as follows:

Step 1: Pub. Util. Code Section 701 confers broad power on the Commission to regulate public utilities.42

Step 2: "In PG&E Corp v. Public Utilities Comm.,43 the court made clear that the Commission may enforce conditions against non-public utilities (in that particular case, utility holding companies) where such jurisdiction was not barred by statute and was essential to the Commission's assertion of regulatory authority over utilities. 118 Cal. App. 4th at 1199."44 This court decision established the "cognate and germane" criteria (discussed below) for determining the reach of Commission authority.

Step 3: The regulation of third parties' interaction with customers over access to their energy usage data "is an exercise of authority that is cognate and germane to the Commission's regulation of IOUs [investor owned utilities] and therefore permissible under Public Utilities Code § 701."45 Therefore, the Commission has authority over any third party who obtains access to a customer's energy usage data.

In addition to this legal argument based on § 701 and court precedent, the Customer Representatives argued that SB 1476 strengthens the Commission's jurisdiction over third parties because it "reaffirmed the importance of protecting customer's privacy rights inherent in Smart Grid data."46 The Customer Representatives contended that although the statute is silent on the full extent of authority over third parties, the legislative history states that the bill:

... would provide that a customer's electric or gas consumption data shall be securely kept by the local publicly owned electric utility or electrical or gas corporation and shall not be accessible by a third party, unless a customer chooses to access his or her consumption data from a third party using a smart meter, after being given the option not to relinquish his or her data.47

The Customer Representatives contended that this legislative intent, combined with the statutory authority conveyed, has provided the Commission with full authority to protect consumers by regulating access to and the use of electricity consumption data by any party in its possession.

Finally, the Customer Representatives argued that the Commission has a "long-standing enforcement obligation to protect California's electric customers."48 To meet this obligation, Customer Representatives recommended that the Commission "[a]dopt a registration process for all third parties seeking customer Smart Grid data and ensure that oversight agencies will enforce customers' privacy rights against any third-party party [sic] that misuses their energy consumption or other energy-related data."49

CFC, like the Customer Representatives, argued that there is broad Commission authority over any third party who acquires data on energy consumption, no matter what the source. CFC also argues that regulation to protect the privacy of this data is "cognate and germane" to the exercise of the Commission's regulatory authority.50

SCE's Opening Brief offered a detailed analysis of the jurisdictional questions posed in the ACR. In response to Question 1 - Commission authority over those obtaining consumption data from the utility - SCE argued that Commission authority over utilities and their contractors is well settled. Concerning Commission authority over other third parties, SCE argued that "absent a statutory grant of authority, the Commission has no jurisdiction to enforce the consumer protections compliance of these third parties."51 SCE, however, noted that this is not the end of the story because "the Commission has full authority to establish IOU tariffs governing third-party access to customer data from the IOUs"52 and that "tariffs can authorize the IOUs - and advise or require customers - to take appropriate precautions in releasing customer data to third parties."53

In response to question 2 - concerning Commission authority over entities that acquire consumption data through channels that do not include the utility - SCE argued that "absent a statutory grant of authority, the Commission has no jurisdiction to enforce the consumer protections compliance of these third parties."54 Here, however, SCE found that "the Commission has full authority to direct the IOUs to help customers"55 because "[c]ustomer awareness is likely to be one of the most effective tools against misuses of customer data by third parties."56

PG&E's Brief, rather than arguing for a single position concerning Commission jurisdiction, presented arguments for and against the Commission's authority to enforce privacy rules in specific situations and identified approaches that permit the Commission, in its view, to exercise authority over the terms of data use without incurring a high litigation risk.

PG&E found that the nexus between the utility and its provision of consumption data to a third party can extend Commission jurisdiction to the third party. PG&E argued that based on its reading of Hillsboro57 and PG&E Corp.,58 "the regulation of the third party's use and access to the information is arguably 'cognate and germane' to the jurisdictional activities of the utility itself."59 PG&E, however, also argued that:

...the recent enactment of Public Utilities Code Section 8380 by the California Legislature calls into question whether that reach extends to non-utilities even when they receive consumer energy usage information directly from a utility. Under the canon of statutory construction expressio unius est exclusio alterius, the fact that Section 8380 confers authority on the Commission to directly regulate utilities but not their non-utility agents and contractors, arguably would support a conclusion that the Legislature intends the Commission to only regulate utilities on these matters.60

Like SCE, PG&E found a resolution to this potentially limited authority in tariffs:

... for nearly twenty years, [Commission]-jurisdictional utilities have implemented specific tariffs and other restrictions on access to customer-specific information under Commission rules and orders. To the extent these tariffs and underlying Commission rules and orders dictate the terms and conditions of non-utility access to consumer energy usage information, any breach of those access restrictions can be remedied by a Commission order enjoining a utility from continuing to provide such information to the non-utility.61

Thus, PG&E ultimately found merit to the argument that the Commission's authority over tariffs can be used to promote the privacy of consumer data.

PG&E argued that the Commission's authority over third parties that acquire consumption information from a customer device is limited, arguing that "... the Commission's interest and jurisdiction to regulate that appears more attenuated than other utility-related regulations."62 On the other hand, PG&E noted that the utility can control the access of any device to the Smart Meter, and PG&E contends that "the Commission could attempt to indirectly regulate the privacy of information generated by HAN-enabled or other commercially available consumer devices 'beyond the meter' through conditions applied to a utility's registration of such devices on its Home Area Network."63

The Sempra Utilities also argued that the Commission has clear authority over the uses of data by the utility or by those in contract to the utility to perform a utility operation. The Sempra Utilities, however, argued that the Commission's authority over third-parties who acquire information from a non-utility measurement device, such as the commercially available "TED" device,64 or from a customer who transfers data to a third party from a HAN that is registered with the Smart Meter, is "uncertain."65

The Telephone Companies argued that under SB 1476,

... legislation prohibits utilities to "share disclose or otherwise make accessible to any third party a customer's electrical or gas consumption data" absent a contractual requirement with the third party to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information" and to "protect the personal information from unauthorized access, destruction, use, modification, or disclosure."66

The Telephone Companies also argued that "new certification and reporting requirements on third parties" and prohibiting "third parties from even being allowed to seek customer consent to the use of personal data for 'secondary commercial purposes' is contrary to the plain language of SB 1476."67 Instead, the Telephone Companies contended that "the Commission should decline to exercise that authority [§ 701] at this time in reliance on the principles of competitive and technological neutrality previously discussed."68

The Technology Companies also argued for a restrictive view of the Commission's authority over third-parties and their HAN networks, which they call "non-utility devices." Concerning SB 1476, the Technology Companies contended that "the Legislature has not expanded this Commission's jurisdiction to regulate customers or authorized third parties with respect to data access or their use of non-utility devices within the privacy of their homes or businesses."69 In addition, the Technology Companies argued that "the Commission has no regulatory jurisdiction over non-utility devices or 'sources' of 'energy consumption data.'"70

In the Reply Briefs, parties both supported their arguments and identified the weaknesses of others, and therefore this decision will not discuss each Reply Brief. One Reply Brief, however, deserves special comment. The Customer Representatives, in their Reply Brief, argued that PG&E misstated D.09-03-026 when PG&E concluded that the Commission has already endorsed the ability of third-parties to link their commercially-available HAN devices to utility Smart Meters without regulation of the customer/third party relationship. Instead, the Customer Representatives contended that D.09-03-026 "says nothing to indicate that the Commission has precluded regulation of the customer/third-party relationship."71

4.2. Discussion: Jurisdiction Over Utilities and Their Contractors/Agents is Clear; Other Determinations Deferred

Because a major goal of this decision is to adopt a regulatory program to protect the privacy and security of usage data collected by the three electrical corporations that are the subject of this proceeding, the Commission need not consider the Commission's authority over data in the abstract. Instead, the Commission need only inquire as to whether the Commission has the authority to take specific regulatory actions to protect the interests of consumers.72

In the situation before us, SB 1476 provides specific guidance and grants the Commission authority to accomplish the legislative goals and requirements. The relevant sections added to the Pub. Util. Code are:

8380(b)

(1) An electrical corporation or gas corporation shall not share, disclose, or otherwise make accessible to any third party a customer's electrical or gas consumption data, except as provided in subdivision (e) or upon the consent of the customer.

(2) An electrical corporation or gas corporation shall not sell a customer's electrical or gas consumption data or any other personally identifiable information for any purpose.

(3) The electrical corporation or gas corporation or its contractors shall not provide an incentive or discount to the customer for accessing the customer's electrical or gas consumption data without the prior consent of the customer.73

8380(d) An electrical corporation or gas corporation shall use reasonable security procedures and practices to protect a customer's unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure.74

SB 1476 also envisions that a utility may contract with third parties to conduct basic utility operations. In these situations, SB 1476 requires privacy protections similar to those under which a utility operates.

The Commission can also ensure that utility contracts, which the Commission has the authority to review, contain privacy protections. In addition, the statute provides treatment for demand response, energy management and energy efficiency programs that is equal to system, grid or operations needed to provide energy services:

8380(e)(2) Nothing in this section shall preclude an electrical corporation or gas corporation from disclosing a customer's electrical or gas consumption data to a third party for system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs, provided that, for contracts entered into after January 1, 2011, the utility has required by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, and prohibits the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer's consent.75

If an electric utility enters into a contract with a third party to provide a service to the utility customer using the data from a Smart Meter, SB 1476 also sets specific requirements concerning what the contract must contain:

8380(c) If an electrical corporation or gas corporation contracts with a third party for a service that allows a customer to monitor his or her electricity or gas usage, and that third party uses the data for a secondary commercial purpose, the contract between the electrical corporation or gas corporation and the third party shall provide that the third party prominently discloses that secondary commercial purpose to the customer.76

This statutory language leads us to conclude that the Commission has both broad powers and a legislative mandate to develop rules and regulations to protect the usage data of utility customers vis-à-vis the utility, its operational contractors, and those with whom a utility contracts to provide energy monitoring services to utility customers.

In addition to parties contracting directly with a utility for the performance of a "primary purpose," the Commission also oversees third party access to energy data in support of specific energy programs that serve a "primary purpose." Currently, there are about 200 firms or other providers of energy efficiency services who have Commission authorization to conduct energy efficiency programs or energy efficiency program evaluations and have access to information for this primary purpose under contract with the Commission. Beyond these firms, other government entities, such as local government and state agencies, implement energy efficiency programs and obtain access to consumption data under the Commission's supervision. In these situations, the protection of consumer privacy is an element of the Commission's review prior to authorizing access to customer usage data and the Commission's ongoing oversight of these energy efficiency programs. All entities receiving data for energy efficiency or energy efficiency evaluation purposes pursuant to Commission authorization receive and handle such data under strict controls, either as a result of a specific authorization by the Commission for a governmental entity to perform energy efficiency programs or, in the case of non-governmental entities, in a contract between the Commission and the non-governmental third party. As the statutory language makes clear, providing access to this information when used for demand response, energy management, or energy efficiency programs by government agencies and by other third parties under contract with and on behalf of the Commission qualifies for treatment equal to that given to information used for system, grid or operational activities necessary for the provision of energy services. 

Providing usage data to governmental entities that implement energy efficiency programs or evaluate energy efficiency programs authorized and overseen by the Commission and to other third parties carrying out energy efficiency or energy efficiency evaluation programs under contract with and authorized by the Commission is not a discretionary act for the utility, and it is not reasonable to hold utilities liable for the uses of this data. Therefore, the utilities have no new liability concerning how this data is used. (This limitation on liability does not apply when a utility has acted recklessly.)

Still other third parties may acquire consumption data: 1) from the utility via the "backhaul" with the consumer's authorization and pursuant to tariff conditions (currently Google obtains information in this manner from San Diego); 2) via a HAN-enabled device installed at the customer's house which obtains data from the Smart Meter and passes it on; or, 3) from the customer, who obtains it from the utility or from the Smart Meter77 in an electronic form that permits forwarding to the third party. In these situations, the utility is not liable for the third party's use of the usage data since the usage data is not provided to the third party pursuant to a contractual arrangement with the utility. (This limitation on liability does not apply when a utility has acted recklessly.) In these situations, the Commission will rely on a combination of Commission oversight and customer education and vigilance to ensure the proper treatment of the data.

At this time in the evolution of the Smart Grid, the distinctions drawn here are reasonable for several reasons. First, the consumer has a right to the usage data. Second, under the rules adopted in this decision, the consumer can elect at any time to discontinue the provision of the data to the third party. Third, it is not reasonable to require utilities to police privacy policies of those entities who receive information pursuant to Commission requirement or customer wishes.

In conjunction with activating the transfer of usage data from a Smart Meter to a customer device or via the "backhaul" to a third party, the Commission will require that the utility provide the customer with information concerning the potential uses and abuses of usage data. These steps will help ensure that the customer understands the risks to privacy that this usage data can pose. Furthermore, in the proceeding to consider tariffs for providing usage data to third parties with consumer authorization in a common format via the backhaul, the Commission will determine whether it is reasonable to establish a registration process to ensure that the practices of the third party receiving usage data from the utility comport with the privacy and security rules adopted.

Consequently, under the policies adopted in this decision, the Commission does not need to determine at this time whether the Commission has the authority to regulate entities that acquire energy usage data directly from the consumer.

In summary, the Commission has authority and requires that PG&E, SCE, and SDG&E within 90 days of the mailing of this decision file advice letters to implement policies that the utility and those with whom it contracts for utility operations must follow to protect the privacy and security of consumer usage information.78 Furthermore, the Commission has authority and requires PG&E, SCE, and SDG&E to follow rules and procedures adopted in this decision to protect the privacy and security of consumer usage information when the utility contracts with a third party to perform a utility operation.79

The Commission also has authority and requires PG&E, SCE, and SDG&E80 to file applications within six months of the adoption of this decision to permit the transmission of consumer usage data to third parties via the backhaul. The tariff provisions shall require that the customer agree to the transfer of the data. At the time that the Commission considers the tariff, the Commission will also consider whether to create a "registration process" to ensure that the third party that receives the data agrees to follow the privacy and security rules that the decision adopts below. The utilities, however, will bear no new liability for the actions of third parties that acquire information via this tariff.81 (This limitation on liability does not apply when a utility has acted recklessly.)

In Rulemaking (R.) 07-01-041 (Phase 4), the Commission may establish certain limited protocols for customer data transfers between IOUs and demand response providers. These protocols may be a subset of the proposals that are requested to be filed via Application, as noted above. If the Commission has otherwise adopted related protocols by the time of the filing of the Applications, the utility Applications shall be consistent with those protocols. If the Commission has not yet adopted data transfer protocols in other proceedings, the utility Applications shall consider the information already developed in those proceedings as part of their filings. When filed, the Applications shall be served to both the R.08-12-009 and R.07-01-041 service lists.

Finally, the Commission also has authority and requires PG&E, SCE, and SDG&E to develop within six months tariffs that initiate a phased rollout for registering a customer's HAN-enabled devices with the Smart Meter. At the time of registering the device, the utility will provide the customer with information concerning the sensitivity of usage data and the need for the customer to protect his or her privacy. The details of the initial and subsequent roll outs of HAN-enabled services are discussed in more detail below.

5. The CDT/EFF Recommendations Serve as a Starting Point for Consideration of Privacy and Security Rules to Protect Usage Data

The central privacy and security issues before the Commission in this proceeding are the determination of what privacy and security rules the Commission should adopt to protect electricity usage data.

The most comprehensive efforts to address this question were the recommended rules offered by CDT and EFF to protect customer privacy interests, which are contained in Appendix A of their joint October 15, 2010 Response to the ACR.

As noted above, CDT (filing alone), after discussion with several parties in the time leading to the October 25 and 26, 2010, workshops, presented revised recommended rules that became a focus of the workshops. CDT filed this revised proposal in its Reply Comments of November 12, 2010 as Appendix A-2 (and this is appended to this decision as Attachment C). In support of its recommendations, CDT stated:

Our revised rule continues to reflect the Commission's decision, and the parties' broad general consensus, to implement the FIP principles. The revisions we have made reflect useful and constructive feedback from workshop discussions, including comments from PG&E, DRA, TURN, and other parties. More generally, our revised rule continues to reflect the goals of the Commission and parties to protect customer usage data, to bring order to the welter of regulations covering various aspects of the Smart Grid environment, and to accommodate and support innovation in technology and business practices. Importantly, the proposed rule fills gaps in the present framework - especially those gaps created by the inadequate and outdated "notice-and-choice" model of privacy protection - by using the full set of FIPs and "operationalizing" them for easy implementation by Smart Grid entities.82

The recommended rules of CDT/EFF played a central role in the development of the record in this proceeding. Most commenters focused on the CDT/EFF recommended rules and argued for acceptance, rejection or revision. The analysis that follows covers the record of this proceeding through discussing the revised rules recommended by CDT and the arguments of parties pertaining to each provision. Each section considers the revised rules recommended by CDT and adopts rules based on the record in this proceeding.

5.1. What Rules Should Determine Who is Covered, What Information is Covered, and Which Uses of Information are Primary?

CDT/EFF's recommended rules for protecting privacy and security of usage information begin with a set of definitions. These definitions are used throughout the recommended rules. The effect of these definitions is to determine to whom the recommended privacy rules apply and to determine the information covered by the recommended privacy rules.

The definitions also envision two categories of usage information and recommend rules pertaining to each category to protect privacy of consumers and the security of the information. The two categories are: 1) Primary Purpose information - associated organically with the provision of utility, demand response, energy management and energy efficiency services; and 2) All other uses of the information.

This decision begins its discussion of these recommended rules with a presentation of the recommended definitions as contained in the CDT Reply Comments and subsequently considers and adopts rules based on the record in this proceeding. The recommended definitions follow:

1. DEFINITIONS

(a) Covered Entity. A "covered entity" is (1) any electric service provider, electrical corporation, gas corporation or community choice aggregator, or (2) any third party that collects, stores, uses, or discloses covered information [relating to __ or more households or residences].

(b) Covered Information. "Covered information" is any electrical or gas usage information when associated with any information that can reasonably be used to identify an individual, family, household, or residence, or non-residential customer, except that covered information does not include electrical or gas usage information from which identifying information has been removed such that an individual, family, household, or residence or non-residential customer cannot reasonably be identified or re-identified.

(c) Primary Purposes. The "primary purposes" for the collection, storage, use or disclosure of covered information are to-

(1) provide or bill for electrical power or natural gas,

(2) fulfill other operational needs of the electrical or natural gas system or grid,

(3) provide services as required by state or federal law or specifically authorized by an order of the Commission, or

(4) implement demand response, energy management, or energy efficiency programs operated by, or on behalf of and under contract with, an electrical or gas corporation, electric service provider, or community choice aggregator.

(d) Secondary Purpose. "Secondary purpose" means any purpose that is not a primary purpose.

In support of these recommended rules, CDT argued that "the Commission's jurisdiction includes, at a minimum, third parties that obtain covered information under contract with or as an agent of a utility"83 and that "the concept of 'obtaining covered information from a utility' encompasses entities that receive data from the meters (which is, after all, a utility-owned device)."84 CDT argued that "it seems that the third parties taking data from the meter are doing so under agreement with the utility and thus should come under the jurisdiction of the Commission just as much as entities that receive data from a point further upstream in the utility's network."85

Concerning the definition of primary purpose, CDT argued that:

... the distinction between primary and secondary purposes (Sections 1(c) and 1(d)) must be clear and must be maintained ... Because primary purposes are excepted from the customer consent requirement, the Commission should take care not to enlarge this category to include any purposes that would leave customers vulnerable to unexpected or unknown collection, use, or disclosure of the highly revealing information that is covered by the rule. As such, uncontested ("primary") purposes must be tied directly to the provision of energy services and utility operations that have been approved by and subject to oversight by the Commission.86

CDT stressed that the distinction between primary and secondary purpose is an aspect of the proposed rules that "must not be revised."87

5.1.1. Position of Parties

PG&E supported the formulation of the definitions that CDT proposed. Of particular concern to PG&E was the clarification, incorporated in the above definitions, that Commission-authorized purposes constitute a "primary purpose."

SCE argued for the inclusion of words that define "customer." SCE would define customer as follows:

Customer. For purposes of this rule, a "customer" is any individual, household, residence or business receiving retail generation, distribution or transmission service from an investor-owned utility.88

SCE then proposed revisions to substitute "customer" wherever the definition contains a litany of those whose usage information is subject to these rules. A goal of SCE's proposal was to leave the rules unchanged.

TechNet and the State Privacy and Security Coalition raised cautionary notes, stating that

The requirement that a specific purpose be indicated for each category of information collected and that the specific identity of third parties to which it is disclosed also be indicated suggests that relatively minor changes in services or products could trigger long notices that customers do not pay attention to, or repeated, annoying notice and consent requests to consumers. Requiring an entity to provide new notice every time it collaborates with another entity, for example, to provide an updated service or to begin to work with a new third party, even if the service to the customer is the same, appears unduly burdensome.89

TURN argued for the inclusion of gas aggregators in the covered entities, noting that "gas meters will be collecting and sending gas consumption data."90 In addition, TURN supported a broad interpretation of covered data, including "power quality data" which "may be relevant to promoting energy management solutions."91

SoCalGas, however, raised the fundamental question of whether non-electric utilities fall within the scope of this proceeding. SoCalGas stated:

Although SoCalGas was in fact ordered [to] participate in this proceeding, SoCalGas wanted to raise a question of whether CDT/EFF's proposed definition matches the scope of this proceeding which to date seems to only be addressing the electric grid system. This is a fundamental question that the Commission must clarify before weighing the merits of CDT/EFF's proposed privacy policies and procedures. SoCalGas does not believe that the Commission has yet provided a clear direction that the policies being considered in this proceeding should be expanded beyond the electric grid system.92

The definition of "primary purpose" in the proposed decision (PD) attracted much comment. In particular, DRA argued in Comments on the PD that the definition of "primary purpose" "should be limited to activities necessary to provide basic service" and that demand response, energy management and energy efficiency be deemed a "secondary purpose."93 DRA argued further that as formulated, "any activity that may be related to DR, EE, or energy management - however tangentially - would not require customer consent for third-party access ..."94

In contrast, CEERT, in Comments on the PD, called for full access by third parties on par with the access provided to utilities.95 In Comments on the PD, PG&E sought clarification that parties under contract to a utility for the performance of a "primary purpose" have no disclosure responsibilities, that "customer notices, communications and interactions need only be provided through the utility..."96 SDG&E, in Comments on the PD, sought clarification that "covered entities" included "(1) any electrical corporation; (2) any third party affiliated with or in business relationship with an electrical corporation; or (3) any other third party, when authorized by the customer, that accesses, stores, uses or discloses covered information relating to 11 or more customers who obtains this information from an electrical corporation."97

5.1.2. Discussion

The definitions that determine the scope of the applicability of the rules recommended by CDT offer a reasonable starting place.

Some modifications, however, must be made before adopting the recommended rules.

First, based on the discussion in the previous section, it is necessary to clarify the definition of "covered entity." Covered entities to which these rules apply include electrical utilities, third parties under direct contract with electrical utilities for conducting a primary purpose, third parties that the Commission either selects, authorizes, or funds for conducting a primary purpose, and third parties who acquire data from the utility with the authorization of the customer.

There is substantial merit to SoCalGas's request that the Commission clarify whether this proceeding will adopt privacy rules affecting gas utilities. Although the record of this proceeding makes it clear that the privacy issues that the Smart Meters raise are relevant for energy service providers, electrical corporations, gas corporations and community choice aggregators, the OIR initiating this proceeding defined a scope that now limits our work to issues affecting electricity provided by electrical corporations to their customers. Specifically, the OIR set the scope of this proceeding as follows:

The general scope of this proceeding is to consider further actions, if needed, to comply with the requirements of EISA [Energy Independence and Security Act] and also to consider policy and performance guidelines to enable the electric utilities to develop and implement a smart grid system in California.98

Since the initial phases of this proceeding were most relevant for PG&E, SCE, and SDG&E, the Commission, in D.09-07-039 excused PacifiCorp, Sierra Pacific Power, Bear Valley Electric Service and Mountain Utilities from participation in this proceeding.99 Because the current scope of this proceeding applies to PG&E, SCE, and SDG&E, at this point it is not appropriate to adopt privacy rules for other companies without again modifying the scope of the proceeding and notifying potentially affected parties. For this reason, the definitions and regulations that we adopt will include a footnote to reflect that for now our rules apply only to PG&E, SCE, and SDG&E.

Since SB 1476, however, applies to gas corporations, this decision modifies the scope of the proceeding and orders a separate new phase to consider how the rules and policies adopted in this decision should apply to gas corporations.

In addition, community choice aggregators and electric service providers, should they use Smart Meters in the provision of service, will have exactly the same information that was the subject of the privacy protections adopted in this decision. Phase 2 of this proceeding will also explore how the rules and policies adopted in this decision should also apply to community choice aggregators and electrical service providers.

In Comments on the PD, the California Association of Small and Multijurisdictional Utilities (CASMU) argued that:

Because CASMU members are not pursuing an [Advanced Metering Infrastructure] AMI or other Smart Grid measures for their California territories, consideration of the applicability of the Privacy and Security Rules in these territories is not necessary or constructive at this time.100

This request is reasonable, and this decision does not include these smaller electrical corporations in Phase II of this proceeding. However, when and if Bear Valley Electric Service (a division of Golden State Water Company, U913E), Mountain Utilities (U906E), PacifiCorp (dba Pacific Power Company, U901E), and California Pacific Electric Company, LLC (CalPeco) (U903E) file an application to deploy Smart Meters, then that application must address how these privacy protections should apply to their operations.

To provide notice to affected parties, the Commission will serve a copy of this decision on the remaining electrical corporations, gas corporations, community choice aggregators and electric service providers. These are listed in Attachment E to this order. Furthermore, the Commission will serve a copy of this decision on the service list in Rulemaking 10-05-005, a recent major gas industry proceeding.

In addition, the Commission exempts from privacy requirements those situations in which an individual or entity, with the consent of the consumer, receives usage information from a very small number of consumers. There is no need, for example, to regulate those situations in which a family member or friend takes care of the affairs of a small number of other people because of infirmity, age, or disability. This decision therefore exempts third parties obtaining information on ten or fewer households from all requirements, except for the requirement of obtaining the consumer's authorization for accessing usage data.

As noted in the jurisdictional discussion above, the Commission does not plan to regulate what the consumer does with usage data at this time.

In addition, to the extent the Commission itself seeks information to implement or review utility programs and practices, the Commission is not considered to be a "Covered Entity" and that information is not considered to be "Covered Information" for the purposes of this decision. The Commission's access to customer information has its basis in statutes other than SB 1476. These statutes provide the Commission and its agents, including but not limited to contractors and consultants, with broad access to information in the possession of utilities.

To the extent other governmental organizations, such as the California Energy Commission or local governments, may seek Covered Information in a manner not provided in these rules, the Commission will determine such access in the context of the program for which information is being sought absent specific Legislative direction.

In Comments and Reply Comments on the PD, as discussed below, parties sought clarification of who is covered by the privacy rules.

As revised, this decision applies privacy rules to several groups. Privacy rules apply to PG&E, SCE, and SDG&E and to those receiving covered data from the utilities in order to perform a utility operation.

This decision also applies privacy rules to several other entities that obtain access to covered data. Firms and government agencies providing energy programs pursuant to Commission authorization who receive covered data from the utilities are subject to these rules unless specifically exempted by the Commission or by law.

The decision also applies privacy rules to third parties who, with the authorization of the consumer, obtain covered data directly from the utility via an internet connection pursuant to tariff. As mentioned earlier, at the time that the utilities file applications with tariffs to provide covered data to third parties over the backhaul, the Commission will consider whether to create a registration process or some other regulatory process to ensure that those receiving the data comport with the privacy rules adopted by the Commission.

The rules for protecting covered data, however, do not apply to consumers, to the devices that a consumer installs, and to those to whom the consumer directly provides covered data.

The reasoning that led to these revisions is contained in Section 9.1, which discusses the comments and replies on the PD pertaining to this subject at length. The changes are, however, included here to ensure that this section reflects the policies adopted.

Other revisions based on the comments have also been incorporated. CDT/EFF, for example, argued persuasively that defining "customer" did not add to clarity, and that is now removed.101

In other comments on the PD, SDG&E requested a modification to the wording of primary purpose (Rule 1(c)(2)), asking that it track the language of SB 1476 and read 1(c)(2) "provide for system, grid, or operational needs."102 No party objected to this change. Since Rule 1(c)(2) seeks to capture the intent of SB 1476, this decision agrees with SDG&E that tracking the statutory language avoids an inadvertent narrowing of the scope of primary purposes. The decision, as revised, tracks this language.

SDG&E's Comments on the PD make a distinction between third party accessing and collecting information.103 This decision now makes clear that "accessing" information should also be a covered activity and we have revised the rules to reflect that point.

As revised, the definitions that the Commission finds reasonable and adopts are as follows:

1. DEFINITIONS

(a) Covered Entity. A "covered entity" is (1) any electrical corporation104 or any third party that provides services to an electrical corporation under contract, (2) any third party who accesses, stores, uses or discloses covered information pursuant to an order or resolution of the Commission, unless exempted by the Commission, or (3) any third party, when authorized by the customer, that accesses, stores, uses, or discloses covered information relating to 11 or more customers who obtains this information from an electrical corporation.105

(b) Covered Information. "Covered information" is any usage information obtained through the use of the capabilities of Advanced Metering Infrastructure when associated with any information that can reasonably be used to identify an individual, family, household, residence, or non-residential customer, except that covered information does not include usage information from which identifying information has been removed such that an individual, family, household or residence, or non-residential customer cannot reasonably be identified or re-identified. Covered information, however, does not include information provided to the Commission pursuant to its oversight responsibilities.

(c) Primary Purposes. The "primary purposes" for the collection, storage, use or disclosure of covered information are to-

(1) provide or bill for electrical power or gas,

(2) provide for system, grid, or operational needs,

(3) provide services as required by state or federal law or specifically authorized by an order of the Commission, or

(4) plan, implement, or evaluate demand response, energy management, or energy efficiency programs under contract with an electrical corporation, under contract with the Commission or as part of a Commission authorized program conducted by a governmental entity under the supervision of the Commission.

(d) Secondary Purpose. "Secondary purpose" means any purpose that is not a primary purpose.

5.2. What Rules Reasonably Promote the FIP Principle of Transparency?

The CDT recommended the following rules as a reasonable way to achieve the FIP principle of transparency:

2. TRANSPARENCY (NOTICE)

(a) Generally. Covered entities shall provide customers with meaningful, clear, accurate, specific, and comprehensive notice regarding the collection, storage, use, and disclosure of covered information.

(b) When Provided. Covered entities shall provide notice in their first paper or electronic correspondence with the customer, if any, and shall provide conspicuous posting of the notice or link to the notice on the home page of their website.

(c) Form. The notice shall be labeled "Privacy Policy: Notice of Collection, Storage, Use and Disclosure of Energy Usage Information" and shall-

    (1) be written in easily understandable language, and

    (2) be no longer than is necessary to convey the requisite information.

(d) Content. The notice shall state clearly-

    (1) the identity of the covered entity,

    (2) the effective date of the notice,

    (3) the covered entity's process for altering the notice, including how the customer will be informed of any alterations, and where prior versions will be made available to customers, and

    (4) the title and contact information, including email address, postal address, and telephone number, of an official at the covered entity who can assist the customer with privacy questions, concerns, or complaints regarding the collection, storage, use, or distribution of covered information.

5.2.1. Position of Parties on Recommended Rule to Promote Transparency

Concerning this recommended rule, PG&E supported adoption by the Commission without change.106

SCE provided comments recommending the replacement of the word "notice" with "notice or posted privacy policy" and provided extensive comments objecting to an earlier form of this proposed rule which implied that transactions and notice should be provided by paper. SCE objected to the extensive use of paper disclosures as costly, and inconsistent with the SCE policy to encourage the use of "on-line billing and notices as a means of cutting costs and environmental waste associated with paper bills."107 As an alternative, SCE argued that providing information at least twice a year on "how customers can view and obtain a copy of the covered entity's privacy policy on the collection, storage, usage and disclosure of energy usage data" offered a better approach.

CDT/EFF, in Comments on the PD, suggested several clarifying modifications. Noting that under California law an "electronic notice" constitutes "written notice," CDT/EFF suggested that the decision eliminate references to "written or electronic notice."108 CDT/EFF also requested that the disclosure notice accurately reflect that the Commission is adopting an information disclosure policy, not a privacy policy.109

Similarly, TechNet pointed out in Comments on the PD that:

Under the California Uniform Electronic Transactions Act an authorization, acknowledgment, or consent should satisfy a requirement that it be "in writing" if made by an "electronic record" that includes either an "electronic signature" as these terms are defined in Civil Code Section 1633.1 or a "digital signature" as that term is defined in Civil Code Section 1633. Paper, which is antithetical to the environmental goals of the Smart Grid, should not be a requirement and TechNet urges the Commission to make it clear that an electronic signature will satisfy the requirements in the Proposed Rules.110

In a similar vein, PG&E noted in its Comments on the PD that the notice requirement could require multiple simultaneous notices and recommended a revision.111

Verizon, in the context of warning the Commission against the adoption of regulations that are "counterproductive, confusing and unduly burdensome,"112 identified elements of this rule as unclear and burdensome. Specifically, Verizon argued that requiring an exact title for the notice "would result in a separate privacy policy for smart grid data for the vast majority of organizations that are not traditional electric utilities" and "would likely cause much confusion."113 In addition, Verizon contended that it is not "clear by what standard the 'easily understandable language' requirement will be judged or enforced" and that "having multiple outdated notices be delivered to a consumer is wasteful, confusing, and in direct conflict with the need to provide easily understandable notice."114

TURN, like SCE, also objected to the focus on "paper" (rather than "electronic") communications that characterized an earlier draft of the CDT proposals.

5.2.2. Discussion: With Modifications, the Recommended Transparency Rule is Reasonable and Consistent with the Law; Paper is Not Necessary

The Transparency Rule recommended by CDT offers a reasonable approach to meeting the FIP goal of transparency, but requires modifications to improve its operation.

As CDT points out, it is important to provide information on privacy policy when confirming a new customer account and/or relationship. On the other hand, this need not be done by paper communication. In particular, the changes recommended by SCE to anticipate the growing use of electronic transactions are reasonable in light of the increasing importance of electronic transactions throughout the economy.

Verizon's argument that there is no need to specify the exact title of the document containing the Smart Grid privacy policy can lead to confusion. As Verizon points out, it makes no sense to create a separate "Smart Grid privacy page" separate from other privacy pages. On the other hand, labeling the section of the privacy page that contains data derived from the Smart Meter as "Notice of Accessing, Collecting, Storing, Using and Disclosing Energy Usage Information" accurately indicates what a company is doing with energy usage information.

Verizon's argument that the standard of "reasonably understandable" will be difficult to enforce is not convincing. Much utility regulation relies on a reasonableness standard and the record in this proceeding does not support the adoption of another standard.

Although there is no need to provide customers with prior versions of the privacy policies, we conclude that they should remain available for customers who desire them, but that they need not be routinely displayed.

In response to the request for clarification that the policy adopted in this decision does not require "paper" notification, the decision now uses the words "written notification," which, pursuant to California law, means either by paper or electronic means.

In addition, in response to the arguments of several parties on the high frequency of required notifications, the decision now requires notification at the time of initiating service and annually.

This decision finds reasonable and adopts the following transparency rule:

2. TRANSPARENCY (NOTICE)

(a) Generally. Covered entities shall provide customers with meaningful, clear, accurate, specific, and comprehensive notice regarding the accessing, collection, storage, use, and disclosure of covered information. Provided, however, that covered entities using covered data solely for a primary purpose on behalf of and under contract with utilities are not required to provide notice separate from that provided by the utility.

(b) When Provided. Covered entities shall provide written or electronic notice when confirming a new customer account and at least once a year shall inform customers how they may obtain a copy of the covered entity's notice regarding the accessing, collection, storage, use, and disclosure of covered information, and shall provide conspicuous posting of the notice and privacy policy or link to the notice and privacy policy on the home page of their website, and shall include a link to their notice and privacy policy in all electronic correspondence to customers.

(c) Form. The notice shall be labeled Notice of Accessing, Collecting, Storing, Using and Disclosing Energy Usage Information, and shall-

    (1) be written in easily understandable language, and

    (2) be no longer than is necessary to convey the requisite information.

(d) Content. The notice and the posted privacy policy shall state clearly-

    (1) the identity of the covered entity,

    (2) the effective date of the notice or posted privacy policy,

    (3) the covered entity's process for altering the notice or posted privacy policy, including how the customer will be informed of any alterations, and where prior versions will be made available to customers, and

    (4) the title and contact information, including email address, postal address, and telephone number, of an official at the covered entity who can assist the customer with privacy questions, concerns, or complaints regarding the collection, storage, use, or distribution of covered information.

5.3. What Rule Best Operationalizes the FIP Principle of Specifying the Purpose for Collecting or Disclosing Information?

The CDT recommended the following rule to achieve the FIP principle of ensuring that the data is collected to serve a clear and specific purpose:

3. PURPOSE SPECIFICATION

The notice required under section 2 shall provide-

(a) an explicit description of-

(1) each category of covered information collected, used, stored or disclosed by the covered entity, and, for each category of covered information, the reasonably specific purposes for which it will be collected, stored, used, or disclosed, and

(2) each category of covered information that is disclosed to third parties, and, for each such category, (i) the purposes for which it is disclosed, and (ii) the identities of the third parties to which it is disclosed;

(b) the periods of time that covered information is retained by the covered entity;

(c) a description of-

(1) the means by which customers may view, inquire about, or dispute their covered information, and

(2) the means, if any, by which customers may limit the collection, use, storage or disclosure of covered information and the consequences to customers if they exercise such limits.

CDT argued that "[t]he purpose specification is the linchpin of the proposed rules ... If purposes are not specifically described, the other elements of the rule become meaningless."115

5.3.1. Positions of Parties on Purpose Specification

PG&E, although generally supportive of the CDT proposal, argued that the requirement to disclose the identity of all companies receiving information, as 3(a)(2) requires, is not reasonable. PG&E explained that "PG&E contracts with hundreds of third parties for the purposes of operating its utility system and providing utility services to customers, and thus providing the identity of each and every contractor with whom it shares covered information for utility operational purposes is commercially unreasonable."116 PG&E, although opposing an automatic disclosure of each contractor's identity, noted that the "Commission retains the discretion to request the identity of each contractor from utilities as part of normal regulatory oversight."117

SCE, similarly to PG&E, claimed that it also uses a large number of contractors and that a requirement to disclose all third parties would be "overly burdensome and costly."118 SCE argued that disclosing the categories of companies receiving the information, rather than the identities, would provide adequate information to the consumers while being less burdensome.

TechNet and the State Privacy and Security Coalition raised cautionary notes pertaining to CDT's recommended regulation, stating that:

The requirement that a specific purpose be indicated for each category of information collected and that the specific identity of third parties to which it is disclosed also be indicated suggests that relatively minor changes in services or products could trigger long notices that customers do not pay attention to, or repeated, annoying notice and consent requests to consumers. Requiring an entity to provide new notice every time it collaborates with another entity, for example, to provide an updated service or to begin to work with a new third party, even if the service to the customer is the same, appears unduly burdensome.119

Verizon also claimed that such a policy would be "incredibly burdensome to implement and result in repeated changes to a privacy policy."120

In comments on the PD, CDT/EFF agreed that these requests were reasonable, but recommended that the Commission require disclosure of the identities of third parties receiving data for secondary purposes.121

Verizon, in Comments on the PD, noted that data may be kept for various periods, depending on its uses, and objected that the disclosure of retention times could "confuse and overwhelm" customers.122

5.3.2. Discussion: Recommended Rule with Revisions can Meet FIP Goal with Reduced Regulatory Burdens and Less Potential Consumer Confusion

The recommended rule whereby the notice to customers states the purpose for which the data is collected is a reasonable approach to operationalizing the FIP principle of specifying the purpose for collecting or disclosing information, but some changes are needed in light of the immense scope and complexity of utility operations.

PG&E, TechNet and the State Privacy and Security Coalition, and Verizon argued persuasively that the recommended disclosure of the identities of all companies receiving information is not a reasonable requirement because of the large and changing number of companies that assist a utility in its operations. Not only would such a requirement prove burdensome, but the multiple notices that current operations would require may confuse consumers and lead to a barrage of communications.

It is, however, reasonable for the Commission to hold a utility responsible for assuring that all companies assisting the utility in its utility operations comply with privacy rules adopted by the Commission. Since the Commission can always obtain access to the names of the companies receiving data and the utility is responsible for the conduct of the firms with which it contracts, the Commission does not need to require automatic disclosure of the names of all the companies receiving information.

SCE argued persuasively that providing information on the categories of companies receiving information provides sufficient information to customers about the potential uses of their information. Such an approach is consistent with the spirit of the FIP principles because it will inform customers without deluging the customers with information.

Once again, utilities remain responsible for ensuring that companies supporting utilities in utility operations follow the same rules as the utility itself and do not use the information for any purpose other than that for which the utility had contracted their services. This requirement, along with the Commission's ability to obtain the names of all companies receiving covered data, makes the disclosure of individual company names unnecessary for protecting customer interests. Moreover, by only requiring the disclosure of the categories of companies to whom data is disclosed, the utilities and consumers will avoid the burdensome and frequent notices that disclosure of minor changes in services, products, or vendors would require.

On the other hand, it is reasonable to require the disclosure of the identities of third parties who receive data for secondary purposes.

Concerning retention of data, since our purpose is not to "confuse nor overwhelm" customers, the policy now asks for disclosure of the "approximate" period of time that the data will be retained.

For the reasons outlined above, it is reasonable to adopt a rule pertaining to the disclosure of the specific purposes for which the information is collected as follows:

3. PURPOSE SPECIFICATION

The notice required under section 2 shall provide-

(a) an explicit description of-

(1) each category of covered information collected, used, stored or disclosed by the covered entity, and, for each category of covered information, the reasonably specific purposes for which it will be collected, stored, used, or disclosed, and

(2) each category of covered information that is disclosed to third parties, and, for each such category, (i) the purposes for which it is disclosed, and (ii) the number and categories of third parties to which it is disclosed; and

(3) the identities of those third parties to whom data is disclosed for secondary purposes, and the secondary purposes for which the information is disclosed;

(b) the approximate periods of time that covered information will be retained by the covered entity;

(c) a description of-

(1) the means by which customers may view, inquire about, or dispute their covered information, and

(2) the means, if any, by which customers may limit the collection, use, storage or disclosure of covered information and the consequences to customers if they exercise such limits.

5.4. What Rules Reasonably Promote the FIP Principle of Individual Access and Control of Smart Meter Data?

The CDT recommended that the Commission adopt the following rules to achieve the FIP principle of individual participation in the privacy and control of data:

4. INDIVIDUAL PARTICIPATION (ACCESS AND CONTROL)

(a) Access. Covered entities shall provide to customers upon request convenient and secure access to their covered information-

(1) in an easily readable format that is at a level no less detailed than that at which the covered entity discloses the data to third parties.

(2) The Commission shall, by subsequent rule, prescribe what is a reasonable time for responding to customer requests for access.

(b) Control. Covered entities shall provide customers with convenient mechanisms for-

(1) granting and revoking authorization for secondary uses of covered information,

(2) disputing the accuracy or completeness of covered information that the covered entity is storing or distributing for any primary or secondary purpose, and

(3) requesting corrections or amendments to covered information that the covered entity is collecting, storing, using, or distributing for any primary or secondary purpose.

(c) Disclosure Pursuant to Legal Process.

(1) Except as otherwise provided in this rule or expressly authorized by state or federal law or by order of the Commission, a covered entity shall not disclose covered information except pursuant to a warrant or other court order naming with specificity the customers whose information is sought. Unless otherwise directed by a court, law, or order of the Commission, covered entities shall treat requests for real-time access to covered information as wiretaps, requiring approval under the federal or state wiretap law as necessary.

(2) Unless otherwise prohibited by court order, law, or order of the Commission, a covered entity, upon receipt of a demand for disclosure of covered information pursuant to legal process, shall, prior to complying, notify the customer in writing and allow the customer 7 days to appear and contest the claim of the person or entity seeking disclosure.

(3) Nothing in this rule prevents a person or entity seeking covered information from demanding such information from the customer under any applicable legal procedure or authority.

(4) Nothing in this section prohibits a covered entity from disclosing covered information with the consent of the customer, where the consent is express, written and specific to the purpose and to the person or entity seeking the information.

(5) Nothing in this rule prevents a covered entity from disclosing, in response to a subpoena, the name, address and other contact information regarding a customer.

(6) On an annual basis, covered entities shall report to the Commission the number of times that customer data has been sought pursuant to legal process without customer consent, and for each such instance, whether it was a civil or criminal case, whether the covered entity complied with the request as initially presented or as modified in form or scope, and how many customers' records were disclosed. The Commission may require the covered entity to make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.

5.4.1. Position of Parties

On this particular rule recommended by CDT, PG&E noted that it had proffered several revisions to ensure that the access and control conforms to common legal practices of the Commission and courts regarding access to information. CDT incorporated PG&E's proposed changes into text before filing its Reply with the Commission, and PG&E had no further comments on this rule.

SCE objected to 4(c)(2) above, which requires customer notification in writing and allowing the customer seven days to appear and contest the disclosure. SCE argued that this practice "exceeds current requirements for the IOUs under law and Commission order, and would place the IOUs in a position of possibly interfering with law enforcement activities."123 SCE provided a compelling example that suggests that the rule recommended by CDT is too broad:

For example, Section 588 of the Public Utilities Code allows the district attorney to access customer confidential information (except usage information) from public utilities in child abduction cases. Nothing in Section 588 prohibits an IOU from notifying the customer whose information is sought in advance of the mandatory disclosure; yet doing so may interfere with the district attorney's efforts to locate and recover an abducted child.124

SCE argued that it is clear that in a situation such as this, when time and confidentiality are both critical, to delay the release of information and to provide customer notice of a potential disclosure of information would be inconsistent with the intent of the law granting the district attorney this authority in these cases. SCE recommended that the Commission, when adopting a rule on this issue, delete requirement 4(c)(2).

SCE also argued that the recommended annual reporting requirement, contained in 4(c)(6), is "overly burdensome, costly to comply with, and unnecessary because the Commission can request this information at any time from the IOUs and other entities over whom the Commission has jurisdiction for consumer protection purposes..."125 SCE then recommended a reformulation of the recommended rules to read:

4(c)(6) Upon request of the Commission, covered entities shall report to the Commission on disclosures of covered information made pursuant to legal process. The Commission may make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.126

In comments on the PD, CDT/EFF pointed out that "CDT, EFF, other advocates and the press routinely review and comment upon reports published by the Administrative Office of the U.S. Courts on wiretapping and the numerical reports issued by the government on national security surveillance."127 Thus, CDT/EFF argued that public reports serve a useful purpose.

5.4.2. Discussion: Recommended Rules Provide a Reasonable Approach to Providing Customers with Access and Control of Usage Data, but Modifications Are Warranted

The rules recommended by CDT provide a reasonable approach to providing a customer with access to covered data and control of that covered data.

Some modifications, however, are warranted in the rules recommended pertaining to disclosures made pursuant to a legal process to ensure that the adopted rule contains the flexibility needed to address the range of situations that can occur.

In particular, SCE's criticism of requirement 4(c)(2), which would require the advance notice of a request by an authority for any access to data, is well taken. As SCE's example makes clear, the proposed rule lacks the flexibility to address extreme cases, such as the child abduction scenario hypothesized. Such advance notice, however, is clearly warranted in the case of a subpoena, and 4(c)(2) is therefore modified to require advance notice only in the case when a subpoena demanding information concerning a customer is served on the utility.

SCE's recommendation to change the reporting requirement from a mandated annual report on disclosures pursuant to legal process or imminent threats to one that would be prepared only upon the request of the Commission is rejected. CDT/EFF notes that at the national level similar reports are commonly used by privacy advocates and the press. Such efforts to bring privacy issues before the public will benefit California as well.

Section 2891(d)(5), which sets out rules to protect the privacy of telephone customers, specifically does not apply to "[i]nformation provided to an emergency service agency responding to a 911 telephone call or any other call communicating an imminent threat to life or property."128 Since smart meters may be able to communicate information that may indicate an imminent threat to life or property, such as the fact of a gas leak or an electric short, prudence dictates that the Commission should adopt a similar stance towards this information.

This decision finds reasonable and adopts this rule as follows:

4. INDIVIDUAL PARTICIPATION (ACCESS AND CONTROL)

(a) Access. Covered entities shall provide to customers upon request convenient and secure access to their covered information-

(1) in an easily readable format that is at a level no less detailed than that at which the covered entity discloses the data to third parties.

(2) The Commission shall, by subsequent rule, prescribe what is a reasonable time for responding to customer requests for access.

(b) Control. Covered entities shall provide customers with convenient mechanisms for-

(1) granting and revoking authorization for secondary uses of covered information,

(2) disputing the accuracy or completeness of covered information that the covered entity is storing or distributing for any primary or secondary purpose, and

(3) requesting corrections or amendments to covered information that the covered entity is collecting, storing, using, or distributing for any primary or secondary purpose.

(c) Disclosure Pursuant to Legal Process.

(1) Except as otherwise provided in this rule or expressly authorized by state or federal law or by order of the Commission, a covered entity shall not disclose covered information except pursuant to a warrant or other court order naming with specificity the customers whose information is sought. Unless otherwise directed by a court, law, or order of the Commission, covered entities shall treat requests for real-time access to covered information as wiretaps, requiring approval under the federal or state wiretap law as necessary.

(2) Unless otherwise prohibited by court order, law, or order of the Commission, a covered entity, upon receipt of a subpoena for disclosure of covered information pursuant to legal process, shall, prior to complying, notify the customer in writing and allow the customer seven (7) days to appear and contest the claim of the person or entity seeking disclosure.

(3) Nothing in this rule prevents a person or entity seeking covered information from demanding such information from the customer under any applicable legal procedure or authority.

(4) Nothing in this section prohibits a covered entity from disclosing covered information with the consent of the customer, where the consent is express, in written form, and specific to the purpose and to the person or entity seeking the information.

(5) Nothing in this rule prevents a covered entity from disclosing, in response to a subpoena, the name, address and other contact information regarding a customer.

(6) On an annual basis, covered entities shall report to the Commission the number of demands received for disclosure of customer data pursuant to legal process or pursuant to situations of imminent threat to life or property and the number of customers whose records were disclosed. Upon request of the Commission, covered entities shall report additional information to the Commission on such disclosures. The Commission may make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.

(d) Disclosure of Information in Situations of Imminent Threat to Life or Property. These rules concerning access, control and disclosure do not apply to information provided to emergency responders in situations involving an imminent threat to life or property. Emergency disclosures, however, remain subject to reporting rule 4(c)(6).

5.5. What Rules Reasonably Promote the FIP Principle of Data Minimization?

Data minimization is one of the key FIP principles, and the CDT has recommended the following rules pertaining to data minimization to the Commission for adoption:

5. DATA MINIMIZATION

(a) Generally. Covered entities shall collect, store, use, and disclose only as much covered information as is reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(b) Data Retention. Covered entities shall maintain covered information only for as long as reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(c) Data Disclosure. Covered entities shall not disclose to any third party more covered information than is reasonably necessary or as authorized by the Commission to carry out on behalf of the covered entity a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

In support of these recommended rules, CDT argued that:

... data minimization is a powerful tool for protecting against security and privacy threats. It is a basic security "best practice" that customers will and should be able to expect of any entity using revealing covered information. Moreover, in light of many recent high-profile breaches of sensitive consumer data, customer confidence that Smart Grid technologies and business practices employ sufficient privacy and security practices will be key to the growth and development of the Smart Grid marketplace.129

5.5.1. Positions of Parties on Data Minimization

The principle of data minimization generated much comment. PG&E argued that:

PG&E agrees with the general goal of minimizing the scope and retention of covered information, but this goal should be balanced against the need by the Commission and utilities to maintain records and data for operational and policy purposes, such as resolution of customer billing disputes; energy policy planning and analysis; and cost of service review authorized by the Commission.130

UCAN supported a data minimization strategy with a few caveats. UCAN argued:

... the potential for privacy to be compromised is minimized if the amount of personal and household information that is captured and retained by the utility and third-parties is limited. Data retention is an important subset of this issue. Personal information that is collected via Smart Grid systems should be retained only as long as needed for the purposes identified by the consumer.131

SDG&E, on the other hand, detailed its opposition to the principle of data minimization. SDG&E argued:

... the [proposed regulatory] scheme requires further analysis in order to achieve greater consistency in provisions and reasonably [sic] accommodation before the CPUC considers establishing electric utility operational FIPs. For example, SDG&E finds that the recommendation for implementation of the "Data Minimization Principle" requires further party and stakeholder discussion in order to fit the business needs of the electric utilities existing and potentially [sic] future operations. In addition, terminology used in the CDT & EFF proposal such as "shall" and "reasonable" is extremely vague, expression application is too broad, and the language may be subject to a variety of interpretations.132

AT&T also opposed CDT's data retention requirements. AT&T contended:

The data retention requirements are both too limiting and too vague. It proposes energy usage information be kept "only for as long as necessary..." It is unclear under this standard whether a company that maintains Smart Grid data for 2 years could be liable for maintaining the data too long if its competitor maintains the same data for only 1 year. Moreover, it would seem to preclude Smart Grid applications that rely on several years of historical data.133

TechNet and the State Privacy and Security Coalition (filing jointly) similarly argued that "the Commission should not impose a binding data minimization requirement."134 Specifically, TechNet and the State Privacy and Security Coalition objected to an earlier formulation by CDT of this requirement that lacked the word "reasonably" and appeared to impose both a requirement and a liability on any company that collected data that was not absolutely "necessary." TechNet and the State Privacy and Security Coalition also argued that "data minimization provisions were rejected by the Legislature on multiple occasions" and then proceeded to cite from the legislative history of SB 837.135

In Comments on the PD, CDT/EFF recommended the "Privacy by Design" approach to data minimization.136 Similarly, Ontario Information and Privacy Commissioner (Ontario) argued that the "Privacy by Design" methodology ensures that "protection of privacy is proactive, not reactive; preventative, not remedial."137

5.5.2. Discussion: Data Minimization Requirement is Reasonable

In reply comments (and incorporated in the rule as presented above), CDT incorporated major changes that resolved many of the defects in this recommended rule cited by commenters. As revised by CDT in its reply comments, the recommended rule is reasonable and we adopt this rule.

Adopting this rule is reasonable because data minimization promotes privacy and security by limiting the amount of personal data collected and the amount that must be secured and protected. As such, it offers a practical strategy for protecting sensitive information. Thus, a principle of data minimization should guide the development of utility and regulatory policies towards data.

Adopting a principle of data minimization will, however, constitute a new approach to regulatory oversight for both utilities and this Commission. The data historically collected by the Commission and by utilities most commonly concerned the information needed to ensure that rates were reasonable and service reliable. The information collected commonly included such items as company costs, aggregate demand, and company revenues. Little data collected or available would disclose the daily activities of individual utility customers.

There is, however, a natural tension between a data minimization rule and current practices regarding utility information. The endorsement of a principle of "data minimization" will serve as a guide for the revision of other regulations in specific regulatory proceedings. Adopting a principle of "data minimization" does not change any regulations that currently require the retention of data for periods of time nor does it change any specific reporting requirements. Moreover, it does not preclude any Commission requests for information. Still, the Commission adopts this principle to signal our interest in incorporating this strategy into our program to protect consumer privacy and to keep data secure.

These rules conform to the realities of Commission regulation. The rules permit the retention of as much information as "is reasonably necessary" and for as long as is "reasonably necessary." In addition, the rules formally recognize the role of the Commission in creating data collection and retention requirements through inclusion of the words "as authorized by the Commission" in the formulation of this requirement.

These recommended rules create no new liability that would fall upon utilities and other entities in conjunction with data retention. Instead, these rules make clear that as a utility proposes to collect personal information, it should propose for consideration by this Commission both limitations on the amount of personal information collected and the time period for data retention.

No further study of this requirement is warranted. As the discussion above has made clear, the privacy protection provisions are closely tied to SB 1476 (not SB 837, which TechNet and the State Privacy Coalition cite but fail to note never became law).138 Although SB 1476 does not include a requirement for data minimization or a limitation on data retention, the practical role that a principle of data minimization plays as a "best practice" in a data privacy and security strategy makes it consistent with both the goals of SB 1476 and the Pub. Util. Code.

Finally, the "Privacy by Design" methodology offers a promising approach to ensuring that data practices promote privacy, not just in the FIP of data minimization, but in all aspects of privacy planning.

5.6. What Use and Disclosure Limitations Reasonably Protect Consumers Yet Permit the Authorized Use and Disclosure of Electricity Consumption Information?

The heart of any privacy program is the limitations placed on the use and disclosure of the information that the program seeks to protect. CDT recommended the following rules to protect energy covered data in its Reply Comments, and these rules serve as a good starting point for our discussion.

6. USE AND DISCLOSURE LIMITATION

(a) Generally. Covered information shall be used solely for the purposes specified by the covered entity in accordance with section 3.

(b) Primary Purposes. An electric service provider, electrical corporation, gas corporation or community choice aggregator may collect, store and use covered information for primary purposes without customer consent. Other covered entities may collect, store and use covered information only with prior customer consent, except as otherwise provided here.

(c) Disclosures to Third Parties.

(1) Initial Disclosure by a Covered Entity. A covered entity may disclose covered information to a third party without customer consent for a primary purpose being carried out under contract with and on behalf of the entity disclosing the data, provided that the covered entity disclosing the data shall, by contract, require the third party to agree to collect, store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity itself operates as required under this rule and, if the information is being disclosed for demand response, energy management or energy efficiency purposes, the disclosing entity permits customers to opt out of such disclosure.

(2) Subsequent Disclosures. Any entity that receives covered information derived initially from a gas or electrical corporation, electric service provider or community choice aggregator may disclose such covered information to another entity without customer consent for a primary purpose, provided that the entity disclosing the covered information shall, by contract, require the entity receiving the covered information to use the covered information only for such primary purpose and to agree to store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the gas or electrical corporation, electric service provider or community choice aggregator from which the covered information was initially derived itself operates as required by this rule.

(3) Terminating Disclosures to Entities Failing to Comply With Their Privacy Assurances. When an entity discloses covered information to any other entity under this subsection 6(c), it shall specify by contract that it shall be considered a material breach if the receiving entity engages in a pattern or practice of storing, using or disclosing the covered information in violation of the receiving entity's commitment to handle the covered information under policies no less protective than those under which the gas or electrical corporation, electric service provider or community choice aggregator from which the covered information was initially derived itself operates in compliance with this rule. If an entity disclosing covered information finds that an entity to which it disclosed covered information is engaged in a pattern or practice of storing, using or disclosing covered information in violation of the receiving entity's privacy and data security commitments related to handling covered information, the disclosing entity shall cease disclosing covered information to such receiving entity.

(d) Secondary Purposes. No covered entity shall use or disclose covered information for any secondary purpose without obtaining the customer's prior, express, written authorization for each such purpose, provided that authorization is not required when information is-

(1) provided to a law enforcement agency in response to lawful process;

(2) authorized by the Commission pursuant to its jurisdiction and control.

(e) Customer Authorization.

(1) Authorization. Separate authorization by each customer must be obtained for each secondary purpose.

(2) Revocation. Customers have the right to revoke, at any time, any previously granted authorization.

(3) Expiration. Customer consent shall be deemed to expire after two years, after which time customers will need to reauthorize any secondary purposes.

(f) Parity. Covered entities shall permit customers to cancel authorization for any secondary purpose of their covered information by the same mechanism initially used to grant authorization.

In support of these recommended rules, CDT argued that where "the provision of the [utility] service and the collection, storage and use of the information are so inextricably intertwined ... consent could not realistically be withheld" and therefore "a provider ... [of electric service] should not have to obtain customer consent to collect, store or use energy information in the course of providing the energy service."139 CDT also contended that "[w]here data ... is disclosed to third parties for use in providing energy-related services on behalf of and under contract with the utility ..., prior customer consent is not needed ... for the disclosure."140

CDT, however, argued that disclosure to other parties is far different, and "[w]hen covered information is collected by or flows to entities that are not utilities and is being used for purposes ... other than providing services under contract with a utility, prior consent must be obtained"141 because such a requirement is consistent with "customer expectations."142

Finally, CDT argued that its "chain of responsibility" proposal, contained in 6(c)(3), is key to Commission enforcement of its privacy regulations. CDT described its "chain of responsibility" as "a concept widely accepted in the commercial sphere: a contractual chain of downstream responsibility, in which the party at the top of the stream has the right to insist that its next immediate downstream partner abides by privacy rules ... and so on."143

5.6.1. Positions of Parties

PG&E objected to the "chain of downstream responsibility" concept. PG&E argued that:

... as a matter of public policy and practical implementation, PG&E does not recommend that utilities or their third party contractors or agents be required to enforce these privacy principles through the indirect means of commercial lawsuits or civil action for breach of contract. PG&E also does not recommend that such parties be required to directly register or be certified by the Commission because the benefit of such third party certification is likely to be offset by the deterrence of third parties from developing and providing new products and services to customers using covered information in a manner consistent with privacy rules already applicable to all entities under general law.144

SCE was similarly skeptical about the "chain of downstream responsibility" rules pertaining to disclosures. In addition, SCE recommended the use of the words "covered entity" and "third party" in part to address the question of whether energy service providers or gas utilities have received proper notice that these privacy rules could apply to these companies with minor changes.

In comments on the PD, DRA argued that it is unreasonable for IOUs to be liable for third parties absent a contractual obligation.145 In comments on the PD, SDG&E asked for clarification that the "chain of responsibility" applies only to companies with which it has a contractual relationship.146

TechNet and the State Privacy and Security Coalition objected to the automatic expiration of a customer's consent to the provision of data for a secondary purpose. TechNet and the State Privacy and Security Coalition argued:

Customers who have signed up for a service and continue to expect to receive it face potential interruption of service if they do not provide consent. Companies will face significant costs to keep track of, notify and obtain consent from a constantly evolving customer database. Even for a large company, this is burdensome and costly. For a small company, this is an onerous expense, potentially diverting resources away from research and development.147

Verizon similarly argued against the expiration rule, contending:

Consumer expect that the choices they make regarding their data use preferences remain in effect until and unless they change them, and they should have the option to make changes at any time they choose. However, requiring an arbitrary expiration of consumer consent after a two-year period is neither beneficial or convenient to consumers and should not be adopted.148

AT&T also made a similar argument against the automatic expiration rule, and argued further that the customer authorization requirements are "too prescriptive"149 and "unnecessary and burdensome to the customer."150 Instead, AT&T argued that "[a] less burdensome way to accomplish the same goal would be for providers to remind customers every two years that they may change or revoke their privacy selections at any time."151

EnerNOC also argued that "the two-year sunset on authorization to share data recommended by TURN and DRA is inappropriate for CI&I customers."152 EnerNOC stated that "CI&I customers typically sign contracts that require the provision of energy usage data to implement ... For these customers, authorization to share their data should coincide with the term of their contract."153

SCE, in comments on the PD, pointed out that there is "no justification for preventing customers from revoking their consent at any time, in their sole discretion."154

Concerning the issue of disclosure for a secondary purpose, TURN recommended "that the language should be simplified to state that disclosure to any third party who is not under contract with the utility is prohibited absent explicit customer authorization."155

DRA proposed narrower limits on the disclosure of energy covered data, and argued that "[s]ince the Smart Grid is intended to save energy, increase electricity reliability and reduce greenhouse gases, allowed uses should be limited to these same purposes."156 DRA also argued for a limited interpretation of "primary purpose," and argued that primary purpose "should be limited to activities necessary to provide basic electric service."157

5.6.2. Discussion: Enforcement Critical to Privacy Rules

The "chain of responsibility" approach to protecting privacy and enforcing policy rules is a reasonable approach to ensuring that the privacy rules are followed. This decision therefore declines requests by PG&E and SCE to reject this approach. As many parties have pointed out, ensuring compliance with privacy policies is a key element of an effective privacy policy. Electric utilities are already responsible for the protection of customer privacy whenever they use a third party to perform utility operations. The "chain of responsibility" currently works in these contractual relationships. It currently provides a reasonable approach to the protection of customer privacy and it can continue to do so.

The decision, however, now distinguishes between third parties who receive data via a free interaction with the utility for a contractual purpose and those who receive data via the direction and under the supervision of the Commission or via the authorization of the customer, whether the provision of data is made via contract or via tariff conditions. Responsibility follows free contractual relationships, but responsibilities are different when data is disclosed to a third party pursuant to Commission direction or a tariff.

Even if disclosed to a third party by a utility - not via direction of the Commission or the customer - the information is still subject to all the rules and protections that apply to the utility. Disclosure should take place only pursuant to a contract that ensures compliance with privacy and security measures, as SB 1476 requires.

In addition, to the extent customer covered information becomes available to consumers and third parties pursuant to utility tariffs, rather than contracts, the tariffs can require that customers demonstrate that they have authorized the transfer of information. Furthermore, the tariffs can and should permit a customer to withdraw the authorization at any time. At the time when utilities file applications with tariffs to make information available to third parties, the Commission can consider what procedures make sense to ensure that the covered information remains protected. (This matter is discussed in greater detail in the sections on subsequent filings below.)

The request of SCE to use the words "covered entity" and "third party" is reasonable. At this time, the rules that this decision adopts apply only to the three electric utilities - PG&E, SCE, and SDG&E - and to certain third parties who gain access to this covered data. The broader language, nevertheless, recognizes that the Commission has not provided electric service providers, community choice aggregators, or gas corporations with notice that the rules and policies adopted in this decision could eventually apply to them. The broader language, which is restricted by a footnote at this time, permits ready extension to these entities should the Commission, after a proceeding undertaken for this purpose, elect to do so.

There is merit in the arguments of TechNet and the State Privacy and Security Coalition, Verizon and AT&T that an automatic expiration of disclosure authority after two years is not in the customer interest and would be burdensome to the customer. This decision concludes that an automatic expiration of an authorization is not reasonable. Instead, this decision adopts a requirement that a covered entity to which covered information for a non-primary purpose is disclosed must provide an annual reminder of the prior authorization along with an opportunity to opt out. This requirement offers a reasonable approach to ensure that customers continue to have control over the disclosure of their covered information without producing unneeded disruptions to service.

EnerNOC's comments raise important issues concerning contractual arrangements involving commercial, industrial, and institutional (CII) customers. The disclosure rules that this decision adopts do not prohibit non-residential customers from agreeing to disclose covered information pursuant to the terms of any commercial contract. Nevertheless, since the disclosure of information arises from the relationship between the customer and the utility, which cannot be expected to know of contract terms between a customer and a third party, the rules adopted in this decision permit all parties to revoke authorization at any time. Violations of contract provisions, if any, can be resolved under the provisions of the contract or through civil courts.

Concerning TURN's request for clarifying language, the language that this decision adopts provides the clarification that TURN desires - no disclosure for a secondary purpose would be permitted without consumer authorization.

Concerning DRA's request that the Commission prohibit disclosure for secondary purposes beyond those related to energy policies, this decision declines to adopt this policy for several reasons. First, the consumer should have control of his or her data, and restricting the consumer's ability to disclose this data is inconsistent with our view of consumer sovereignty. Second, limiting disclosure to only those purposes related to energy policies would be burdensome to both the consumer and the Commission. In particular, a number of purposes - such as the marketing of efficient appliances or software applications - would require a Commission determination of whether they are "eligible" for disclosure because they serve a mixture of profit-oriented marketing and energy efficiency goals. If the regulatory process must sort its way through each use of consumption data to determine whether it is an "eligible" purpose, the regulatory reviews will have a chilling effect on innovation and will impose a burden on the regulatory process by consuming resources better used to protect consumers who are harmed.

Furthermore, in reviewing the recommended exceptions to the requirement of "prior authorization" for disclosures for secondary purposes contained in 6(d), this decision adopts the language "pursuant to legal process" contained in 4(d) above. This formulation clearly embraces "law enforcement pursuant to legal process." In addition, it is also reasonable and prudent to create an exception to this requirement in situations where there is an imminent threat to life or property, as was done in 4(d) above.

Finally, SB 1476 allows an electric or gas utility to use aggregated consumption data, provided that "all information has been removed regarding the individual identity of a customer."158 Furthermore, Pub. Util. Code § 394.4(a) allows electric service providers to release customer data on an aggregated level as long as the release of the information does not reveal customer specific information. As a result, this decision affirms that the availability and use of aggregated data, with all personally identifiable information removed, is consistent with the terms of Pub. Util. Code §§ 8380 and 394.4(a) and does not require the authorization of the customer.

Based on these considerations, this decision finds reasonable and adopts the following rule:

6. USE AND DISCLOSURE LIMITATION

(a) Generally. Covered information shall be used solely for the purposes specified by the covered entity in accordance with section 3.

(b) Primary Purposes. An electrical corporation, a third party acting under contract with the Commission to provide energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission, or a governmental entity providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission may access, collect, store and use covered information for primary purposes without customer consent. Other covered entities may collect, store and use covered information only with prior customer consent, except as otherwise provided here.

(c) Disclosures to Third Parties.

(1) Initial Disclosure by an Electrical Corporation. An electrical corporation may disclose covered information without customer consent to a third party acting under contract with the Commission for the purpose of providing energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission or to a governmental entity for the purpose of providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission. An electrical corporation may disclose covered information to a third party without customer consent

    a. when explicitly ordered to do so by the Commission; or

    b. for a primary purpose being carried out under contract with and on behalf of the electrical corporation disclosing the data;

    provided that the electrical corporation disclosing the data shall, by contract, require the third party to agree to access, collect, store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity itself operates as required under this rule, unless otherwise directed by the Commission.

(2) Subsequent Disclosures. Any entity that receives covered information derived initially from a covered entity may disclose such covered information to another entity without customer consent for a primary purpose, provided that the entity disclosing the covered information shall, by contract, require the entity receiving the covered information to use the covered information only for such primary purpose and to agree to store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity from which the covered information was initially derived operates as required by this rule, unless otherwise directed by the Commission.

(3) Terminating Disclosures to Entities Failing to Comply With Their Privacy Assurances. When a covered entity discloses covered information to a third party under this subsection 6(c), it shall specify by contract, unless otherwise directed by the Commission, that it shall be considered a material breach if the third party engages in a pattern or practice of accessing, storing, using or disclosing the covered information in violation of the third party's contractual obligations to handle the covered information under policies no less protective than those under which the covered entity from which the covered information was initially derived operates in compliance with this rule.

    · If a covered entity disclosing covered information for a primary purpose being carried out under contract with and on behalf of the entity disclosing the data finds that a third party contractor to which it disclosed covered information is engaged in a pattern or practice of accessing, storing, using or disclosing covered information in violation of the third party's contractual obligations related to handling covered information, the disclosing entity shall promptly cease disclosing covered information to such third party.

    · If a covered entity disclosing covered information to a Commission-authorized or customer-authorized third party receives a customer complaint about the third party's misuse of data or other violation of the privacy rules, the disclosing entity shall, upon customer request or at the Commission's direction, promptly cease disclosing that customer's information to such third party. The disclosing entity shall notify the Commission of any such complaints or suspected violations.

(4) Liability. Nothing in this section shall be construed to impose any liability on an electrical corporation relating to disclosures of information by a third party when: i) the Commission orders the provision of covered data to a third party; or ii) a customer authorizes or discloses covered data to a third party entity that is unaffiliated with and has no other business relationship with the electrical corporation. After a secure transfer, the electrical corporation shall not be responsible for the security of the covered data or its use or misuse by such third party. This limitation on liability does not apply when a utility has acted recklessly.

(d) Secondary Purposes. No covered entity shall use or disclose covered information for any secondary purpose without obtaining the customer's prior, express, written authorization for each type of purpose. This authorization is not required when information is:

(1) provided pursuant to a legal process as described in 4(c) above;

(2) provided in situations of imminent threat to life or property as described in 4(d) above; or

(3) authorized by the Commission pursuant to its jurisdiction and control.

(e) Customer Authorization.

(1) Authorization. Separate authorization by each customer must be obtained for all disclosures of covered information except as otherwise provided for herein.

(2) Revocation. Customers have the right to revoke, at any time, any previously granted authorization.

(3) Opportunity to Revoke. The consent of a customer shall continue without expiration, but an entity receiving information pursuant to a residential customer's authorization shall contact the customer, at least annually, to inform the customer of the authorization granted and to provide an opportunity for revocation. The consent of a non-residential customer shall continue in the same way, unless specified otherwise in a contract of finite duration, but an entity receiving information pursuant to a non-residential customer's authorization shall contact the customer, to inform the customer of the authorization granted and to provide an opportunity for revocation either upon the termination of the contract, or annually if there is no contract.

(f) Parity. Covered entities shall permit customers to cancel authorization for any secondary purpose of their covered information by the same mechanism initially used to grant authorization.

(g) Availability of Aggregated Usage Data. Covered entities shall permit the use of aggregated usage data that is removed of all personally-identifiable information to be used for analysis, reporting or program management provided that the release of that data does not disclose or reveal specific customer information because of the size of the group, rate classification, or nature of the information.

5.7. What Rules Reasonably Ensure the Quality and Integrity of Data and Protect its Security?

A principle of FIP is that the data collected, stored and disseminated must be reasonably accurate and complete. Another key FIP principle is that the collected data must be secure and protected from those seeking unauthorized access. To meet these two concerns, CDT recommended that the Commission adopt the following two rules:

7. DATA QUALITY AND INTEGRITY

Covered entities shall ensure that covered information they collect, store, use, and disclose is reasonably accurate and complete or otherwise compliant with applicable rules and tariffs regarding the quality of energy usage data.

8. DATA SECURITY

(a) Generally. Covered entities shall implement reasonable administrative, technical, and physical safeguards to protect covered information from unauthorized access, destruction, use, modification, or disclosure.

(b) Notification of Breach. Upon request by the Commission, covered entities shall notify the Commission of security breaches of covered information.

5.7.1. Position of Parties

PG&E argued that there is no need for regulation pertaining to data quality and integrity because "Commission rules and tariffs already specify the accuracy and completeness required for various types of utility information."159

Several other parties argued in support of the proposed Rule 8, which requires notification of the Commission concerning breaches when the Commission seeks that information.

Still other parties argued that there is no need to mandate disclosure of information breaches because notification of those affected is already required by state and federal law. PG&E contended that "[e]xisting federal and state 'red flag' laws already regulate and provide for notification of specific privacy breaches to the customers affected by the breaches."160 CFC also argued that Civil Code § 1798.82 requires a business to "disclose any breach of the security of the system following discovery or notification of the breach in security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."161

PG&E and SCE argued in support of providing information on security breaches when requested by the Commission as a more practical approach than a requirement that automatically requires the provision of information.

5.7.2. Discussion: Modified Rules Can Promote the Quality and Security of Data

This decision rejects PG&E's recommendation to delete Rule 7, which calls for data quality and integrity. Although PG&E is correct that law and regulation already call for accurate data, since we are expanding the amount, type, and quality of consumption data that the utility will be collecting and communicating, it is appropriate to adopt this requirement.

Concerning Rule 8 on data security, it is reasonable to require utilities to notify the Commission of a breach whenever the Commission requests such a notification. Utilities should also provide an annual notification of all breaches in addition to providing such data when requested. Automatic notifications must also be provided to the Commission whenever there are significant security breaches. Utilities must notify the Commission immediately when a security breach affects more than 1,000 customers. In addition, this decision leaves unmodified federal and state laws under which covered entities must notify customers of security breaches.

In summary, this decision adopts regulation 7 as recommended by CDT for adoption by the Commission and modifies and adopts regulation 8 as follows:

8. DATA SECURITY

(a) Generally. Covered entities shall implement reasonable administrative, technical, and physical safeguards to protect covered information from unauthorized access, destruction, use, modification, or disclosure.

(b) Notification of Breach. A covered third party shall notify the covered electrical corporation that is the source of the covered data within one week of the detection of a breach. Upon a breach affecting 1,000 or more customers, whether by a covered electrical corporation or by a covered third party, the covered electrical corporation shall notify the Commission's Executive Director of security breaches of covered information within two weeks of the detection of a breach or within one week of notification by a covered third party of such a breach. Upon request by the Commission, electrical corporations shall notify the Commission's Executive Director of security breaches of covered information.

(c) Annual Report of Breaches. In addition, electrical corporations shall file an annual report with the Commission's Executive Director, commencing with the calendar year 2012, that is due within 120 days of the end of the calendar year and notifies the Commission of all security breaches within the calendar year affecting covered information, whether by the covered electrical corporation or by a third party.

5.8. What Rules Reasonably Assure the Accountability of Entities for Complying with Privacy Policies?

Based on its analysis, CDT recommends the following rule pertaining to accountability and auditing to promote compliance with the adopted privacy policies:

9. ACCOUNTABILITY AND AUDITING

(a) Generally. Covered entities shall be accountable for complying with the requirements herein, and must make available to the Commission upon request or audit:

(1) the privacy notices that they provide to customers,

(2) their internal privacy and data security policies,

(3) the identities of agents, contractors and other third parties to which they disclose covered information, the purposes for which that information is disclosed, indicating for each category of disclosure whether it is for a primary purpose or a secondary purpose, and

(4) copies of any secondary-use authorization forms by which the covered party secures customer authorization for secondary uses of covered data.

(b) Customer Complaints. Covered entities shall provide customers with a process for reasonable access to covered information, for correction of inaccurate covered information, and for addressing customer complaints regarding covered information under these rules.

(c) Training. Covered entities shall provide reasonable training to all employees and contractors who use, store or process covered information.

(d) Audits. Each covered entity shall conduct an independent audit of its data privacy and security practices periodically as required by the Commission to monitor compliance with its data privacy and security commitments, and shall report the findings to the Commission.

(e) Disclosures. On an annual basis, covered entities shall disclose to the Commission:

(1) the number of authorized third parties accessing covered information,

(2) the number of non-compliances with this rule or with contractual provisions required by this rule experienced by the covered entities or authorized third parties, and the number of customers affected by such non-compliances.

CDT argued strongly for these recommended accountability and auditing rules. CDT contended:

Without robust and predictable accountability and auditing requirements, including regular disclosures of relevant practices to the Commission and meaningful customer redress mechanisms, there can be no oversight or enforcement, rendering the customer privacy protections fundamental to the rule ineffective. For this reason, accountability and enforcement are crucial to implementing the overall FIPs [Fair Information Practices] framework.162

5.8.1. Positions of Parties

PG&E's comments expressed support for the rules as written and voiced concern that these rules avoid upending current Commission practices for addressing complaints and conducting audits.

SCE asked that the audit requirements be "triggered upon the request of the Commission."163 The CDT proposed rules, as amended in the reply comments, now achieve this result.

TURN stated that:

TURN continues to be extremely troubled by the potential lack of enforcement and lack of potential penalties to deter violations.... TURN strongly recommends the adoption of a set fine as a deterrent. We also suggest a registration process, and violations should lead to suspension, similarly to the provision for deregistering an ESP [energy service provider] under PUC Section 394.1.164

In comments on the PD, PG&E argued that reporting the identity of each entity that received covered data pursuant to a primary purpose is burdensome and confusing. PG&E proposed that the disclosure of the identities of entities that received covered data be limited to those entities receiving data for a secondary purpose. PG&E also requested that companies not maintain lists of those receiving data pursuant to a primary purpose, but instead offered to make available to the Commission information indicating whether a specific entity received covered information.165

5.8.2. Discussion: The Accounting and Auditing Rule Permits the Monitoring and Enforcement of Compliance with Privacy Policies

Rule 9, as recommended by CDT, offers a reasonable approach to accounting and auditing at this time. In particular, Rule 9 enables the Commission to obtain information readily so that the Commission can monitor privacy practices and exercise oversight.

Concerning PG&E's request for more limited disclosures, this decision now modifies the regulations to require only the reporting of the categories of entities obtaining covered data for a primary purpose, but a utility must disclose the identity of each entity receiving data for a secondary purpose and must make a full list of each entity receiving covered data available to the Commission upon request. Each utility remains responsible for knowing the identity of each entity that receives covered data from it, whether for a primary or secondary purpose. The decision amends the reporting requirements consistent with this discussion.

The recommended rules, however, fail to provide adequate specificity concerning the filing of the required reports. For this reason, this decision adopts rules to require the privacy and security audits to take place as part of the review of a utility's operations conducted in general rate cases after 2012. In addition, the decision adopts an annual reporting requirement concerning the disclosure of information to third parties and non-compliance with contractual provisions pertaining to the privacy rules.

This decision finds reasonable and adopts the following rule:

9. ACCOUNTABILITY AND AUDITING

(a) Generally. Covered entities shall be accountable for complying with the requirements herein, and must make available to the Commission upon request or audit:

(1) the privacy notices that they provide to customers,

(2) their internal privacy and data security policies,

(3) the categories of agents, contractors and other third parties to which they disclose covered information for a primary purpose, the identities of agents, contractors and other third parties to which they disclose covered information for a secondary purpose, the purposes for which all such information is disclosed, indicating for each category of disclosure whether it is for a primary purpose or a secondary purpose. (A covered entity shall retain and make available to the Commission upon request information concerning who has received covered information from the covered entity.), and

(4) copies of any secondary-use authorization forms by which the covered party secures customer authorization for secondary uses of covered data.

(b) Customer Complaints. Covered entities shall provide customers with a process for reasonable access to covered information, for correction of inaccurate covered information, and for addressing customer complaints regarding covered information under these rules.

(c) Training. Covered entities shall provide reasonable training to all employees and contractors who use, store or process covered information.

(d) Audits. Each electrical corporation shall conduct an independent audit of its data privacy and security practices in conjunction with general rate case proceedings following 2012 and at other times as required by order of the Commission. The audit shall monitor compliance with data privacy and security commitments, and the electrical corporation shall report the findings to the Commission as part of the utility's general rate case filing.

(e) Reporting Requirements. On an annual basis, each electrical corporation shall disclose to the Commission as part of an annual report required by Rule 8.b, the following information:

(1) the number of authorized third parties accessing covered information,

(2) the number of non-compliances with this rule or with contractual provisions required by this rule experienced by the utility, and the number of customers affected by each non-compliance and a detailed description of each non-compliance.

5.9. Should We Adopt Rules Now or is Further Study Needed?

Although the Commission did not ask whether further study was needed before the adoption of privacy rules, several parties placed this issue before the Commission and the comments of many parties implicitly addressed the issue of timing. For this reason, this decision addresses this issue.

5.9.1. Position of Parties

SDG&E argued that "existing laws and regulations at the federal and state level, as well as numerous CPUC decisions, currently provide an adequate and proper framework to protect California citizens' energy data."166 Nevertheless, SDG&E also proposed "to have a Commission sponsored technical working session with CDT & EFF, the IOUs and other interested parties or stakeholder to discuss the proposal and potential to 'operationalize' the adopted FIPs in more detail."167 SDG&E proposed that the workshops develop "a set of 'use cases' to foster a better understanding of how the FIPs privacy principles may be implemented..."168

TURN stated that it "strongly supports the rules proposed by CDT/EFF, with some minor changes." TURN, however, also argued that "these rules still require additional details to operationalize the principles in disclosure forms, contract terms or tariff language."169

PG&E adopted a position similar to TURN's. PG&E stated that:

...[It] proposes that the Commission consider adopting a new or revised General Order or policy statement on customer privacy consistent with these comments. The General Order or policy statement would reaffirm and codify the Commission's existing standards and orders on customer privacy, and would also implement the customer privacy standards enacted in SB 1476.170

Implicit in the positions of TURN and PG&E is that the rules proposed by CDT offer a good start, but that the Commission should follow with a more general proceeding aimed at producing a new General Order on privacy.

SCE, in contrast, argued that a modified CDT proposal "would be a reasonable means of addressing customer data privacy in the context of customer interval usage data."171

Verizon argued that the Commission should not adopt privacy rules, but instead "should monitor the smart grid market for specific privacy concerns to determine whether existing privacy laws, regulations, and industry best practices adequately address such concerns or whether additional legislative or regulatory guidance is needed."172 Implicit in this position is that the Commission can rely on SB 1476 without additional codification into regulatory rules.

5.9.2. Discussion: It is Reasonable to Adopt Rules Now

The record developed in this proceeding concerning privacy is substantial, and additional workshops to develop privacy policies, as recommended by SDG&E, are not necessary.

TURN's observation that additional details are needed to operationalize the privacy rules is well taken. The development of these details, however, can occur in the Tier 2 advice letter filings as needed. Each of PG&E, SCE and SDG&E must file a Tier 2 advice letter within 90 days of the mailing of this decision that includes revisions to tariffs, where needed, to bring current practices into conformity with the privacy and security policies adopted herein.

Finally, the rules that we adopt advance the requirements and policy goals of SB 1476 and strengthen the existing statutory and regulatory frameworks that protect privacy. We therefore reject the approach recommended by some that the Commission focus on monitoring for failures to protect policy and taking remedial actions when failures occur.

6. Should Utilities Provide Price Information to Customers? What Price Information Should they Provide?

16 USC § 2621(d)(19)(B), enacted as part of national policy for the Smart Grid, contains the following requirement:

(B) Information

Information provided under this section, to the extent practicable, shall include:

(i) Prices. Purchasers and other interested persons shall be provided with information on-

    (I) time-based electricity prices in the wholesale electricity market; and

    (II) time-based electricity retail prices or rates that are available to the purchasers.

D.09-12-046 found it unnecessary to order California utilities to provide this information because "prior Commission actions constitute a 'prior state action' and, pursuant to [16 USC] § 2622(d), no further action is required at this time."173 At the same time, D.09-12-046 also stated that "this decision establishes a policy goal that SCE, PG&E, and SDG&E provide consumers with access to electricity price information by the end of 2010."174

Despite the clear guidance in Federal law and the Commission's own decision to establish the provision of pricing information as a policy goal, substantial issues concerning the definition of price and the usefulness of wholesale pricing information have arisen in this proceeding. This section reviews the positions of parties on this matter and decides the next steps.

6.1. Positions of Parties

Concerning the communication of pricing information, PG&E noted that it currently "provides both residential and non-residential customers with pricing information on PG&E's website, and specifically customers can obtain information about their current rate via an on-line rate information center."175 PG&E also stated that it currently provides customers "web-based tools for forecasting and calculating their energy usage costs" and "customers can also sign up to receive email, text or phone messages as they transition from one of the upper tiers into a higher tier."176 PG&E, however, cautioned that "the Commission should not mandate or provide prescriptive direction to utilities regarding exactly what form, or how that pricing information should be provided to customers."177

SCE stated that it currently provides customers with pricing data, and that "pricing data is readily available to SCE customers on SCE.com, on the customer's monthly bill, or through SCE's call center."178 SCE also stated that it "plans to provide customers with Edison Smart Connect meters ... with bill-to-date and bill-forecast information, as well as optional alerts ..."179

Concerning pricing information in real-time or near real-time, SCE argued that "the provision of retail pricing in near real-time is not useful information to most customers, as tiered rate structures distort the intended affect [sic] of providing near real-time retail rates."180 SCE claimed that this information "may cause confusion" and that "customers are far more interested in tools that help them manage their electricity bills."181 Regarding access to pricing information in near-real time, SCE argued "the Commission should consider the value associated with performing a pilot to assess the costs and benefits..."182 Finally, SCE argued that customers "do not face (wholesale)" prices183 and that "there are only limited benefits from the provision of wholesale price information to customers, and any such benefits would primarily accrue to non-residential customers."184 Based on these concerns, SCE recommended "that the Commission consider a pilot study"185 and that "the IOUs and CAISO ... work jointly in the demand response proceeding to further refine the pricing signals to develop a more effective correlation with wholesale prices."186

SDG&E stated that currently it "does not provide timely pricing data with the usage information to residential customers."187 Concerning what pricing information it should provide, SDG&E opined "that the most useful pricing information would be an estimated price based on the expected marginal end of month bill impact given the current month-to-date consumption and consumption patterns in past, similar periods."188

In sharp contrast to the position of utilities, the ISO stated that it is strongly committed to the provision of wholesale price information to customers, arguing that "[w]hile the precise wholesale price may not always convey actionable information to retail customers, providing a meaningful signal correlated with the ISO wholesale price can help customers understand when their individual action can have the greatest impact on the grid."189 The ISO described a rapidly evolving energy market and argued that opposition to the provision of wholesale pricing data "does not fully account for likely future developments in the area of demand response."190

DRA stated that it is skeptical concerning new initiatives that "require ratepayers to fund network upgrades to allow [real time] pricing signals..."191 DRA argued that "if pricing information is to serve customers, it must be 'actionable and useful' by making clear to residential and small business customers how to save energy and money on bills."192 Specifically, DRA supported the provision of "the fully bundled rate."193 Concerning wholesale pricing, DRA argued that "[w]holesale pricing information will not provide useful information to residential and small business customers at this time."194 Furthermore, in comments on the PD, DRA argued that including a "rate calculator" may be both costly and complex.195 DRA argued further that a pilot on the provision of real-time prices may be costly and too complex for practical use.196

In comments on the PD, the CAISO supported the PD's requirement that the utilities communicate wholesale as well as retail prices to customers, recommended the development of a "price to device" system, and requested that the Commission hold a workshop to enable parties to work together before the tariff filings.197

TURN stated that it "strongly supports the comments of [DRA] and of SCE concerning the need to provide understandable and actionable data."198 In particular, TURN supported the "provision of bill-to-date and bill forecast data"199 and the "projected month-end tiered rate"200 to customers. Concerning wholesale price information, TURN stated that it "appreciates the concern [that wholesale prices] ... will simply confuse customers and actually promote undesirable behaviors"201 and recommends that the Commission "redirect its focus to promote the provision of other data, at least in the near term."202 In summary, TURN stated that it "strongly recommends that the Commission order the utilities in its next decision to implement automatic tier notification, to maximize consumer enrollment, and to report back on the statistics of enrollment."203

UCAN supported the provision of pricing data to customers, and argued that "[p]ricing data must incorporate the fully bundled rate per kWh rather than be limited to the commodity price."204

6.2. Discussion: PG&E, SCE, and SDG&E Should Provide Retail Price Information and Make Wholesale Price Information Available

The parties have presented comments on three aspects of the issue of pricing: 1) approximations of retail prices; 2) pricing information in near real-time; and 3) wholesale prices.

On the issue of the provision of approximate price information, our record shows both substantial agreement among parties and substantial progress on the part of PG&E and SCE in making price and bill information available to customers. We find that SDG&E should join its sister utilities in making an approximate price, actual usage and an estimate of the bill available to its customers as soon as possible. This should be done in a manner consistent with PG&E and SCE in that the information should be, at a minimum, provided to customers online, available one day later, in hourly or 15 minute increments (matching the time granularity programmed into the customer's smart meter) and updated at least daily. In particular, each of the three companies should ensure that the information made available to residential and small commercial customers is updated at least on a daily basis, with each day's usage data available by the next day (the current practice), along with applicable price and cost details and with hourly or 15-minute granularity (matching the time granularity programmed into the customer's smart meter).

TURN, DRA, and UCAN provide strong support for the policy of providing "actionable" pricing data to consumers. The cautions raised by PG&E against adopting overly prescriptive disclosure requirements, particularly at this time when technology, markets, and prices are changing so rapidly, are reasonable. Nevertheless, PG&E, SCE, and SDG&E should offer to their residential customers, as TURN recommends, bill-to-date, bill forecast data, projected month-end tiered rate, and notifications as ratepayers cross rate tiers. Furthermore, the prices conveyed should, as UCAN recommends, state the "all in" price that customers pay for electricity. It is encouraging that PG&E and SCE already provide many of these pricing data and services to their customers. At this time, pricing information does not appear to be presented in a uniform or standard manner across the utilities. As explained more fully below, PG&E, SCE, and SDG&E should provide this pricing and usage data to consumers in as near a uniform manner as possible. Based on DRA's arguments in comments on the PD, the decision no longer requires the inclusion of a "rate calculator."

Although DRA may be correct on the complexities concerning the provision of real-time prices, the decision continues to require a pilot. The decision views the ability to tell customers the price of their consumption of electricity at any particular time a key building block for empowering customers.

As noted in D.09-12-046, EISA envisions that wholesale price information will be available to all customers.205 Concerning wholesale prices, this decision follows SCE's suggestions and orders SCE, PG&E, SDG&E, and the ISO to work together to further refine the ability to provide the wholesale price of electricity to consumers. The ISO is certainly right in its view that allowing consumers to respond to price and system conditions will require the availability of information on the status of the wholesale market. Moreover, through our workshops and the filings in this proceeding, it is clear that the ISO currently streams information continuously on its website stating several forms of the wholesale price of electricity. Thus, it should not be expensive for SCE, SDG&E, or PG&E to use this streaming information to provide information to consumers concerning a measure of prices in the wholesale market. Unfortunately, to those who are not expert in the wholesale market, the information on wholesale prices currently provided by the ISO is impenetrable. Furthermore, the CAISO's recommendation of a wholesale "price to device" system is reasonable.

Therefore, SCE, SDG&E, and PG&E, the ISO, and consumer groups should work together to develop a cost-effective way of modifying this data to provide accessible information on prices in electric wholesale markets. The Commission will schedule a workshop to facilitate the development of consensus on how to provide wholesale pricing information. The workshop will also consider whether communicating a "price to device" is feasible and cost-effective.

Although this decision has ordered SCE, SDG&E, and PG&E to make available bill-to-date, bill forecast data, projected month-end tiered rate, and notifications as ratepayers cross rate tiers, this decision does not prescribe how a utility should make that information available nor has it limited the information provided. As long as SCE, SDG&E, and PG&E offer to provide the information and notifications as ordered, the IOU is free to offer other information that it believes useful to its business or to advancing California energy policy.

In addition, this decision does not order SCE, SDG&E, and PG&E to use a specific technology to make the price information available. For example, a utility may wish to send the notifications of a change in rate tier via e-mail, text message, tweet, chat, or some other form of rapid communication. SCE, SDG&E, and PG&E may each propose whatever it deems a useful and cost-effective way of communicating price information. The Commission's desire for the communication of pricing information, however, is not a blank check for investing in a communications backbone to establish broadband connections with meters. SCE, SDG&E, and PG&E should use means that are as low-cost as possible to provide pricing information, similar to the methods that they now use. SCE, SDG&E, and PG&E should make use of standardized formatting, when available, for providing this information to consumers.206

In summary, PG&E, SCE, and SDG&E must therefore each file a Tier 2 advice letter with the Commission within six months of the mailing of this decision that details how the utility either currently does or plans to provide retail price, wholesale price, usage, and bill data to customers using the disaggregated information provided by the Smart Meter.

Finally, concerning the provision of price information in near real-time, this price information will become most useful following the deployment of HAN-enabled devices and for those customers on more dynamic tariffs, such as critical peak pricing, peak time rebate programs, and, eventually, real-time pricing. Moreover, with the complexity of current utility tariff schedules in which the rates and tiers faced by most residential customers vary by location, by day, and by amount used within the billing period, it is difficult to determine the near real-time retail price. Indeed, at several points throughout the workshops in this proceeding, it was observed that simpler tariffs would likely benefit energy customers. These considerations make us reluctant to order the provision of price information in real-time at this time, but the Commission expects to reexamine this issue in the context of the deployment of HAN and HAN-enabled devices.

In the face of this complexity and uncertainty, SCE's suggestion that the Commission encourage pilot studies on how to provide retail prices in real-time or near real-time offers a reasonable approach to this complex problem. This decision therefore orders that PG&E, SCE and SDG&E, either separately or jointly, initiate a pilot study within six months to explore useful and cost-effective ways to provide price information in real-time or near real-time. PG&E, SCE, and SDG&E must consult with the Commission staff on the details of the pilot studies.

7. What Access to Covered Data Should Utilities Provide and When Should they Provide it?

This proceeding considered several ways of providing a customer with information on his or her covered data, including the provision of information over the internet, with the information hosted or presented by the utility or by a third party, and the provision of information through a customer premises device in direct communication with the Smart Meter, where the device is either owned by the customer or under a service contract with either the utility or a third party. In addition, it was noted that a consumer can sometimes directly install a device on his or her electric service that provides much of the information available from a Smart Meter. Finally, when a customer deploys a HAN-enabled device in their home, this device may be in communication with customer appliances or, via the internet, with other energy service entities, and may obtain information simultaneously from multiple sources.

Currently, PG&E permits its customers to obtain usage data delayed by one day over the internet.207 Similarly, SCE also permits its customers to obtain usage data delayed by one day over the internet.208 SDG&E enables third parties, such as Google, to provide customers with information on their usage over the internet and has adopted policies to ensure that this occurs on a secure basis.209 SDG&E's data on usage is also delayed by a day. SDG&E is planning to offer its customers access to information via a SDG&E web site in 2011.

7.1. Position of Parties

Concerning the provision of data access, PG&E noted that "the nationwide working groups addressing both the Smart Energy 2.0 standard for HAN and the OpenADE standard are addressing privacy, security, and pricing models, with standards likely to be approved during 2011."210 In comments on the PD, PG&E also argued that "the PD be clarified to authorize recovery of incremental costs of implementing the new privacy tariffs as well as the third-party access program."211 PG&E further stated that "its costs of implementing a centralized data clearinghouse for third-party access to customer energy usage data consistent with the OpenADE standard would likely be in the millions of dollars."212

SCE argued that "OpenADE efforts, now renamed 'Energy Service Provider Interface (ESPI)' have been delayed, and is [sic] now expected to be ratified by NAESB [North American Energy Standards Board] and accepted by NIST in mid-2011."213 Despite the delay in standards adoption, SCE "plans to implement ESPI functionality using a phased approach to provide customers and authorized third parties with data access."214

SCE further argued:

This phased approach will allow SCE to be best prepared to provide customers and their authorized third parties with access to usage data in timely manner once the final standard and rules are adopted by the Commission.

... SCE recommends that the Commission order the IOUs to file applications in early 2011, detailing their respective plans to implement ESPI functionality, forecast costs and proposed recovery of implementation costs. Neither ESPI nor any comparable functionality was proposed in the Edison SmartConnect Application or in any other proceeding.215

SCE also argued in comments on the PD that "the SDG&E/Google PowerMeter experience was a small scale third party data access pilot and not a full third party access solution."216 SCE, like PG&E, asserted that "[a] full [ESPI] solution that will scale to many third parties and all eligible IOU customers will undoubtedly require additional funding..."217

In contrast to SCE and PG&E, SDG&E already provides access to third parties. In particular, "SDG&E provided residential customers with Smart Meters the option to access their hourly interval consumption data via Google's PowerMeter."218 SDG&E's Reply Comments provided details on the procedures that customers must follow to give an authorized third-party access to covered data as well as the numerous security steps that SDG&E and Google have implemented to protect customer data from those attempting to secure access fraudulently.

TURN also provided extensive comments concerning issues that arise from providing customers and authorized third parties access to covered data. In particular, TURN argued that there is a difference between third parties who obtain covered information from an internet connection with the utility (referred to as the backhaul) and those that receive information from a device bolted to the customer's line or directly from the customer's meter. TURN stated:

The backhaul data is collected without any customer input, and the data is available only because the utilities installed the new communicating interval meters on the premises of residential and small commercial customers. These customers had no choice in the collection of the consumption data. For this reason, any dissemination of backhaul data should be highly protected through the rules proposed by CDT/EFF.219

Concerning access to covered data, TURN, in comments on the PD, expressed concerns with the costs, and stated that "our concern would ... be greatly alleviated if the PD were modified to order PG&E and SCE to likewise implement this functionality for under one million dollars."220

Concerning access through devices installed by a consumer, TURN noted that:

... a customer can choose to voluntarily install "bolt-on technologies" to their meter and obtain real-time meter wireless output signal data to their own HAN Systems...[t]he customer chooses to obtain this data irrespective of any action by the utility, and should thus have complete control over the disposition of the data.221

UCAN also highlighted concerns over enforcement of privacy rules in its comments, and argued that there should be a utility role in vetting third party service providers.222 SoCalGas similarly supported a certification and registration process for third parties, but stated that it "does not believe that the IOUs represent a proper channel to provide this certification or registration function."223 SDG&E likewise supported registration of third parties by the Commission.224 In Comments on the PD, DRA requested that the Commission "direct the utilities to establish a Working Group comprised of representatives from all parties to carefully construct a proposed Smart Grid Electric Rule to govern third party access to information."225

In contrast to data access through the backhaul and data access through a measurement device attached near the meter, TURN argued that data from the smart meter obtained through communication with the meter falls between these two poles and requires a different approach. TURN urged that the Commission "should require that utilities file a Tier 3 advice letter prior to any authorization/registration of devices to read the meter signal" and proposed requirements governing this process.226

EnerNOC argued for providing customers and their agents with full access to usage data generated by the Smart Meter as soon as possible:

EnerNOC believes that customers, and their authorized agents, should have access to data on a real-time basis at the meter through Zigbee227-enabled devices using Smart Energy Profile (SEP) protocol228 as soon as possible. Customers, or their agents, should be able to access all data recorded by the meter on as granular a basis as is possible. While not all customers may want or need this capability, the smart meters should be able to provide a choice of data interval and SEP is available today (version 1.0).229

Control4 similarly urged that the Commission should order consumer access to their Smart Meter data quickly and directly. Control4 argued that the Commission should order the use of communication standard SEP 1.0 rather than waiting for SEP 2.0.230 "The individual consumption data communicated in near real time (i.e., every ten seconds) via SEP 1.0 is more than adequate to provide consumers with analytics about their usage patterns, contextualized energy efficiency tips, and energy costs."231

Tendril argued that access to meter information should be provided immediately by SDG&E, PG&E, and SCE. Tendril stated that it fails "to see any justification in the record of this proceeding to support the assertion by SCE that achieving the objective established by the Commission is in any way 'dependent' on the development of a future standard."232

The PD's proposal to permit HAN devices access to the Smart Meter generated many comments. DRSG argued that the Commission should not wait for SEP 2.0 because waiting would delay consumer benefits from the Smart Meter.233 DRSG asked that the Commission direct a "phasing" of the Smart Meters, not a "piloting," because the AMI decisions already ordered and funded interfaces for HAN devices.234 DRSG also asked that HAN activation extend to residential buildings, not just residential homes.235 DRSG also requested that the Commission make available other data provided by the Smart Meter, such as voltage and power quality.236

DRA has pointed out that AMI project costs "include budgets to test and ensure HAN connectivity with the household."237 DRA cautions against ordering pilot projects. UCAN pointed out that "the IOUs currently have monies allocated in their smart meter deployment and dynamic pricing customer education accounts that, if pooled, could be harnessed for such a pilot."238

TURN, in contrast, opposed the activation of the HAN, stating that it "completely opposes this additional incursion of the utilities into the role that is supposed to be played by the competitive market."239 TURN recommended that "if the Commission pursues this pilot, it should order the utilities to develop one pilot project."240

7.2. Discussion

TURN is right to suggest that Smart Meter data provided by PG&E, SCE, or SDG&E via the internet (or the backhaul) should be subject to protections because consumers do not need to take any affirmative action to either acquire the data or to make it available to others. The measures adopted in this decision protect that data and require an affirmative action by the customer before making the data available for secondary purposes.

Comments provided by SCE and PG&E raised substantial factual issues concerning the costs of implementing a standards-based program for providing third-parties with access to covered data over the backhaul. TURN also raised substantial issues concerning whether providing such access is worth the costs.

There is also merit in UCAN's recommendation of a registration process to certify third parties who offer energy services in California that require access to consumption data and to DRA's recommendation of developing a Working Group. At this time, the demand for and cost of providing access to covered data over the internet is unclear. Since this decision requires each utility to file an application to consider whether the benefits in providing access to covered data via the backhaul when authorized by the customer outweigh the costs, those proceedings will also be the most propitious time for the Commission to consider whether to require a registration process or some other process for governing third party access to covered data when authorized by the customer.

Concerning a customer's use or disclosure of his or her usage data, it is not necessary nor is it reasonable for the Commission to regulate this activity at this time. The utilities covered by the rules adopted in this decision can provide consumers receiving data with information explaining the importance of protecting that data. Therefore, this decision declines to develop regulations pertaining to those who receive usage data from the customer because they are not necessary at this time. The Commission, however, will monitor the experiences of customers in this area and determine whether future circumstances require a different approach.

Although SDG&E gained Commission authorization for providing information to third parties through a Tier 2 advice letter that was only three pages in length (plus tariff sheets) and which had implementation costs that were "estimated between $650K and $750K, funded through current AMI contingency funding and energy efficiency education and outreach funding,"241 it is not clear that PG&E and SCE will have a similar experience. Therefore, PG&E and SCE shall each file an application with corresponding tariffs to provide third-parties, when authorized by the consumer and when agreeing to the privacy protections adopted in this decision, access to the covered data. This application may seek the recovery of implementation costs and should provide information concerning potential demand for this information. This filing is due within six months of the mailing of this decision.

Furthermore, SDG&E should also file an application within six months of the mailing of this decision that modifies its current tariff to bring its tariff into conformity with the rules adopted in this decision. SDG&E's application should also address data format standards and the potential demand for this covered information. SDG&E's application may also seek the recovery of additional implementation costs.

Also, as discussed above, the applications should include a process, such as a registration program for entities receiving covered data via the backhaul when authorized by the customer, which enables the Commission to ensure that those receiving the covered data respect the privacy rights of consumers.

Granting third-party access to covered data from the utility when authorized by the customer is reasonable and in the public interest. California ratepayers have incurred substantial costs to modernize the electric meters throughout the state. Many of the benefits of these new meters will not be realized until customers can obtain access to their covered data through utilities or through third parties, like Google, who specialize in the presentment of actionable information to consumers. We see no reason to delay this further.

Providing direct access to the granular data through connecting a device to the Smart Meter, however, raises issues concerning privacy that are similar to those raised in providing access to covered data via the backhaul, but access via the meter raises different technical issues. This decision finds that the granular nature of the data collected at the Smart Meter requires privacy protections.

As this proceeding developed, adoption of the SEP 2.0 standard was anticipated. With the continuing delays in the development of SEP 2.0, it is reasonable to order SCE, SDG&E, and PG&E to work with Commission staff and to file a Tier 3 advice letter within four months to develop Smart Meter HAN implementation plans specific to each.

Each implementation plan should include an estimated rollout implementation strategy, including a timetable, for making HAN functionality and benefits generally accessible to customers in a manner similar across all three companies. The implementation plans shall include an initial phase with a rollout that enables up to 5,000 HAN-enabled devices to be directly connected with Smart Meters as envisioned in the decisions approving the deployment of AMI, even if full functionality and rollout to all customers awaits resolution of technology and standard issues. The implementation plans should envision a rollout of a service by March 1, 2012. The implementation strategy for HAN activation should discuss key issues, such as costs, expanded data access and data granularity, current and evolving national standards & security risk mitigation and best practices, responsibilities for secure HAN connection, outcomes from working on HAN device interoperability, security testing and certification methodologies developed in collaboration with interested third parties (for example, with Lawrence Berkeley National Laboratories (LBNL) or California State University-Sacramento (CSU-Sacramento)), customer needs and preferences, a strategy for learning from the initial rollout, and provisions for accommodating customers' efforts to utilize HAN functionality independent of the utility. The full rollout shall require smart meters to transmit energy usage data to the home so that it can be received by a HAN device of the consumer's choice. PG&E, SCE, and SDG&E should also work with third parties, and other parties, if interested, (such as LBNL and CSU-Sacramento, who are actively conducting research in this area) to develop interoperability and security testing and certification methodologies to allow for tested and approved devices to be available for customer purchase.

The goal of this roll out is to provide California customers with secure, private, and direct access to the disaggregated data available in the Smart Meters. To the extent practical, PG&E, SCE, and SDG&E should collaborate in order to ensure that the roll outs work towards providing a common interface for the devices of customers and third parties.

As DRA has pointed out,242 the AMI decisions have already approved funding for the roll out of an activated HAN.

8. Conclusion

This decision, based on an extensive record discussed above, has adopted rules and procedures to protect the privacy and security of covered information and ordered PG&E, SCE, and SDG&E to bring their practices into conformity with the rules adopted here and contained in Attachment D. These rules implement policies contained in the Pub. Util. Code and those adopted in SB 1476. Each utility must file a Tier 2 advice letter within 90 days of the mailing of this decision that includes revisions to tariffs, where needed, to bring current practices into conformity with the privacy and security policies adopted herein.

The decision orders that within six months of the mailing of this decision, SDG&E must file a Tier 2 advice letter including tariff changes to make price, usage and cost information available to its customers online. The information must be updated at least on a daily basis, with each day's usage data, along with applicable price and cost details and with hourly or 15-minute granularity (matching the time granularity programmed into the customer's smart meter), available by the next day. The tariff changes must offer residential customers bill-to-date, bill forecast data, projected month-end tiered rate, and notifications as the customers cross rate tiers as part of the pricing data provided to customers. The prices must state an "all in" price the customers pay for electricity.

The decision also orders that PG&E and SCE continue to provide customers with price and usage data. Within six months of the mailing of this decision, PG&E and SCE must each file a Tier 2 advice letter including tariff changes to make price, usage and cost information available to its customers online and updated at least on a daily basis, with each day's usage data, along with applicable price and cost details and with hourly or 15-minute granularity (matching the time granularity programmed into the customer's smart meter), available by the next day. The tariff changes must offer residential customers bill-to-date, bill forecast data, projected month-end tiered rate, and notifications as the customers cross rate tiers as part of the pricing data provided to customers. The prices must state an "all in" price the customers pay for electricity.

The decision orders that PG&E, SCE, and SDG&E shall each work with the CAISO in developing a methodology to make wholesale prices available to customers on each company's website, and shall include the provision of wholesale prices in these advice letters.

The decision orders that within six months of the mailing of this decision, PG&E, SCE and SDG&E must each file an application that includes tariff changes which will provide third parties access to a customer's usage data via the utility's backhaul when authorized by the customer. The three utilities should propose a common data format to the extent possible and be consistent with ongoing national standards efforts. The program and procedures must be consistent with the policies adopted in this decision and with the Rules Regarding Privacy and Security Protections for Energy Usage Data in Attachment D of this decision. The applications should propose eligibility criteria and a process for determining eligibility whereby the Commission can exercise oversight over third parties receiving this data. The three utilities are encouraged to participate in a technical workshop to be held by the Commission in advance of the filing date. The applications may seek recovery of incremental costs associated with this program.

The decision orders that within six months of the mailing of this decision, PG&E, SCE, and SDG&E must, either separately or jointly, commence a pilot study to provide price information to customers in real time or near-real time. The pilot study shall be of a size that yields meaningful results. Each utility shall file status reports semi-annually with the Energy Division Director for a period of two years, unless directed by the Energy Division Director to continue such reports for a specified additional period of time.

The decision orders that PG&E, SCE, and SDG&E work with Commission staff and must each file a Tier 3 advice letter within four months to develop Smart Meter HAN implementation plans specific to each.

These policies will provide customers with access to the services and features supported by Smart Meters and will help California ratepayers to realize more of the benefits afforded by Smart Meters.

Finally, the Commission initiates a new phase of this proceeding to determine how the rules and policies adopted in this decision should apply to gas corporations, community choice aggregators, and electric service providers in addition to PG&E, SCE, and SDG&E.

9. Comments on Proposed Decision

The proposed decision of President Peevey in this matter was mailed to the parties in accordance with Section 311 of the Public Utilities Code and comments were allowed under Rule 14.3 of the Commission's Rules of Practice and Procedure. Comments were filed by June 2, 2011 by AT&T, CASMU, CAISO, California Cable and Telecommunications Association (CCTA), CDT/EFF, CEERT, Consumer Electronics Association (CEA), CFC, Demand Response and Smart Grid Coalition (DRSG), DRA, Environmental Defense Fund (EDF), EnergyHub, the Future of Privacy Forum (FPF), the Local Government Sustainable Energy Coalition (LGSEC), Ontario, OPOWER, PG&E, SCE, SDG&E, SoCalGas, TURN, UCAN, TechNet, Verizon, and Walmart Stores, Inc. and Sam's West, Inc. (Walmart). Reply comments were filed on June 8, 2011 by CCTA, CAISO, Cisco Systems, Inc., CDT/EFF, CFC, CTIA-The Wireless Association (CTIA), DRA, DRSG, PG&E, SCE, SeaKay, Inc. (SeaKay), Telecommunications Industry Association, TURN, and Verizon and AT&T (filing jointly).

Because of the extensive nature of the comments and replies, this decision addresses the comments here and in the issue-related sections based on where such a discussion best serves the exposition. Although this decision does not discuss each recommendation made by the many parties commenting, the revisions to the decision reflect a consideration of all comments and replies. This section will first address who is subject to the privacy rules, the proposed rules, other issues, and the required subsequent filings.

9.1. Who Is Covered by the Privacy Rules?

The issue of who must follow these privacy rules attracted numerous comments, some calling for a greater exercise of Commission jurisdiction, and some arguing that the proposed scope of the privacy rules exceeds the Commission's jurisdiction.

The CFC,243 DRA,244 and UCAN245 argued that the privacy rules should apply to any entity that receives the covered information, no matter how the entity receives the covered information and that the Commission has the authority to adopt such rules. EDF argued that "the Commission itself appears to remain uncertain about the extent of its jurisdiction."246

Revisions incorporated into this decision clarify that at this time the Commission is exercising authority over utilities and those with whom they contract for utility operations, third parties who receive covered data from the utility pursuant to Commission order, and third parties that receive covered data, when authorized by the customer, from the utility over the backhaul pursuant to tariffs.

The Commission, however, is not exercising authority over consumers or over those who receive covered information from the consumer because the consumer has the ability to unplug any device and thereby immediately stop the transfer of this data. Moreover, there is little experience available in either California or other states because HAN-enabled devices are in their infancy. For these reasons, it is not necessary for the public interest to adopt regulatory policies pertaining to this situation at this time. Please note that this decision makes no determination concerning the extent of the Commission's authority over consumers or over those receiving covered information from consumers at this time.

The distinction between "locked" and "unlocked" devices, which was contained in the proposed decision, garnered many comments. EDF argued that there should be a single policy to cover all devices.247 CCTA,248 CEA,249 TURN,250 SCE,251 DRSG,252 CEERT,253 DRA,254 TechNet,255 SDG&E,256 and UCAN257 pointed out practical, technical, legal and policy issues arising from the policy in the proposed decision concerning "locked" devices. No party spoke in support of the proposal to adopt special rules for "locked" devices. This decision, as revised, now treats all devices alike and has dropped all discussion of "locked" devices.

EDF,258 DRSG,259 and CEERT260 argued that as worded, the proposed decision conferred a special status on utilities engaged in the primary purposes of energy efficiency, demand response or energy management to the detriment of other entities so engaged. Revisions in this decision now clarify that those engaged in a primary purpose pursuant to a program approved by the Commission, whether a utility or a non-utility, have similar rights and responsibilities pertaining to the data needed to accomplish the primary purpose.

9.2. Should the Proposed Privacy Rules Be Adopted or Rejected?

The question of whether to adopt privacy rules was itself subject to extensive comments. Verizon argued that SB 1476 does not require implementing regulations and that the Commission's proposed rules are "unlawful" and, if adopted, should be subject to a sunset provision in two years.261 AT&T argued that the proposed rules are "unnecessary and premature."262 FPF263 and CTIA264 support national standards, and therefore oppose California's privacy protections. CCTA argued that the Commission needs no regulation, but should instead rely on consumer education.265

In contrast, numerous parties supported the development of regulations patterned on the FIP principles. UCAN,266 SDG&E,267 TURN,268 SCE,269 CDT/EFF,270 DRA,271 CAISO,272 Walmart,273 and PG&E274 supported privacy regulations but many of these supporters sought clarifications and other changes to the rules.

This decision concludes that the proposed regulations are necessary to clarify how the Commission will implement SB 1476. Despite the objections of several parties, the range of comments engendered by our own efforts to clarify the scope, applicability and requirements of SB 1476 convinces us that the adoption of specific rules and regulations serves the public and helps to resolve confusion and ambiguities in advance of the widespread dissemination of the data generated by smart meters.

9.3. Should the Proposed Privacy Rules Be Further Modified?

Many parties provided comments concerning specific proposed rules. Frequently, comments sought clarification of the rules or pointed out potential unintended consequences. In responding to comments of this sort, this decision was revised to ensure clarity and to avoid predictable unintended consequences, often without reference to the comments.

Still other parties opposed the rules in the PD based on specific arguments. In responding to comments of this sort, this decision revised rules when persuaded of an argument's merits and rejected revisions that the decision deemed unwarranted, often with reference to the comments.

The changes incorporated into the rules based on the Comments on the PD and on the Reply Comments on the PD are too numerous to permit a detailed discussion of each in this section. For clarity, changes resulting from comments on the PD are generally addressed in the discussion of a specific rule. This decision, however, will address some significant changes requested in the comments and reply comments on the proposed decision at this point.

As noted previously, several parties objected that the PD provided the utilities with a special status with respect to information. As discussed above, the decision seeks to provide equal treatment and this required clarification in the definitions of covered entity and covered information and in many places too numerous to mention.

In addition to revisions to rules concerning access to information and privacy requirements, other changes were also necessary.

OPOWER argued against the PD's proposal to require an "opt-out" provision in energy efficiency programs, stating that SB 1476 recognizes "the implementation of energy-efficiency programs as a primary utility purpose..."275 CEERT276 and CCTA277 made similar arguments and concluded that the "opt-out" provision has the consequence of providing unequal treatment between utilities and other covered entities.278 PG&E also opposed the "opt-out" provision.279

These arguments are persuasive, and this decision has eliminated the "opt-out" provision that previously applied to demand response, energy efficiency, and demand management programs. This policy is more consonant with the clear legislative intent of SB 1476 and with Commission policy to treat these programs on par with new generation. In addition, removing the "opt-out" provision also clarifies that the decision aims to provide equal treatment to utilities and third parties who are approved by the Commission to provide services to meet a primary purpose of California's energy program.

Concerning the FIP principle of Transparency, AT&T argued that the notice requirements are superfluous, and a notice should only be provided "when confirming a new customer account."280 Verizon also objected to the twice a year notice.281 In response, the decision now requires subsequent notices to be sent only once a year.

Concerning the FIP principles of Individual Participation (Access and Control), Verizon282 argued that requiring that consumers be provided access to detailed information would "essentially require production of raw data used for back end operations." This decision finds Verizon's argument unpersuasive - it should be possible to communicate detailed information in a comprehensible and comprehensive fashion.

On the FIP principle of Individual Participation, Verizon283 and AT&T284 also argued that requiring the utility to notify the consumer in the event of a subpoena conflicts with Code of Civil Procedure § 1985.3. In reply, CDT/EFF cites Foothill Federal Credit Union v. Superior Court (2007) (155 Cal.App.4th 632, 639) that Code of Civil Procedure § 1985.3 "does not prescribe or proscribe conduct the recipient of the subpoena."285 The decision, therefore, continues to require disclosure by the utility receiving the subpoena.

The FIP principle of Data Minimization attracted little attention in the comments and reply comments on the PD, and it is unchanged.

The FIP principle of Use and Disclosure Limitation attracted both general and specific comments. Although Verizon argued that there should be no restrictions on the use of aggregate usage data, the restrictions in Rule 6(g) are taken directly from statutory language adopted in SB 1476, and the decision rejects Verizon's proposed changes.286 The FIP principle of Data Quality and Integrity and the principle of Data Security attracted few comments. Verizon argued that the requirement for a notification of security breaches within one week should be replaced with a reasonable time.287 PG&E expressed broad support for these rules.288 TURN asked that the breach notification rules be modified to require notification of the customer, not just the Commission.289

This decision, however, leaves the rules concerning the notification of breaches within one week unchanged because this deadline for notifications of breaches is reasonable. Furthermore, since customers will be notified directly concerning breaches pursuant to other state laws, there is no need for the Commission to require additional notifications.

In summary, the Commission has reviewed the various comments and replies on the FIP principles and amended the proposed rules in response.

9.4. Other Issues

Concerning access to data, LGSEC asked that the Commission "establish an up-front blanket authorization for local governments to be provided access to approved customer energy usage data for their ongoing community energy and greenhouse gas tracking and management ..."290 LGSEC has stated that "[l]ocal governments will accept Commission jurisdiction over the release of energy usage data to either a local government or a designated third party who will be bound by the privacy rules adopted by the Commission."291 LGSEC argued that "[l]ocal governments cannot wait until 6 months after a final decision on the Smart Grid proceeding ... for ... a tariff schedule that will govern supply of non-confidential, aggregated consumption data."292

Concerning access to aggregate consumption data by local government, this decision makes it clear that the Commission can order access to usage data outside of the tariff process that will be the subject of future applications. The Commission currently considers requests from local government for access to usage data on a case-by-case basis, and this decision leaves that current process in place and unchanged. When data is provided for a primary purpose, no "opt-out" provisions apply. In addition, our disclosure rules provide that:

Covered entities shall permit the use of aggregated usage data that is removed of all personally-identifiable information to be used for analysis, reporting or program management provided that the release of that data does not disclose or reveal specific customer information because of the size of the group, rate classification, or nature of the information.

The "third party tariff process" for providing third parties with access to customer-specific data when authorized by the customer does not appear relevant to the data needs identified in the LGSEC filing, and the adoption of this decision should not hamper local government access to data. In particular, the six-month timetable for filing applications with tariffs to make data available via the backhaul should not affect the availability of data to local governments.

9.5. Subsequent Filings and Rollouts of Information Services

Numerous parties addressed issues concerning subsequent filings to provide access to covered data and to provide for the rollout of services enabling the connection of HAN devices to the Smart Meters and the activation of the HAN capabilities of the Smart Meters. These comments were discussed above and led to substantial revisions to the process envisioned in the PD.

10. Assignment of Proceeding

President Michael R. Peevey is the assigned Commissioner and Timothy J. Sullivan is the assigned ALJ in this proceeding.

Findings of Fact

1. The Department of Homeland Security developed a framework for information systems affecting national security called Fair Information Practice (FIP) principles. The framework includes eight principles: (1) Transparency, (2) Individual Participation, (3) Purpose Specification, (4) Data Minimization, (5) Use Limitation, (6) Data Quality and Integrity, (7) Security, and (8) Accountability and Auditing.

2. The FIP principles are consistent with emerging national privacy and security principles recommended by the Department of Homeland Security.

3. The FIP principles offer a practical tool for developing rules to protect the privacy and security of electricity usage data.

4. The principle of data minimization will promote the security of data.

5. Data quality and integrity is critical to the rendering of accurate and reasonable bills.

6. It is reasonable to require PG&E, SCE, and SDG&E to adopt policies applying to themselves and those with whom they contract in the provision of operational services that comply with SB 1476 and the privacy rules adopted in this decision.

7. It is reasonable to exempt from the privacy and security requirements in this decision third parties obtaining information on the usage of ten or fewer households because failure to do so would complicate situations where a family member or friend takes care of the affairs of a small number of other people.

8. It is reasonable to open another phase of this proceeding to determine how the rules and policies adopted in this decision should also apply to gas corporations, community choice aggregators, and electric service providers.

9. It is reasonable to require that when and if Bear Valley Electric Service (a division of Golden State Water Company, U913E), Mountain Utilities (U906E), PacifiCorp (dba Pacific Power Company, U901E) and California Pacific Electric Company, LLC (CalPeco) (U903E) file an application to deploy Smart Meters, then that application shall address how these privacy protections should apply to their operations.

10. It is reasonable to define as "covered information" any electrical usage information obtained through the use of the capabilities of Advanced Metering Infrastructure when associated with any information that can reasonably be used to identify a customer, except that covered information does not include usage information from which identifying information has been removed such that a customer cannot reasonably be identified or re-identified.

11. It is reasonable to adopt different rules depending on the purpose for which the information is collected.

12. It is reasonable to define as "a primary purpose" the use of information to:

(1) provide or bill for electrical power,

(2) fulfill other operational needs of the electrical system or grid,

(3) provide services as required by state or federal law or specifically authorized by an order of the Commission, or

(4) implement demand response, energy management, or energy efficiency programs under contract with an electrical corporation, under contract with the Commission, or as part of a Commission authorized program conducted by a governmental entity under supervision of the Commission.

13. It is reasonable to define as a "secondary purpose" any purpose that is not a primary purpose.

14. Electronic transactions are growing in importance throughout the economy.

15. It is reasonable to require covered entities to provide information on their privacy policy when confirming a new customer account or new customer relationship.

16. It is reasonable to require that a covered entity title its notice pertaining to the information covered by this decision as Notice of Accessing, Collecting, Storing, Using and Disclosing Energy Usage Information because this title indicates that these rules cover actions pertaining to energy usage information.

17. It is reasonable to require that privacy policies be written so that the policies are "reasonably understandable."

18. It is reasonable for a covered entity to provide customers with access to prior versions of privacy policies in the event that a customer desires such access.

19. It is reasonable to require covered entities to ensure the transparency of their privacy policies by providing customers with notice that meets the following requirements:

2. TRANSPARENCY (NOTICE)

(a) Generally. Covered entities shall provide customers with meaningful, clear, accurate, specific, and comprehensive notice regarding the accessing, collection, storage, use, and disclosure of covered information. Provided, however, that covered entities using covered data solely for a primary purpose on behalf of and under contract with utilities are not required to provide notice separate from that provided by the utility.

(b) When Provided. Covered entities shall provide written notice when confirming a new customer account and at least once a year shall inform customers how they may obtain a copy of the covered entity's notice regarding the accessing, collection, storage, use, and disclosure of covered information, and shall provide a conspicuous link to the notice on the home page of their website, and shall include a link to their notice in all electronic correspondence to customers.

(c) Form. The notice shall be labeled Notice of Accessing, Collecting, Storing, Using and Disclosing Energy Usage Information and shall-

    (1) be written in easily understandable language, and

    (2) be no longer than is necessary to convey the requisite information.

(d) Content. The notice and the posted privacy policy shall state clearly-

    (1) the identity of the covered entity,

    (2) the effective date of the notice or posted privacy policy,

    (3) the covered entity's process for altering the notice or posted privacy policy, including how the customer will be informed of any alterations, and where prior versions will be made available to customers, and

    (4) the title and contact information, including email address, postal address, and telephone number, of an official at the covered entity who can assist the customer with privacy questions, concerns, or complaints regarding the collection, storage, use, or distribution of covered information.

20. Because of the large and changing number of companies that receive access to information concerning consumers when assisting the utility in its operations, because the Commission can obtain the identities of all companies receiving information for a utility, and because the Commission requires utilities to ensure that companies supporting utilities in utility operations follow the same rules as the utility, it is unreasonable to require the disclosure of the identities of all companies receiving information from the utility.

21. Providing consumers with information on the categories of customers receiving information from a covered entity provides sufficient information to customers to enable them to understand the potential uses of their information.

22. It is reasonable to require utilities to ensure that companies supporting utilities in utility operations follow the same rules as the utility and to ensure that they cannot use information pertaining to a customer for any purpose other than the purpose for which the utility had contracted their services.

23. It is reasonable to adopt further rules pertaining to disclosure of the specific purposes for which the information is collected as follows:

3. PURPOSE SPECIFICATION

The notice required under section 2 shall provide-

(a) an explicit description of-

    (1) each category of covered information collected, used, stored or disclosed by the covered entity, and, for each category of covered information, the reasonably specific purposes for which it will be collected, stored, used, or disclosed,

    (2) each category of covered information that is disclosed to third parties, and, for each such category, (i) the purposes for which it is disclosed, and (ii) the categories of third parties to which it is disclosed, and

    (3) the identities of those third parties to whom data is disclosed for secondary purposes, and the secondary purposes for which the information is disclosed;

(b) the approximate period of time that covered information will be retained by the covered entity;

(c) a description of-

    (1) the means by which customers may view, inquire about, or dispute their covered information, and

    (2) the means, if any, by which customers may limit the collection, use, storage or disclosure of covered information and the consequences to customers if they exercise such limits.

24. It is not reasonable to require the advance notice of a request by an authority for access to data held by a covered entity in all circumstances.

25. It is reasonable to require a report from covered entities on disclosures of covered information made pursuant to legal process when the Commission requests the preparation of such a report and as part of an annual report to the Commission.

26. The following rules, which provide individuals with access and control of their covered information, are reasonable and promote the Fair Information Practice principle of individual participation.

4. INDIVIDUAL PARTICIPATION (ACCESS AND CONTROL)

(a) Access. Covered entities shall provide to customers upon request convenient and secure access to their covered information-

(1) in an easily readable format that is at a level no less detailed than that at which the covered entity discloses the data to third parties.

(2) The Commission shall, by subsequent rule, prescribe what is a reasonable time for responding to customer requests for access.

(b) Control. Covered entities shall provide customers with convenient mechanisms for-

(1) granting and revoking authorization for secondary uses of covered information,

(2) disputing the accuracy or completeness of covered information that the covered entity is storing or distributing for any primary or secondary purpose, and

(3) requesting corrections or amendments to covered information that the covered entity is collecting, storing, using, or distributing for any primary or secondary purpose.

(c) Disclosure Pursuant to Legal Process.

(1) Except as otherwise provided in this rule or expressly authorized by state or federal law or by order of the Commission, a covered entity shall not disclose covered information except pursuant to a warrant or other court order naming with specificity the customers whose information is sought. Unless otherwise directed by a court, law, or order of the Commission, covered entities shall treat requests for real-time access to covered information as wiretaps, requiring approval under the federal or state wiretap law as necessary.

(2) Unless otherwise prohibited by court order, law, or order of the Commission, a covered entity, upon receipt of a subpoena for disclosure of covered information pursuant to legal process, shall, prior to complying, notify the customer in writing and allow the customer 7 days to appear and contest the claim of the person or entity seeking disclosure.

(3) Nothing in this rule prevents a person or entity seeking covered information from demanding such information from the customer under any applicable legal procedure or authority.

(4) Nothing in this section prohibits a covered entity from disclosing covered information with the consent of the customer, where the consent is express, in written form, and specific to the purpose and to the person or entity seeking the information.

(5) Nothing in this rule prevents a covered entity from disclosing, in response to a subpoena, the name, address and other contact information regarding a customer.

(6) On an annual basis, covered entities shall report to the Commission the number of demands received for disclosure of customer data pursuant to legal process or pursuant to situations of imminent threat to life or property and the number of customers whose records were disclosed. Upon request of the Commission, covered entities shall report additional information to the Commission on such disclosures. The Commission may make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.

(d) Disclosure of Information in Situations of Imminent Threat to Life or Property. These rules concerning access, control and disclosure do not apply to information provided to emergency responders in situations involving an imminent threat to life or property. Emergency disclosures, however, remain subject to reporting rule 4(c)(6).

27. Data minimization promotes privacy and security by limiting the amount of personal data collected and the amount that must be secured and protected.

28. It is reasonable to minimize the amount of personal data collected in order to promote the privacy and security of data.

29. Adopting a principle of data minimization will be a new principle in the regulation of electric utilities.

30. The data historically collected by electric utilities and the Commission most commonly concerned the costs of providing electric service, the demand for electric service, billing data and company revenues.

31. A principle of data minimization can serve as a guide for the revision and development of other regulations pertaining to the collection and retention of information.

32. There is a tension between a principle of data minimization and the Commission's need for data to exercise effective oversight of utility operations and programs.

33. It is appropriate to permit the covered entity to collect data that is reasonably necessary and to retain it for as long as is reasonably necessary.

34. The Commission creates data collection and retention requirements as part of its regulatory program. These requirements carry Commission authorization for the collection and retention of data.

35. It is reasonable to set a time period for the retention of data that is not open-ended.

36. Data minimization is a "best practice" in strategies to protect and secure the usage data of electric utility customers.

37. It is reasonable to adopt the following rules that apply to covered entities to encourage the protection of the privacy and security of usage data through a strategy of data minimization.

5. DATA MINIMIZATION

(a) Generally. Covered entities shall collect, store, use, and disclose only as much covered information as is reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(b) Data Retention. Covered entities shall maintain covered information only for as long as reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(c) Data Disclosure. Covered entities shall not disclose to any third party more covered information than is reasonably necessary or as authorized by the Commission to carry out on behalf of the covered entity a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

38. It is reasonable for an electrical corporation to collect, store and use covered information for primary purposes, as defined above, on the condition that they follow the restrictions found reasonable in Finding of Fact 51.

39. It is reasonable to permit other covered entities to collect, store and use covered information when they have the prior consent of a customer, on the condition that they follow the restrictions found reasonable in FOF 47.

40. It is reasonable to require covered entities to ensure compliance of contractors with the privacy and security policies adopted herein through the "chain of responsibility" concept, whereby the responsible entity terminates business with contractors who fail to follow the privacy and security policies adopted in this decision.

41. It is reasonable that any tariffs that make customer usage information available to authorized third parties contain a provision that enables a residential customer to withdraw authorization at any time.

42. It is not in the public interest for a customer's authorization of the disclosure of information to a third party to automatically expire after two years.

43. It is reasonable to require a covered entity receiving usage information for a non-primary purpose to provide a residential customer with an annual reminder of the prior authorization and an opportunity to opt out.

44. Determining which activities should be "eligible" secondary purposes would be burdensome both to the Commission and to the entities seeking to use the information.

45. Requiring regulatory reviews to determine which secondary purposes would be "eligible" to obtain usage data from customers (when authorized) could have a chilling effect on product and service innovation in California.

46. It is reasonable to adopt the following rules that apply to covered entities to limit the use and disclosure of consumer usage information:

6. USE AND DISCLOSURE LIMITATION

(a) Generally. Covered information shall be used solely for the purposes specified by the covered entity in accordance with section 3.

(b) Primary Purposes. An electrical corporation, a third party acting under contract with the Commission to provide energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission, or a governmental entity providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission may access, collect, store and use covered information for primary purposes without customer consent. Other covered entities may collect, store and use covered information only with prior customer consent, except as otherwise provided here.

(c) Disclosures to Third Parties.

(1) Initial Disclosure by an Electrical Corporation. An electrical corporation may disclose covered information without customer consent to a third party acting under contract with the Commission for the purpose of providing energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission or to a governmental entity for the purpose of providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission. An electrical corporation may disclose covered information to a third party without customer consent

    a. when explicitly ordered to do so by the Commission, or

    b. for a primary purpose being carried out under contract with and on behalf of the electrical corporation disclosing the data,

    provided that the covered entity disclosing the data shall, by contract, require the third party to agree to access, collect, store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity itself operates as required under this rule, unless otherwise directed by the Commission.

(2) Subsequent Disclosures. Any entity that receives covered information derived initially from a covered entity may disclose such covered information to another entity without customer consent for a primary purpose, provided that the entity disclosing the covered information shall, by contract, require the entity receiving the covered information to use the covered information only for such primary purpose and to agree to store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity from which the covered information was initially derived operates as required by this rule, unless otherwise directed by the Commission.

(3) Terminating Disclosures to Entities Failing to Comply With Their Privacy Assurances. When a covered entity discloses covered information to a third party under this subsection, it shall specify by contract, unless otherwise directed by the Commission, that it shall be considered a material breach if the third party engages in a pattern or practice of accessing, storing, using or disclosing the covered information in violation of the third party's contractual obligations to handle the covered information under policies no less protective than those under which the covered entity from which the covered information was initially derived operates in compliance with this rule.

    · If a covered entity disclosing covered information for a primary purpose being carried out under contract with and on behalf of the entity disclosing the data finds that a third party contractor to which it disclosed covered information is engaged in a pattern or practice of accessing, storing, using or disclosing covered information in violation of the third party's contractual obligations related to handling covered information, the disclosing entity shall promptly cease disclosing covered information to such third party.

    · If a covered entity disclosing covered information to a Commission-authorized or customer-authorized third party receives a customer complaint about the third party's misuse of data or other violation of the privacy rules, the disclosing entity shall, upon customer request or at the Commission's direction, promptly cease disclosing that customer's information to such third party. The disclosing entity shall notify the Commission of any such complaints or suspected violations.

(4) Nothing in this section shall be construed to impose any liability on an electrical corporation relating to disclosures of information by a third party when i) the Commission orders the provision of covered data to a third party; or ii) a customer authorizes or discloses covered data to a third party entity that is unaffiliated with and has no other business relationship with the electrical corporation. After a secure transfer, the electrical corporation shall not be responsible for the security of the covered data or its use or misuse by such third party. This limitation on liability does not apply when a utility has acted recklessly.

(d) Secondary Purposes. No covered entity shall use or disclose covered information for any secondary purpose without obtaining the customer's prior, express, written authorization for each type of secondary purpose. This authorization is not required when information is-

(1) provided pursuant to a legal process as described in 4(c) above;

(2) provided in situations of imminent threat to life or property as described in 4(d) above; or

(3) authorized by the Commission pursuant to its jurisdiction and control.

(e) Customer Authorization.

(1) Authorization. Separate authorization by each customer must be obtained for all disclosures of covered information except as otherwise provided for herein.

(2) Revocation. Customers have the right to revoke, at any time, any previously granted authorization. Non-residential customers shall have the same right to revoke, unless specified otherwise in a contract of finite duration.

(3) Opportunity to Revoke. The consent of a residential customer shall continue without expiration, but an entity receiving information pursuant to a residential customer's authorization shall contact the customer, at least annually, to inform the customer of the authorization granted and to provide an opportunity for revocation. The consent of a non-residential customer shall continue in the same way, unless specified otherwise in a contract of finite duration, but an entity receiving information pursuant to a non-residential customer's authorization shall contact the customer, to inform the customer of the authorization granted and to provide an opportunity for revocation either upon the termination of the contract, or annually if there is no contract.

(f) Parity. Covered entities shall permit customers to cancel authorization for any secondary purpose of their covered information by the same mechanism initially used to grant authorization.

(g) Availability of Aggregated Usage Data. Covered entities shall permit the use of aggregated usage data that is removed of all personally-identifiable information to be used for analysis, reporting or program management provided that the release of that data does not disclose or reveal specific customer information because of the size of the group, rate classification, or nature of the information.

47. Because the usage data collected by smart meters expands the type and amount of information collected by a utility, it is reasonable to adopt rules to require data quality and integrity.

48. Because covered entities must notify customers of security breaches, there is no need for the covered entities to notify the Commission each time a security breach occurs.

49. Because of the Commission's responsibility to exercise regulatory oversight concerning the security of usage data, it is reasonable to require all covered electrical corporations to provide the Commission with a report on security breaches annually or upon a breach affecting more than 1,000 customers.

50. It is reasonable to adopt the following rules to protect data quality and integrity and to provide for data security:

7. DATA QUALITY AND INTEGRITY

Covered entities shall ensure that covered information they collect, store, use, and disclose is reasonably accurate and complete or otherwise compliant with applicable rules and tariffs regarding the quality of energy usage data.

8. DATA SECURITY

(a) Generally. Covered entities shall implement reasonable administrative, technical, and physical safeguards to protect covered information from unauthorized access, destruction, use, modification, or disclosure.

(b) Notification of Breach. A covered third party shall notify the covered electrical corporation that is the source of the covered data within one week of the detection of a breach. Upon a breach affecting 1,000 or more customers, whether by a covered electrical corporation or by a covered third party, the covered electrical corporation shall notify the Commission's Executive Director of security breaches of covered information within two weeks of the detection of a breach or within one week of notification by a covered third party of such a breach. Upon request by the Commission, electrical corporations shall notify the Commission's Executive Director of security breaches of covered information.

(c) Annual Report of Breaches. In addition, electrical corporations shall file an annual report with the Commission's Executive Director, commencing with the calendar year 2012, that is due within 120 days of the end of the calendar year and notifies the Commission of all security breaches within the calendar year affecting covered information, whether by the covered electrical corporation or by a third party.

51. Under the rules adopted in this decision, no covered entity will obtain access to an individual's consumption data without authorization from the individual except for that information used to meet a primary purpose, as defined in this decision.

52. It is not necessary for the Commission to regulate a customer's use of his or her own usage data.

53. It would be burdensome and impractical to regulate a customer's use of his or her own usage data.

54. Electric utilities can provide consumers receiving usage data either over the internet (the backhaul) or through the Smart Meter with information explaining the importance of protecting that data.

55. The following rules to promote the accountability of covered entities for compliance with the requirements adopted in this decision and to permit the auditing of compliance are reasonable:

9. ACCOUNTABILITY AND AUDITING

(a) Generally. Covered entities shall be accountable for complying with the requirements herein, and must make available to the Commission upon request or audit-

(1) the privacy notices that they provide to customers,

(2) their internal privacy and data security policies,

(3) the categories of agents, contractors and other third parties to which they disclose covered information for a primary purpose, the identities of agents, contractors and other third parties to which they disclose covered information for a secondary purpose, the purposes for which all such information is disclosed, indicating for each category of disclosure whether it is for a primary purpose or a secondary purpose. (A covered entity shall retain and make available to the Commission upon request information concerning who has received covered information from the covered entity.), and

(4) copies of any secondary-use authorization forms by which the covered party secures customer authorization for secondary uses of covered data.

(b) Customer Complaints. Covered entities shall provide customers with a process for reasonable access to covered information, for correction of inaccurate covered information, and for addressing customer complaints regarding covered information under these rules.

(c) Training. Covered entities shall provide reasonable training to all employees and contractors who use, store or process covered information.

(d) Audits. Each electrical corporation shall conduct an independent audit of its data privacy and security practices in conjunction with general rate case proceedings following 2012 and at other times as required by order of the Commission. The audit shall monitor compliance with data privacy and security commitments, and the electrical corporation shall report the findings to the Commission as part of the utility's general rate case filing.

(e) Reporting Requirements. On an annual basis, each electrical corporation shall disclose to the Commission as part of an annual report required by Rule 8(b), the following information:

(1) the number of authorized third parties accessing covered information,

(2) the number of non-compliances with this rule or with contractual provisions required by this rule experienced by the utility, and the number of customers affected by each non-compliance and a detailed description of each non-compliance.

56. The record in this proceeding concerning privacy is substantial.

57. Additional workshops to develop privacy policies at this time are not necessary.

58. Tier 2 advice letter filings, comments and Commission review can lead to adoption of the detailed procedures and forms needed to operationalize the privacy rules adopted in this decision.

59. PG&E and SCE have made substantial progress in making price information available to consumers over the internet.

60. It is reasonable to require PG&E, SCE, and SDG&E to provide approximate price information to customers.

61. PG&E, SCE, and SDG&E should provide actionable pricing data to consumers.

62. It is reasonable to require that PG&E, SCE, and SDG&E offer to customers - at a minimum - bill-to-date, bill forecast, projected month-end tiered rate, and notifications to ratepayers, if desired, when the customers cross rate tiers.

63. It is reasonable for PG&E, SCE, and SDG&E to provide customers with an "all in" price that the customers pay for electricity.

64. It is reasonable to require PG&E, SCE, and SDG&E each to file a Tier 2 advice letter within 90 days of the mailing of this decision to bring policies, practices and tariffs into conformity with the rules adopted in Attachment D.

65. It is reasonable to require PG&E, SCE, and SDG&E each to file a Tier 2 advice letter within six months of the mailing of this decision to provide pricing, usage and cost data, as specified herein, to customers via an online service offered by the utility.

66. The provision of price information in real-time or near real-time will be most useful following the deployment of HAN-enabled devices.

67. The provision of price information in real-time or near real-time will be most useful to consumers if the Commission adopts real-time-prices or critical peak pricing tariffs.

68. The complexity of current tariff schedules makes it difficult to determine the real-time or near real-time price charged for electricity.

69. Since the HAN is not yet activated, it is not reasonable to order the provision of price information in real-time or near real-time at this time.

70. SDG&E has provided a customer's usage data to Google for presentation to the consumer when the consumer has authorized this action.

71. It is reasonable to require SCE and PG&E to provide access to a consumer's usage data to an authorized third party at this time.

72. SDG&E obtained Commission approval to provide a customer's usage data to an authorized third party via an advice letter.

73. It is reasonable to require PG&E, SCE, and SDG&E to file an application within six months of the mailing of this decision to provide third-party access to covered data consistent with the privacy rules adopted in this decision. It is reasonable to require that these applications address the costs and benefits of providing access to the covered data and provisions for ensuring that those receiving data follow privacy rules.

74. It is reasonable to require PG&E, SCE, and SDG&E to commence a pilot study, either jointly or separately, that offers price information to customers in real-time or near-real-time.

75. The usage data provided by a Smart Meter to a HAN-enabled device is very granular and can provide information that discloses a household's use of appliances and daily habits.

76. Many of the benefits of a Smart Meter arise from establishing a home area network that has access to the granular data produced by the Smart Meters.

77. It is reasonable to order SCE, SDG&E, and PG&E to work with Commission staff and file a Tier 3 advice letter within four months to develop Smart Meter HAN implementation plans specific to each.

78. It is reasonable to require PG&E, SCE, and SDG&E to coordinate with the CAISO to determine an effective and inexpensive way to make wholesale pricing data available to those California customers who desire this information.

79. It is reasonable to require the filing of reports by PG&E, SCE and SDG&E concerning breaches of privacy and information disclosures required by the privacy rules.

80. It is not reasonable to hold utilities liable for the actions of those who receive covered information when the Commission directs the disclosure or the consumer requests or makes a disclosure.

81. It is not reasonable to exempt utilities from liability for reckless actions.

Conclusions of Law

1. SB 1476 (Chapter 497, Statutes of 2010) clarified Commission responsibility and authority to protect the privacy and security of customer usage data arising from Smart Meters.

2. The FIP principles of Transparency, Individual Participation, Purpose Specification, Use Limitation and Data Security can be linked to the provisions of SB 1468 and the Pub. Util. Code as detailed herein.

3. The FIP principles are consistent with SB 1476 and other California statutes.

4. Using the FIP principles as guides for developing California policies and regulations that aim to protect the privacy and security of customer data is reasonable.

5. SB 1476 provides guidance and authority to the Commission to protect the privacy of energy consumption data in the possession of utilities or in the possession of third parties responsible for system, grid, or operational needs, or energy efficiency programs.

6. The use of tariffs to regulate the connection of devices to the Smart Meter is consistent with Commission regulatory practice.

7. The Order Instituting Rulemaking that initiated this proceeding set the general scope of this proceeding as that of considering further actions pertaining to electric utilities and the smart grid. It did not include gas companies, community choice aggregators, or electric service providers.

8. SB 1476 applies to the customer usage data of electric and gas corporations.

9. The Definitions that follow set a scope for privacy rules that falls within the Commission's jurisdiction:

1. DEFINITIONS

(a) Covered Entity. A "covered entity" is (1) any electrical corporation,293 or any third party that provides services to an electrical corporation under contract, (2) any third party who accesses, collects, stores, uses or discloses covered information pursuant to an order or resolution of the Commission, unless specifically exempted, who obtains this information from an electrical corporation, or (3) any third party, when authorized by the customer, that accesses, collects, stores, uses, or discloses covered information relating to 11 or more customers who obtains this information from an electrical corporation.294

(b) Covered Information. "Covered information" is any usage information obtained through the use of the capabilities of Advanced Metering Infrastructure when associated with any information that can reasonably be used to identify an individual, family, household, residence, or non-residential customer, except that covered information does not include usage information from which identifying information has been removed such that an individual, family, household or residence, or non-residential customer cannot reasonably be identified or re-identified. Covered information, however, does not include information provided to the Commission pursuant to its oversight responsibilities.

(c) Primary Purposes. The "primary purposes" for the collection, storage, use or disclosure of covered information are to-

(1) provide or bill for electrical power or gas,

(2) provide for system, grid, or operational needs,

(3) provide services as required by state or federal law or as specifically authorized by an order of the Commission, or

(4) plan, implement, or evaluate demand response, energy management, or energy efficiency programs under contract with an electrical corporation, under contract with the Commission or as part of a Commission authorized program conducted by a governmental entity under the supervision of the Commission.

(e) Secondary Purpose. "Secondary purpose" means any purpose that is not a primary purpose.

10. Holding covered entities responsible for meeting the following requirements to ensure the transparency of privacy notices and policy is consistent with SB 1476, relevant provisions of the Pub. Util. Code and past Commission policies to protect privacy:

2. TRANSPARENCY (NOTICE)

(a) Generally. Covered entities shall provide customers with meaningful, clear, accurate, specific, and comprehensive notice regarding the accessing, collection, storage, use, and disclosure of covered information. Provided, however, that covered entities using covered data solely for a primary purpose on behalf of and under contract with utilities are not required to provide notice separate from that provided by the utility.

(b) When Provided. Covered entities shall provide written notice when confirming a new customer account and at least once a year shall inform customers how they may obtain a copy of the covered entity's notice regarding the accessing, collection, storage, use, and disclosure of covered information, and shall provide a conspicuous link to the notice on the home page of their website, and shall include a link to their notice in all electronic correspondence to customers.

(c) Form. The notice shall be labeled Notice of Accessing, Collecting, Storing, Using and Disclosing Energy Usage Information and shall-

    (1) be written in easily understandable language, and

    (2) be no longer than is necessary to convey the requisite information.

(d) Content. The notice and the posted privacy policy shall state clearly-

    (1) the identity of the covered entity,

    (2) the effective date of the notice or posted privacy policy,

    (3) the covered entity's process for altering the notice or posted privacy policy, including how the customer will be informed of any alterations, and where prior versions will be made available to customers, and

    (4) the title and contact information, including email address, postal address, and telephone number, of an official at the covered entity who can assist the customer with privacy questions, concerns, or complaints regarding the collection, storage, use, or distribution of covered information.

11. The Commission may obtain access to the names of companies receiving data from a utility regulated by the Commission.

12. A utility may impose privacy restrictions on firms with which it contracts.

13. Holding covered entities responsible for meeting the following requirements pertaining to the disclosure of the purposes for which information is collected, used, stored or disclosed is consistent with SB 1476, relevant provisions of the Pub. Util. Code and past Commission policies to protect privacy:

3. PURPOSE SPECIFICATION

The notice required under section 2 shall provide-

(a) an explicit description of-

    (1) each category of covered information collected, used, stored or disclosed by the covered entity, and, for each category of covered information, the reasonably specific purposes for which it will be collected, stored, used, or disclosed,

    (2) each category of covered information that is disclosed to third parties, and, for each such category, (i) the purposes for which it is disclosed, and (ii) the categories of third parties to which it is disclosed, and

    (3) the identities of those third parties to whom data is disclosed for secondary purposes, and the secondary purposes for which the information is disclosed;

(b) the approximate period of time that covered information will be retained by the covered entity;

(c) a description of-

    (1) the means by which customers may view, inquire about, or dispute their covered information, and

    (2) the means, if any, by which customers may limit the collection, use, storage or disclosure of covered information and the consequences to customers if they exercise such limits.

14. Rules that provide the individual customer with access to and control over his or her own usage information promote individual participation in the information collection and are consistent with the FIPs and California law.

15. It is not necessary to require the advance notice of a request by an authority for access to data held by a covered entity in all circumstances.

16. The following rules to provide individuals with access and control of their covered information are consistent with SB 1476 and California law and policies:

4. INDIVIDUAL PARTICIPATION (ACCESS AND CONTROL)

(a) Access. Covered entities shall provide to customers upon request convenient and secure access to their covered information-

(1) in an easily readable format that is at a level no less detailed than that at which the covered entity discloses the data to third parties.

(2) The Commission shall, by subsequent rule, prescribe what is a reasonable time for responding to customer requests for access.

(b) Control. Covered entities shall provide customers with convenient mechanisms for-

(1) granting and revoking authorization for secondary uses of covered information,

(2) disputing the accuracy or completeness of covered information that the covered entity is storing or distributing for any primary or secondary purpose, and

(3) requesting corrections or amendments to covered information that the covered entity is collecting, storing, using, or distributing for any primary or secondary purpose.

(c) Disclosure Pursuant to Legal Process.

(1) Except as otherwise provided in this rule or expressly authorized by state or federal law or by order of the Commission, a covered entity shall not disclose covered information except pursuant to a warrant or other court order naming with specificity the customers whose information is sought. Unless otherwise directed by a court, law, or order of the Commission, covered entities shall treat requests for real-time access to covered information as wiretaps, requiring approval under the federal or state wiretap law as necessary.

(2) Unless otherwise prohibited by court order, law, or order of the Commission, a covered entity, upon receipt of a subpoena for disclosure of covered information pursuant to legal process, shall, prior to complying, notify the customer in writing and allow the customer 7 days to appear and contest the claim of the person or entity seeking disclosure.

(3) Nothing in this rule prevents a person or entity seeking covered information from demanding such information from the customer under any applicable legal procedure or authority.

(4) Nothing in this section prohibits a covered entity from disclosing covered information with the consent of the customer, where the consent is express, in written or electronic form, and specific to the purpose and to the person or entity seeking the information.

(5) Nothing in this rule prevents a covered entity from disclosing, in response to a subpoena, the name, address and other contact information regarding a customer.

(6) On an annual basis, covered entities shall report to the Commission the number of demands received for disclosure of customer data pursuant to legal process or pursuant to situations of imminent threat to life or property and the number of customers whose records were disclosed. Upon request of the Commission, covered entities shall report additional information to the Commission on such disclosures. The Commission may make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.

(d) Disclosure of Information in Situations of Imminent Threat to Life or Property. These rules concerning access, control and disclosure do not apply to information provided to emergency responders in situations involving an imminent threat to life or property. Emergency disclosures, however, remain subject to reporting rule 4(c)(6).

17. The principle of data minimization adopted here does not change any existing regulations that currently require the retention of data for periods of time nor does it change any reporting requirements.

18. Adopting the principle of data minimization in this decision does not create a new liability that falls upon utilities and other entities that collect usage data. This limitation on liability does not apply when a utility has acted recklessly.

19. Since a principle of data minimization is a "best practice" in the protection of the privacy and security of usage data, a principle of data minimization is consistent with SB 1476 and the Pub. Util. Code.

20. The following rules to implement the principle of data minimization are consistent with SB 1476 and the Pub. Util. Code:

5. DATA MINIMIZATION

(a) Generally. Covered entities shall collect, store, use, and disclose only as much covered information as is reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(b) Data Retention. Covered entities shall maintain covered information only for as long as reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(c) Data Disclosure. Covered entities shall not disclose to any third party more covered information than is reasonably necessary or as authorized by the Commission to carry out on behalf of the covered entity a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

21. The following limitations on the use and disclosure of customer usage data are consistent with SB 1476 and the Pub. Util. Code:

6. USE AND DISCLOSURE LIMITATION

(a) Generally. Covered information shall be used solely for the purposes specified by the covered entity in accordance with section 3.

(b) Primary Purposes. An electrical corporation, a third party acting under contract with the Commission to provide energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission, or a governmental entity providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission may access, collect, store and use covered information for primary purposes without customer consent. Other covered entities may collect, store and use covered information only with prior customer consent, except as otherwise provided here.

(c) Disclosures to Third Parties.

    (1) Initial Disclosure by an Electrical Corporation. An electrical corporation may disclose covered information without customer consent to a third party acting under contract with the Commission for the purpose of providing energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission or to a governmental entity for the purpose of providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission. An electrical corporation may disclose covered information to a third party without customer consent

    a. when explicitly ordered to do so by the Commission, or

    b. for a primary purpose being carried out under contract with and on behalf of the electrical corporation disclosing the data,

    provided that the covered entity disclosing the data shall, by contract, require the third party to agree to access, collect, store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity itself operates as required under this rule, unless otherwise directed by the Commission.

    (2) Subsequent Disclosures. Any entity that receives covered information derived initially from a covered entity may disclose such covered information to another entity without customer consent for a primary purpose, provided that the entity disclosing the covered information shall, by contract, require the entity receiving the covered information to use the covered information only for such primary purpose and to agree to store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity from which the covered information was initially derived operates as required by this rule, unless otherwise directed by the Commission.

    (3) Terminating Disclosures to Entities Failing to Comply With Their Privacy Assurances. When a covered entity discloses covered information to a third party under this subsection 6(c), it shall specify by contract, unless otherwise directed by the Commission, that it shall be considered a material breach if the third party engages in a pattern or practice of accessing, storing, using or disclosing the covered information in violation of the third party's contractual obligations to handle the covered information under policies no less protective than those under which the covered entity from which the covered information was initially derived operates in compliance with this rule.

    · If a covered entity disclosing covered information for a primary purpose being carried out under contract with and on behalf of the entity disclosing the data finds that a third party contractor to which it disclosed covered information is engaged in a pattern or practice of accessing, storing, using or disclosing covered information in violation of the third party's contractual obligations related to handling covered information, the disclosing entity shall promptly cease disclosing covered information to such third party.

    · If a covered entity disclosing covered information to a Commission-authorized or customer-authorized third party receives a customer complaint about the third party's misuse of data or other violation of the privacy rules, the disclosing entity shall, upon customer request or at the Commission's direction, promptly cease disclosing that customer's information to such third party. The disclosing entity shall notify the Commission of any such complaints or suspected violations.

(4) Nothing in this section shall be construed to impose any liability on an electrical corporation relating to disclosures of information by a third party when i) the Commission orders the provision of covered data to a third party; or ii) a customer authorizes or discloses covered data to a third party entity that is unaffiliated with and has no other business relationship with the electrical corporation. After a secure transfer, the electrical corporation shall not be responsible for the security of the covered data or its use or misuse by such third party. This limitation on liability does not apply when a utility has acted recklessly.

(d) Secondary Purposes. No covered entity shall use or disclose covered information for any secondary purpose without obtaining the customer's prior, express, written authorization for each type of secondary purpose. This authorization is not required when information is:

    (1) provided pursuant to a legal process as described in 4(c) above;

    (2) provided in situations of imminent threat to life or property as described in 4(d) above; or

    (3) authorized by the Commission pursuant to its jurisdiction and control.

(e) Customer Authorization.

    (1) Authorization. Separate authorization by each customer must be obtained for all disclosures of covered information except as otherwise provided for herein.

    (2) Revocation. Customers have the right to revoke, at any time, any previously granted authorization. Non-residential customers shall have the same right to revoke, unless specified otherwise in a contract of finite duration.

    (3) Opportunity to Revoke. The consent of a residential customer shall continue without expiration, but an entity receiving information pursuant to a residential customer's authorization shall contact the customer, at least annually, to inform the customer of the authorization granted and to provide an opportunity for revocation. The consent of a non-residential customer shall continue in the same way, unless specified otherwise in a contract of finite duration, but an entity receiving information pursuant to a non-residential customer's authorization shall contact the customer, to inform the customer of the authorization granted and to provide an opportunity for revocation either upon the termination of the contract, or annually if there is no contract.

(f) Parity. Covered entities shall permit customers to cancel authorization for any secondary purpose of their covered information by the same mechanism initially used to grant authorization.

(g) Availability of Aggregated Usage Data. Covered entities shall permit the use of aggregated usage data that is removed of all personally-identifiable information to be used for analysis, reporting or program management provided that the release of that data does not disclose or reveal specific customer information because of the size of the group, rate classification, or nature of the information.

22. Under current federal and state laws, covered entities must notify customers of security breaches.

23. The following rules to promote the quality and integrity of usage data and to ensure the security of data are consistent with SB 1476 and the Pub. Util. Code:

7. DATA QUALITY AND INTEGRITY

Covered entities shall ensure that covered information they collect, store, use, and disclose is reasonably accurate and complete or otherwise compliant with applicable rules and tariffs regarding the quality of energy usage data.

8. DATA SECURITY

(a) Generally. Covered entities shall implement reasonable administrative, technical, and physical safeguards to protect covered information from unauthorized access, destruction, use, modification, or disclosure.

(b) Notification of Breach. A covered third party shall notify the covered electrical corporation that is the source of the covered data within one week of the detection of a breach. Upon a breach affecting 1,000 or more customers, whether by a covered electrical corporation or by a covered third party, the covered electrical corporation shall notify the Commission's Executive Director of security breaches of covered information within two weeks of the detection of a breach or within one week of notification by a covered third party of such a breach. Upon request by the Commission, electrical corporations shall notify the Commission's Executive Director of security breaches of covered information. In addition, electrical corporations shall file an annual report with the Commission's Executive Director, commencing with the calendar year 2012, that is due within 120 days of the end of the calendar year and notifies the Commission of all security breaches within the calendar year affecting covered information, whether by the covered electrical corporation or by a third party.

As a tariff condition, the Commission can require compliance with privacy rules by third parties who obtain usage information from utilities via the internet (also known as "the backhaul").

24. The following rules are consistent with SB 1476 and the Pub. Util. Code:

9. ACCOUNTABILITY AND AUDITING

(a) Generally. Covered entities shall be accountable for complying with the requirements herein, and must make available to the Commission upon request or audit:

(1) the privacy notices that they provide to customers,

(2) their internal privacy and data security policies,

(3) the categories of agents, contractors and other third parties to which they disclose covered information for a primary purpose, the identities of agents, contractors and other third parties to which they disclose covered information for a secondary purpose, the purposes for which all such information is disclosed, indicating for each category of disclosure whether it is for a primary purpose or a secondary purpose. (A covered entity shall retain and make available to the Commission upon request information concerning who has received covered information from the covered entity.), and

(4) copies of any secondary-use authorization forms by which the covered party secures customer authorization for secondary uses of covered data.

(b) Customer Complaints. Covered entities shall provide customers with a process for reasonable access to covered information, for correction of inaccurate covered information, and for addressing customer complaints regarding covered information under these rules.

(c) Training. Covered entities shall provide reasonable training to all employees and contractors who use, store or process covered information.

(d) Audits. Each electrical corporation shall conduct an independent audit of its data privacy and security practices in conjunction with general rate case proceedings following 2012 and at other times as required by order of the Commission. The audit shall monitor compliance with data privacy and security commitments, and the electrical corporation shall report the findings to the Commission as part of the utility's general rate case filing.

(e) Reporting Requirements. On an annual basis, each electrical corporation shall disclose to the Commission as part of an annual report required by Rule 8.b, the following information:

(1) the number of authorized third parties accessing covered information,

(2) the number of non-compliances with this rule or with contractual provisions required by this rule experienced by the utility, and the number of customers affected by each non-compliance and a detailed description of each non-compliance.

25. The privacy rules adopted in this decision meet the requirements of SB 1476 and existing statutory and regulatory frameworks that protect the privacy of consumers.

ORDER

IT IS ORDERED that:

1. The Rules Regarding Privacy and Security Protections for Energy Usage Data in Attachment D of this decision are adopted for Pacific Gas and Electric Company, Southern California Electric Company, and San Diego Gas & Electric Company.

2. Within 90 days of the mailing of this decision, Pacific Gas and Electric Company, Southern California Edison Company, and San Diego Gas & Electric Company must each file a Tier 2 advice letter including whatever tariff changes are necessary to conform its corporate policies concerning customer usage data to the Rules Regarding Privacy and Security Protections for Energy Usage Data in Attachment D of this decision.

3. Pacific Gas and Electric Company, Southern California Edison Company, and San Diego Gas & Electric Company must each submit annual privacy reports to the Executive Director, commencing with calendar year 2012, no later than 120 days after the end of the calendar year. These annual reports must contain the information required to be reported annually by Rule 8(b) and Rule 9(c) of the Rules Regarding Privacy and Security Protections for Energy Usage Data in Attachment D of this decision.

4. Pacific Gas and Electric Company, Southern California Edison Company, and San Diego Gas & Electric Company must each conduct independent audits of its data privacy and security practices, as required by Rule 9(d) of the Rules Regarding Privacy and Security Protections for Energy Usage Data in Attachment D of this decision, and must report the audit findings as part of each general rate case application filed after 2012.

5. Within six months of the mailing of this decision, San Diego Gas & Electric Company must file a Tier 2 advice letter including tariff changes to make price, usage and cost information available to its customers online. The information must be updated at least on a daily basis, with each day's usage data, along with applicable price and cost details and with hourly or 15-minute granularity (matching the time granularity programmed into the customer's smart meter), available by the next day. The tariff changes must offer residential customers bill-to-date, bill forecast data, projected month-end tiered rate, and notifications as the customers cross rate tiers as part of the pricing data provided to customers. The prices must state an "all in" price the customers pay for electricity.

6. Pacific Gas and Electric Company and Southern California Edison Company shall continue to provide customers with price and usage data. Within six months of the mailing of this decision, Pacific Gas and Electric Company and Southern California Edison Company must each file a Tier 2 advice letter including tariff changes to make price, usage and cost information available to its customers online and updated at least on a daily basis, with each day's usage data, along with applicable price and cost details and with hourly or 15-minute granularity (matching the time granularity programmed into the customer's smart meter), available by the next day. The tariff changes must offer residential customers bill-to-date, bill forecast data, projected month-end tiered rate, and notifications as the customers cross rate tiers as part of the pricing data provided to customers. The prices must state an "all in" price the customers pay for electricity.

7. Pacific Gas and Electric Company, Southern California Edison Company, and San Diego Gas & Electric Company shall each work with the California Independent System Operator in developing a methodology to make wholesale prices available to customers on each company's website, and shall include the results of the methodological discussions and a proposal for providing wholesale prices in the advice letters required by Ordering Paragraphs 5 and 6 above.

8. Within six months of the mailing of this decision, Pacific Gas and Electric Company, Southern California Edison Company, and San Diego Gas and Electric must each file an application that includes tariff changes which will provide third parties access to a customer's usage data via the utility's backhaul when authorized by the customer. The three utilities should propose a common data format to the extent possible and be consistent with ongoing national standards efforts. The program and procedures must be consistent with the policies adopted in Ordering Paragraphs 6 and 7 and the Rules Regarding Privacy and Security Protections for Energy Usage Data in Attachment D of this decision. The applications should propose eligibility criteria and a process for determining eligibility whereby the Commission can exercise oversight over third parties receiving this data. The three utilities are encouraged to participate in a technical workshop to be held by the Commission in advance of the filing date. The applications may seek recovery of incremental costs associated with this program.

9. San Diego Gas & Electric Company must continue to provide third parties access to a customer's usage data when authorized by the customer pursuant to its current tariffs pending Commission action on its backhaul application.

10. Within six months of the mailing of this decision, Pacific Gas and Electric Company, Southern California Edison Company, and San Diego Gas & Electric Company must, separately or jointly, commence a pilot study to provide price information to customers in real time or near-real time. The pilot study shall be of a size that yields meaningful results. Each utility shall file status reports semi-annually with the Energy Division Director for a period of two years, unless directed by the Energy Division Director to continue such reports for a specified additional period of time.

11. Pacific Gas and Electric Company, Southern California Edison Company, and San Diego Gas & Electric Company must each file a Tier 3 advice letter within four months to develop Smart Meter Home Area Network (HAN) implementation plans specific to each. Each implementation plan should include an estimated rollout implementation strategy, including a timetable, for making HAN functionality and benefits generally accessible to customers in a manner similar across all three companies. The implementation plans shall include an initial phase with a rollout of up to 5,000 HAN devices, which would allow for HAN activation for early adopters upon request, even if full functionality and rollout to all customers awaits resolution of technology and standard issues. The implementation strategy for HAN activation should discuss key issues, such as costs, expanded data access and data granularity, current and evolving national standards & security risk mitigation and best practices, responsibilities for secure HAN connection, outcomes from working on HAN device interoperability, security testing and certification methodologies developed in collaboration with interested third parties (e.g. Lawrence Berkeley National Laboratories or California State University-Sacramento), customer needs and preferences, a strategy for learning from the initial rollout, and provisions for accommodating customers' efforts to utilize HAN functionality independent of the utility. The full rollout shall require smart meters to transmit energy usage data to the home so that it can be received by an HAN device of the consumer's choice.

12. The scope of this rulemaking is amended to consider in Phase 2 how the Rules Regarding Privacy and Security Protections for Energy Usage Data in Attachment D of this decision and other requirements of this decision should apply to gas corporations, community choice aggregators, and electric service providers. We will issue an amended scoping memo, which will set a new deadline for the resolution of this proceeding consistent with § 1701.5.

13. When and if Bear Valley Electric Service (a division of Golden State Water Company, U913E), Mountain Utilities (U906E), PacifiCorp (dba Pacific Power Company, U901E), and California Pacific Electric Company, LLC (CalPeco) (U903E) file an application to deploy Smart Meters, then that application shall address how these privacy protections should apply to their operations.

14. The Executive Director shall cause this Order to be served on all entities identified in Attachment E and the service list for Rulemaking (R.) 10-05-005, R.03-10-003 and R.07-05-025.

15. A party that expects to request intervenor compensation for its participation in Phase 2 of this rulemaking shall file its notice of intent to claim intervenor compensation no later than 30 days after the prehearing conference in this phase of the proceeding or pursuant to a date set forth in a later ruling which may be issued by the assigned Commissioner or Administrative Law Judge.

This order is effective today.

Dated , at San Francisco, California.


1 SDG&E currently has a tariff for providing third party access to usage data. The SDG&E application will therefore differ from that filed by PG&E and SCE. The SDG&E application shall propose any changes needed to comply with the privacy protections adopted in this decision, to provide a common data format, and to facilitate Commission oversight of third parties obtaining data.

2 Chapter 497, Statutes of 2010.

3 SB 1476 was signed by the Governor and chaptered on September 29, 2010.

4 The focus on the specific usage data generated by the Smart Meters and its concrete uses is the analytic approach adopted in this decision. At every point, the decision seeks to avoid discussion of abstractions and instead focuses on actions needed to protect usage and personal data.

5 SB 1476 is appended to this decision as Attachment A.

6 Verizon consists of a group of licensed utilities in California consisting of California RSA No. 4 Limited Partnership, Cellco Partnership, Fresno MSA Limited Partnership, GTE Mobilnet of California Limited Partnership, GTE Mobilnet of Santa Barbara Limited Partnership, Los Angeles SMSA Limited Partnership, MCI Communications Services Inc., Modoc RSA Limited Partnership, Sacramento Valley Limited Partnership, Verizon California Inc., Verizon Wireless (VAW) LLC and WWC License L.L.C.

7 All references to Opening Comments in this document will refer to the responses filed on October 15, 2010, unless otherwise noted.

8 PG&E's review of applicable statutes and Commission decisions is included as Attachment B to this decision for reference purposes.

9 Throughout this document, unless otherwise noted, Reply Comments will refer to the reply comments filed on November 8, 2010.

10 Chapter 327, Statutes of 2009.

11 16 U.S.C. § 2621(d).

12 SB 1476, Chapter 497 of Statutes of 2010 at 1-2.

13 Joint Comments of the Center for Democracy & Technology and the Electronic Frontier Foundation on Proposed Policies and Finding Pertaining to the Smart Grid, March 9, 2010 at 15.

14 Id.

15 Proposed Smart Grid Privacy Policies and Procedures: Opening Response of the Center for Democracy & Technology and the Electronic Frontier Foundation to Assigned Commissioner's Ruling of September 27, 2010, at Appendix A at 1-4.

16 Opening Responses of Pacific Gas and Electric Company to Assigned Commissioner's Ruling on Customer Privacy and Security Issues, October 15, 2010, Appendix A: List of Current Statutes, Regulations, Decisions and Protocols Related to Customer Privacy Applicable to California Energy Utilities. We have included this as Attachment B to this decision.

17 This information was contained in a PowerPoint presentation made by PG&E at the workshop. The presentation was titled "Consumer Privacy Policy" and was made available to all parties through posting on the Commission's website. As of February 3, 2011, the presentation was available at http://www.cpuc.ca.gov/NR/rdonlyres/9B3563D4-5C59-4FD7-8DC4-24422AB6EFE2/0/PrivacyWorkshop_Oct2520103.pdf.

18 CDT Reply Comments at 1.

19 DRA Reply Comments at 1.

20 Id.

21 UCAN Opening Comments at 5.

22 TURN Opening Comments at 5.

23 Future of Privacy Forum Reply Comments at 2.

24 PG&E Reply Comments at 1.

25 SCE Reply Comments at 2.

26 SDG&E Reply Comments at 5.

27 Id. The terms "investor owned utility" (IOU) and "utility" are used interchangeably in this decision.

28 SoCalGas Reply Comments at 3.

29 Id. at 5.

30 EnerNOC Reply Comments at 8.

31 CEERT Reply Comments at 2.

32 Id. at 6.

33 AT&T Reply Comments at 2.

34 Verizon Reply Comments at 9.

35 D.10-06-047 at 41.

36 Id.

37 SoCalGas Reply Comments at 3.

38 ALJ Ruling, October 29, 2010, at 2.

39 Customer Representatives Opening Brief at 3.

40 Id. at 5.

41 Id. at 3.

42 Id. at 5.

43 PG&E Corp. v. Public Utilities Com. (2004) 118 Cal. App. 4th at 1174.

44 Customer Representatives Opening Brief at 5.

45 Id. at 8.

46 Id.

47 Id. at 11, quoting from Excerpts from Bill Analysis of Senate Judiciary Committee, SB 1476 (Padilla), 2009-2010 Regular Session, available at http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_1451-1500/sb_1476_cfa_20100412_120118_sen_comm.html .

48 Id. at 12.

49 Id. at 15.

50 CFC Opening Brief at 7.

51 SCE Opening Brief at 2.

52 Id.

53 Id.

54 Id.

55 Id.

56 Id.

57 Hillsboro Properties v. Public Utilities Com. (2003) 108 Cal. App. 4th at 246.

58 PG&E Corp. v. Public Utilities Com. (2004) 118 Cal. App. 4th at 1174.

59 PG&E Opening Brief at 3.

60 Id. at 4, footnote omitted.

61 Id. at 6.

62 Id. at 8.

63 Id. at 8.

64 The Energy Detective (TED) device is a home energy monitor that enables the owner to see energy usage in real time. The TED device is currently commercially available.

65 Sempra Opening Brief at 9.

66 Telephone Companies Opening Brief at 6.

67 Id. at 6.

68 Id. at 8.

69 Technology Companies Opening Brief at 6.

70 Id. at 10.

71 Customer Representatives Reply Brief at 5.

72 The findings of Commission jurisdictional authority over third-party demand response providers (DRPs) as discussed in D.10-12-060 are not superseded by any jurisdictional designations herein.

73 Section 8380(b).

74 Section 8380(d).

75 Section 8380(e)(2), emphasis added.

76 Section 8380(c).

77 A non-utility HAN-enabled device must be authorized by the utility in order to enable the direct transfer of data from the Smart Meter. The process of authorization requires that the device be "registered" by the particular smart meter. A utility will provide this registration service to the consumer who either buys a device or subscribes to a service that uses the device.

78 There is a national effort to adopt standards for data exchange with the utility (a process called OpenADE - Open Automatic Data Exchange) and with the Smart Meter (a process called Smart Energy Profile) that will provide standardized and secure information. The Commission will consider via a regulatory proceeding whether to require California utilities to conform with these national standards when adopted.

79 It is important to note that the privacy requirements adopted here do not apply to the Commission and its agents, including but not limited to contractors and consultants. SB 1476 creates obligations applicable to "electrical or gas corporation[s]." The Commission and its agents are subject to separate statutory provisions pertaining to the protection of data. These requirements are not the subject of this decision.

80 Although SDG&E currently provides this data via tariff, this decision also requires an application from SDG&E to ensure that its program to provide this information eventually shares a common structure with that of SCE and PG&E.

81 We clarify that our action does not absolve a utility of liability in situations where the utility is reckless in sharing the data with the third party.

82 CDT Reply Comments at 3.

83 CDT Reply Comments at 11.

84 Id.

85 Id.

86 Id. at 4-5.

87 Id. at 4.

88 SCE Reply Comments at 3.

89 TechNet and the State Privacy and Security Coalition Reply Comments at 6-7.

90 TURN Reply Comments at 6.

91 Id.

92 SoCalGas Reply Comments at 4-5.

93 DRA Opening Comments on PD at 11.

94 Id.

95 CEERT Opening Comments on PD at 10-11.

96 PG&E Opening Comments on PD at 4.

97 SDG&E Opening Comments on PD at 6.

98 R.08-12-009 at 13, emphasis added.

99 These utilities do not propose to install Smart Meters at this time.

100 CASMU Comments on PD at 2.

101 CDT/EFF Opening Comments on PD at 4-8.

102 SDG&E Opening Comments on PD at 12-13.

103 SDG&E Comments on PD at 6.

104 At this time "any electrical corporation" includes only PG&E, SCE, and SDG&E. Phase 2 of this proceeding will determine whether these rules should apply to gas corporations and other electrical corporations.

105 The Commission and its agents, including but not limited to contractors and consultants, are not "covered entities" subject to these rules because the Commission and its agents are subject to separate statutory provisions pertaining to data. In addition, these rules do not apply at this time to gas corporations, other electrical corporations, community choice aggregators, or electric service providers. Phase 2 of this proceeding will make that determination.

106 This conclusion is based on a review of PG&E's Reply Comments at Appendix A at 6. PG&E recommends no revisions to the wording proposed by CDT.

107 SCE Comments at 4.

108 CDT/EFF Comments on PD at 8.

109 CDT/EFF Comments on PD at 9.

110 TechNet Comments on PD at 14.

111 PG&E Comments on PD at 2-3.

112 Verizon Reply Comments at 4.

113 Id. at 4.

114 Id. at 5.

115 CDT Reply Comments at 5-6.

116 PG&E Reply Comments at 6.

117 Id.

118 SCE Reply Comments at 5.

119 TechNet and the State Privacy and Security Coalition Reply Comments at 6-7.

120 Verizon Reply Comments at 4.

121 CDT/EFF Comments on PD at 10-11.

122 Verizon Comments on PD at 11.

123 SCE Reply Comments at 6.

124 Id.

125 Id. at 7.

126 Id.

127 CDT/EFF Comments on PD at 12, footnote omitted.

128 Section 2891(d)(5).

129 CDT Reply Comments at 7, footnotes omitted.

130 PG&E Reply Comments at 8.

131 UCAN Reply Comments at 5.

132 SDG&E Reply Comments at 5.

133 AT&T Reply Comments at 1.

134 TechNet and the State Privacy and Security Coalition Reply Comments at 7.

135 Id. at 8.

136 CDT/EFF Comments on PD at 13-14.

137 Ontario Comments on PD at 5.

138 TechNet and the State Privacy Coalition Reply Comments at 8-9.

139 CDT Reply Comments at 15-16.

140 Id.

141 Id.

142 Id. at 16.

143 Id. at 18.

144 PG&E Reply Comments at 10.

145 DRA Comments on PD at 2.

146 SDG&E Comments on PD at 15.

147 TechNet and the State Privacy and Security Coalition Reply Comments at 9.

148 Verizon Reply Comments at 5.

149 AT&T Reply Comments at 1.

150 Id. at 2.

151 Id. at 2.

152 EnerNOC Reply Comments at 5.

153 Id.

154 SCE Comments on PD at 16.

155 TURN Reply Comments.

156 DRA Reply Comments at 9.

157 Id. at 10.

158 Pub. Util. Code § 8380(e)(1).

159 PG&E Reply Comments at 10.

160 Id. at 10.

161 CFC Reply Comments at 12.

162 CDT Reply Comments at 8.

163 SCE Reply Comments at 10.

164 TURN Reply Comments at 9.

165 PG&E Comments on PD at 7.

166 SDG&E Reply Comments at 2, footnote omitted.

167 SDG&E Reply Comments at 5.

168 Id.

169 TURN Reply Comments at 5.

170 PG&E Opening Comments at 6.

171 SCE Reply Comments at 2.

172 Verizon Reply at 2.

173 D.09-12-046 at 3.

174 Id.

175 PG&E Reply Comments at 2.

176 Id. at 3.

177 Id.

178 SCE Opening Comments at A-5.

179 Id.

180 SCE Reply Comments at 13.

181 Id.

182 Id. at 14.

183 Id. at 15.

184 Id.

185 Id.

186 SCE Opening Comments at A-5 to A-6.

187 SDG&E Opening Comments at 11.

188 Id.

189 ISO Reply Comments at 2.

190 Id.

191 DRA Reply Comments at 3.

192 Id.

193 Id.

194 Id. at 4.

195 DRA Comments on PD at 15.

196 DRA Comments on PD at 16-20.

197 CAISO Comments on PD at 3-4.

198 TURN Reply Comments at 3.

199 Id. at 4.

200 Id.

201 Id.

202 Id.

203 Id. at 5.

204 UCAN Comments at 2.

205 D.09-12-046 at 11 citing 16 U.S.C. § 2621(d)(19).

206 The Commission is aware of many activities going on at the national level to create standardized formats around what data to provide and the means to provide customers with information through such initiatives as the OpenADE initiative. Such initiatives provide for interoperability, which is a central tenet of this Commission, the State and national and Federal Smart Grid policy-making efforts.

207 PG&E Opening Comments at 2.

208 SCE Opening Comments at A-2 to A-3.

209 SDG&E Opening Comments at 4-5.

210 PG&E Reply Comments at 4.

211 PG&E Comments on PD at 2.

212 Id. at 8.

213 SCE Reply Comments at 11-12.

214 Id. at 12.

215 Id.

216 SCE Comments on PD at 22-23.

217 Id. at 23.

218 SDG&E Opening Comments at 12.

219 TURN Reply Comments at 11-12.

220 TURN Comments on PD at 11-12.

221 Id. at 12.

222 UCAN Reply Comments at 3.

223 SoCalGas Reply Comments at 3.

224 SDG&E Reply Comments at 6.

225 DRA Comments on PD at 5.

226 Id. at 13-14.

227 Zigbee is a specification for a suite of high level communication protocols using small, low-power digital radios for low-data-rate wireless personal area networks.

228 Smart Energy Profile (SEP) is a particular protocol in the Zigbee series. SEP 1.0 is currently available and SEP 2.0 is under development.

229 EnerNOC Opening Comments at 10-11.

230 SEP 2.0 is anticipated to provide better security features, among other features, than are available in SEP 1.0.

231 Control4 Reply Comments at 2.

232 Tendril Opening Comments at 9, footnote omitted.

233 DRSG Comments on PD at 2.

234 Id. at 5.

235 Id. at 8.

236 DRSG Comments at 7.

237 DRA Comments on PD at 21.

238 UCAN Comments on PD at 7.

239 TURN Comments on PD at 12.

240 Id. at 13.

241 SDG&E, Advice Letter 2100-E (July 31, 2009) at 2.

242 DRA Comments on PD at 21 notes that D.07-07-042 FOF 4 authorized recovery of funds for SCE and D.09-03-026 authorized recovery of HAN-related funding for PG&E. For SDG&E, D.07-04-043 at 13 also authorized recovery of HAN-related funding.

243 CFC Opening Comments on PD at 3-6.

244 DRA Opening Comments on PD at 8.

245 UCAN Opening Comments on PD at 3.

246 EDF Opening Comments on PD at 4.

247 EDF Opening Comments on PD at 5.

248 CCTA Opening Comments on PD at 2.

249 CEA Opening Comments on PD at 2.

250 TURN Opening Comments on PD at 4.

251 SCE Opening Comments on PD at 11.

252 DRSG Opening Comments on PD at 12.

253 CEERT Opening Comments on PD at 1.

254 DRA Opening Comments on PD at 5.

255 TechNet Opening Comments on PD at 6.

256 SDG&E Opening Comments on PD at 6.

257 UCAN Opening Comments on PD at 3.

258 EDF Opening Comments on PD at 9.

259 DRSG Opening Comments on PD at 6.

260 CEERT Opening Comments on PD at 9.

261 Verizon Opening Comments on PD at 2-3.

262 AT&T Comments on PD at 1.

263 FPF Comments on PD at 2.

264 CTIA Reply Comments on PD at 1-2.

265 CCTA Reply Comments at 3.

266 UCAN Comments on PD at 1.

267 SDG&E Comments on PD at 3.

268 TURN Comments on PD at 2.

269 SCE Comments on PD at 1.

270 CDT/EFF Comments on PD at 1.

271 DRA Comments on PD at 1.

272 CAISO Comments on PD at 1.

273 Walmart Comments on PD at 1.

274 PG&E Comments on PD at 1.

275 OPOWER Comments on PD at 3.

276 CEERT Comments on PD at 10.

277 CCTA Reply Comments on PD at 5.

278 CEERT Comments on PD at 10.

279 PG&E Reply Comments on PD at 3.

280 AT&T Comments on PD at 8.

281 Verizon Comments on PD at 9-10.

282 Verizon Comments on PD at 12.

283 Verizon Comments on PD at 13.

284 AT&T Comments on PD at 11-12.

285 CDT/EFF Reply Comments on PD at 4, citing from Foothill Federal Credit Union v. Superior Court (2007).

286 Verizon Comments on PD at 16.

287 Verizon Comments on PD at 18-19.

288 PG&E Comments on PD at 6.

289 TURN Comments on PD at 7.

290 LGSEC Comments on PD at 4.

291 Id. at 2.

292 Id.

293 At this time "any electrical corporation" includes only PG&E, SCE, and SDG&E. Phase 2 of this proceeding will determine how rules should apply to gas corporations and to PacifiCorp, Sierra Pacific Power, Bear Valley Electric Service and Mountain Utilities.

294 The Commission and its agents, including but not limited to contractors and consultants, are not "covered entities" subject to these rules because the Commission and its agents are subject to separate statutory provisions pertaining to data. In addition, these rules do not apply at this time to gas corporations, other electrical corporations, community choice aggregators, or electric service providers. Phase 2 of this proceeding will make that determination.
