8380.
(a) For purposes of this section, “electrical or gas consumption data” means data about a customer’s electrical or natural gas usage that is made available as part of an advanced metering infrastructure, and includes the name, account number, or residence of the customer.(b) (1) An electrical corporation or gas corporation shall not share, disclose, or otherwise make accessible to any third party a customer’s electrical or gas consumption data, except as provided in subdivision (e) or upon the consent of the customer.
(2) An electrical corporation or gas corporation shall not sell a customer’s electrical or gas consumption data or any other personally identifiable information
for any purpose.
(3) The electrical corporation or gas corporation or its contractors shall not provide an incentive or discount to the customer for accessing the customer’s electrical or gas consumption data without the prior consent of the customer.
(4) An electrical or gas corporation that utilizes an advanced metering infrastructure that allows a customer to access the customer’s electrical and gas consumption data shall ensure that the customer has an option to access that data without being required to agree to the sharing of his or her personally identifiable information, including electrical or gas consumption data, with a third party.
(c) If an electrical corporation or gas corporation contracts with a third party for a service that allows a customer to monitor his or her electricity or gas usage, and that
third party uses the data for a secondary commercial purpose, the contract between the electrical corporation or gas corporation and the third party shall provide that the third party prominently discloses that secondary commercial purpose to the customer and secures the customer’s consent to the use of his or her data for that secondary commercial purpose prior to the use of the data.
(d) An electrical corporation or gas corporation shall use reasonable security procedures and practices to protect a customer’s unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure.
(e) (1) This section shall not preclude an electrical corporation or gas corporation from using customer aggregate electrical or gas consumption data for analysis, reporting, or program management if all
information has been removed regarding the individual identity of a customer.
(2) This section shall not preclude an electrical corporation or gas corporation from disclosing a customer’s electrical or gas consumption data to a third party for system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs, provided that, for contracts entered into after January 1, 2011, the utility has required by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, and prohibits the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer’s prior consent to that use.
(3) This section shall not preclude an electrical corporation or gas corporation from disclosing electrical or gas consumption data as required or permitted under state or federal law or by an order of the commission. An electrical corporation shall provide electrical consumption data to community choice aggregators pursuant to paragraph (9) of subdivision (c) of Section 366.2, subject to any reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, use, modification, or disclosure ordered by the commission or agreed upon between the electrical corporation and the community choice aggregator.
(f) If a customer chooses to disclose his or her electrical or gas consumption data to a third party that is unaffiliated with, and has no other business relationship with,
the electrical or gas corporation, the electrical or gas corporation shall not be responsible for the security of that data, or its use or misuse.