It seems clear that the Consumer Bill of Rights would apply to the highly granular energy consumption data collected and transmitted by new smart meters. As stated in the report, the “Consumer Bill of rights applies to commercial uses of personal data. This term refers to any data, including aggregations of data, which is linkable to a specific individual.” The proposal thus has important implications for the continued development of smart grid privacy rules. Perhaps most importantly, it holds out the promise of a privately‐generated, uniform national set of enforceable privacy policies that would provide certainty to the industry while creating trust among consumers that their personal private information will be protected.
There are several key aspects of the report: A Consumer Bill of Rights that updates fair information practice principles (FIPPs) to reflect the new era of digital communications and services; a multi‐stakeholder process to establish industry‐specific codes of conduct implementing the principles embodied in the Bill of Rights; and enforcement efforts, including proposed legislation creating a safe harbor for companies complying with codes of conduct. The report also proposes enacting consumer data privacy legislation. These aspects of the report, and how they may affect ongoing efforts to adopt smart grid privacy policies, are discussed below.
Consumer Privacy Bill of Rights
The Bill of Rights updates FIPPs principles to reflect the far more decentralized and pervasive collection of personal data that exists today, compared to when FIPPs were initially developed. It updates FIPPs in two specific ways. It affirms a set of rights that consumers should expect, and it emphasizes the importance of tailoring specific codes of conduct to the types and amount of data collected by specific industries. Nevertheless, the Privacy Bill of Rights will have a familiar ring to many who have studied or applied FIPPs. They are based on seven core principles:
- Individual Control. Consumers have the right to control what information companies collect and how it is used. Companies should enable informed consumer choices by providing “easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use or disclose.” Companies should make it just as easy to withdraw consent as it was to grant consent in the first instance.
- Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices. Companies should provide “clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de‐identify it from consumers, and whether and for what purposes they may share personal data with third parties.” The further the data use deviates from the central purposes for which it was collected – for example, using energy consumption data for marketing purposes – the more prominent the disclosure should be. Of specific note for third‐party access to data collected by utilities, the report states: “[C]ompanies that have first‐party relationships with consumers should disclose specifically the purpose(s) for which they provide personal data to third parties, help consumers to understand the nature of those third parties’ activities, and whether those third parties are bound to limit their use of the data to achieving those purposes.”
- Respect for Context. Consumers have the right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data. The proposal appears to recognize that consumer consent may not be required for the collection of personal data necessary to provide the service the customer expects to receive. For example, a company may infer consent for collecting data to analyze “how consumers use a service in order to improve it.” Some states, such as California, have followed such an approach for smart grid privacy, permitting collection of sensitive data without consent if used solely for standard utility purposes, including improving energy conservation.
- Security. Consumers have a right to secure and responsible handling of personal data.
- Access and Accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should provide consumers with reasonable access to data. The report cites as an example the Administration’s support for “providing consumers with timely access to energy usage data in standardized, machine‐readable formats over the Internet.”
- Focused Collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to assure compliance. Companies should be accountable to enforcement authorities and take responsibility for training, evaluation, and, where necessary, independent privacy audits. Of note for utility provision of personal energy information to third parties, the report states that “if a company transfers personal data to a third party, it remains accountable and thus should hold the recipient accountable – through contracts or other legally enforceable instruments – for using and disclosing data in ways that are consistent with the Consumer Privacy Bill of Rights.”
Collaborative Process to Establish Enforceable Codes of Conduct Implementing the Privacy Bill of Rights
The Administration proposes to convene a multi‐stakeholder process to develop consensus‐based, industry‐specific, legally enforceable codes of conduct that implement the Consumer Privacy Bill of Rights. The stakeholders themselves would control the process and its results. There would be no Federal regulation at the end of the process, and the codes would not bind any company unless it chooses to adopt them. A company’s commitment to adhere to the code would become enforceable by the Federal Trade Commission, since failing to honor it could be treated as an unfair or deceptive practice. In any subsequent enforcement proceeding, the FTC should consider adherence favorably. The collaborative process would go forward even if the legislative initiatives proposed in the report do not.
The Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) would convene the processes that address consumer data privacy issues. The report recognizes that other Federal agencies may play this convening role for consumer data privacy issues that arise in their areas of expertise. This may allow the DOE or FERC to play this role for smart grid privacy matters.
The process envisioned by the Administration echoes a central theme that emerged from the DOE’s smart grid forum held at Dow Lohnes. The stakeholders in that forum supported a strong Federal role in convening all interested parties to help build consensus towards codes that would act as guidelines, not regulatory mandates.
The report anticipates that the FTC would take the lead role in enforcing the codes of conduct applicable to entities under its jurisdiction. With regard to smart meter privacy, the FTC’s jurisdiction varies depending on the nature of the utility. It is clear that the FTC has jurisdiction over investor‐owned utilities and for‐profit cooperatives. The FTC does not have jurisdiction over federally owned utilities, such as the Tennessee Valley Authority, but they are subject to the Federal Privacy Act. The FTC’s jurisdiction over non‐profit utilities is less clear and may depend on the particular arrangements governing that utility.
The Administration urges Congress to pass legislation adopting the Consumer Bill of Rights. Among the specific proposals are the following:
- Codify the Privacy Bill of Rights, recognizing that the legislation would have to outline companies’ obligations with greater specificity.
- To provide greater certainty, the Administration supports legislation authorizing the FTC and state attorneys general to enforce codes of conduct.
- Provide the FTC with authority to review and “bless” codes of conduct through a public process subject to the Administrative Procedures Act and to grant a “safe harbor” from enforcement for companies that follow an FTC‐approved code of conduct.
- Preempt State laws that are inconsistent with the Consumer Privacy Bill of Rights and provide forbearance from enforcement of State laws for companies that adopt and comply with FTC‐approved codes of conduct. The report stresses the importance of a national standard in order to “create certainty for companies and consistent protections for consumers.”
- An important potential exception to the Federal legislative role envisioned in the report is that “it may be appropriate to allow States to enact laws that apply the Consumer Privacy Bill of Rights to personal data in sectors they closely regulate, such as electricity distribution.” Thus smart grid stakeholders may need to look to the states to enact laws codifying the principles in the Consumer Bill of Rights for their industry.
- Establish a national standard for notifying consumers of security breaches.