The Department of Energy and the Federal Smart Grid Task Force released the final version of a Voluntary Code of Conduct (VCC) for smart grid data privacy on Monday, several hours after President Obama heralded the release of the VCC as part of his speech on privacy and cybersecurity at the Federal Trade Commission. The VCC is the result of a multi-year effort by the Department of Energy and the Federal Smart Grid Task Force to collaborate with industry stakeholders to develop a voluntary code of conduct that addresses smart grid privacy concerns. The VCC does not supersede any federal, state, or local laws or regulations. Instead, it serves as a set of “high level principles of conduct for both utilities and third parties.” The VCC does, however, contemplate that entities could adopt the VCC with “limited exceptions” where required by other laws or regulations.
The VCC primarily protects “customer data,” which is defined as the combination of (i) Account Data and (ii) Customer Energy Usage Data (CEUD). Account Data includes the following information when identified with a specific customer:
- Names
- Geographic subdivisions smaller than a state (including street address and ZIP code)
- Dates of service provided to a customer by the utility or third party or information specific to identifying an individual’s utility service
- Telephone or fax numbers
- E-mail addresses
- Utility or third-party account numbers (except for financial account numbers)
- Device identifiers and serial numbers
Certain types of sensitive information, such as Social Security Numbers and consumer report information, are purposefully excluded from the definition of Account Data and cannot be shared, except as required by law. CEUD is information that “reflects an individual customer’s measured energy usage” without identifying the customer. CEUD without any accompanying account data is considered “anonymous data” and is subject to a more relaxed set of restrictions.
In order to balance between utilities’ need to collect and use data and the privacy interests of customers, the VCC includes a customer consent structure based on: (i) Primary Purposes, for which no customer consent is necessary; and (ii) Secondary Purposes, which require customer consent before customer data can be used or disclosed. A Primary Purpose is one that is “reasonably expected by the customer.” A Secondary Purpose is a use of customer data that is “materially different from a Primary Purpose and is not reasonably expected by the customer” in the context of the services the customer is receiving.
Under the VCC, data can be collected, used, and shared among three types of entities: (i) Service Providers, (ii) Third Parties, and (iii) Contracted Agents. Service Providers are utilities and other entities that collect customer data for Primary Purposes. Third Parties request access to customer data from Service Providers for Secondary Purposes. Contracted Agents, meanwhile, provide services to customers on behalf of Service Providers.
The VCC states that participating entities should provide customers with “clear and conspicuous” notices at the start of service, on a recurring basis thereafter, at the customer’s request, and “when there is a substantial change in procedure or ownership that may impact customer data.” According to the VCC, these notices should explain: (i) the types of data that the Service Provider is collecting, (ii) how that data is being used, (iii) how customers can access their data, (iv) when customers’ data will be shared for Primary and Secondary Purposes, and (v) the Service Provider’s data security, retention, and disposal practices.
While the VCC permits Service Providers and Contracted Agents to use customer data for Primary Purposes, it recommends that they obtain customer consent before using customer data for Secondary Purposes. The VCC suggests that participating entities adopt a customer consent process that informs customers about the types of data that will be shared, the purpose and duration of the sharing, and how customers can authorize different types of disclosures to different Third Parties and rescind authorizations previously granted. The VCC includes exceptions to these consent requirements in certain circumstances, such as required disclosures to law enforcement officials and regulatory authorities, disclosures that “preserve the safety and reliability of the electric grid and critical infrastructure,” or disclosures of aggregated or anonymized data. The VCC states that Service Providers should only maintain customer data for as long as needed to fulfill the purpose for which it was collected, and should “securely and irreversibly dispose of or de-identify” customer data that is no longer needed.
The VCC recommends that participating entities adopt a process by which customers can access their data, identify possible inaccuracies, and request correction of those inaccuracies. According to the VCC, customer data collected by Service Providers should be protected by a cybersecurity risk management program that is designed to identify and address data breaches and provide timely notice to any customers whose data may have been compromised. The VCC also sets forth specific data characteristics that should be considered when producing aggregated or anonymized data. To enforce the VCC, Service Providers who adopt the code must regularly review their customer data practices, conduct regular training for relevant employees, and take action to meet applicable legal and regulatory data protection mandates.