[Updated Friday 2017-07-21 1:15pm pacific with information from the app maker; see below.]
At this week’s National Association of Regulatory Utility Commissioners (NARUC) Summer Policy Summit in San Diego, attendees were encouraged to download a NARUC app to facilitate in-person meetings. There’s just one problem: The smartphone app would violate the privacy rules adopted by commissions in several states.
Privacy rules prevent electric and gas utilities from selling or disclosing personal information except under certain carefully-monitored circumstances. Customer protections, such as privacy policies and clear notices to users about what data are being collected, are absent from NARUC’s smartphone app. This leads to an embarrassing double standard for some state regulators. While Commissioners enjoy the conveniences provided by the “NARUC 2017” networking app, their own rules would outlaw similar practices in their home states.
For example, take California’s rules. In 2011, the Public Utilities Commission issued a lengthy privacy decision that requires software companies that access customer data held by a regulated utility to provide written privacy policies that are “meaningful, clear, accurate, specific and comprehensive.” But, confusingly, NARUC 2017 has two privacy policies (here and here) that are sometimes in conflict with one another. The policies also do not explain what personal information is captured by the user’s mobile device – a clear violation of California’s rules.
Another California requirement is for software companies to distinguish “primary purposes” from “secondary purposes” of the personal data used. A primary purpose could be “to help you save energy and money in your home with tailored recommendations on your smartphone,” while a secondary purpose could be, for example, selling the data to make extra money. Secondary uses are explicitly prohibited without the prior written consent of the customer. Unfortunately, NARUC 2017’s terms say vaguely, “We will collect and use of [sic.] personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes.” The app doesn’t rule out the lucrative possibility of selling users’ information. If a complaint were filed in California against a similar app maker, the Commission would likely find the software unlawful. [Update: The app maker contacted us to clarify that their contract with NARUC prohibits selling personal information. That is very sensible. Nevertheless, that agreement is between the app maker and NARUC, and it does not appear to be customer-facing, which is a requirement in California and Illinois.]
Other Commission-approved rules require companies to make informational disclosures to consumers prior to releasing personal data. By standardizing disclosures, the idea is that companies are prevented from writing their own vague or misleading language that exploits customers. For instance, PG&E’s form for demand response is four pages long, and deviations from the form are not allowed. Outside of California, Colorado and Illinois Commissions have approved standardized disclosure language. But the NARUC 2017 app does not ask for any specific authorization at all, and, when it does, the authorization language is fluid. Both of its policies say that the app maker “may revise these terms of use at any time without notice.” Changing terms without notifying users is anathema to privacy advocates and consumer groups who fought for rules that ban the practice.
Finally, California’s rules enshrined the principle of “data minimization,” the idea that only the personal data necessary for the task should be collected. Presumably, an app to help people at conferences meet face to face would need information like your name, title, organization, location, and which sessions you want to attend. However, NARUC 2017 for Android requires users to give it permission to do much more, such as the right to read and modify any file stored on your device; to create new Bluetooth connections; and to control the phone’s networking settings – none of which are clearly tied to helping people meet at the conference.
It is ironic that many state Commissions publicly take a “tough on privacy” stance that is at odds with their national association’s practices at its summer conference. But the double standard is not altogether surprising. Since the release of smart phones, consumers have routinely traded their personal data for access to free services. Commission requirements for paper forms appear increasingly out of step with modern technology.
Over time, as sharing personal data such as banking transactions and health data with tech companies becomes both easier and more prevalent, it is worth re-examining the utility industry’s practices. Is it reasonable to give away the data on your phone with a single click, while your utility bills require filling out a four-page legal form?
To be clear, the NARUC 2017 app would only violate Commission rules if it accessed users’ energy information or customer account information held by utilities. Apps that do not request data from a utility operate without Commission oversight. Nevertheless, as leaders in the public sector, state Commissioners and their national association should lead by example. Entrepreneurs in software and energy management have a saying: “Eat your own dog food” – it means that entrepreneurs should use their companies’ products in their personal lives, to live by their creed. We encourage NARUC to do so as well.
Mission:data Coalition supports common-sense privacy rules. We strongly believe that energy management technologies can flourish while simultaneously protecting customer privacy. For more information about privacy and state privacy rules about energy, see our whitepaper, “Got Data?”