Saturday, March 23, 2019

Opinion: NARUC App Would Conflict with Privacy Rules

By Michael Murray

At last week’s National Association of Regulatory Utility Commissioners Summer Policy Summit in San Diego, attendees were encouraged to download an app to facilitate in-person meetings. There’s just one problem: Were it subject to the privacy rules adopted by commissions in several states, the app would be in violation.


Privacy rules prevent electric and gas utilities from selling or disclosing personal information except under certain, carefully monitored circumstances. Customer protections, such as clear notices to users about what data are being collected, are absent from the app. This leads to an embarrassing double standard for some state regulators. While commissioners enjoy the conveniences provided by the “NARUC 2017” app, their own rules would outlaw similar practices in their home states.

For example, take California’s rules. In 2011, the Public Utilities Commission issued a lengthy privacy decision that requires software companies that access customer data held by a regulated utility to provide written privacy policies that are “meaningful, clear, accurate, specific and comprehensive.” But, confusingly, the app links to two privacy policies that are sometimes in conflict with one another. The policies also do not explain what personal information is captured by the user’s mobile device — a clear violation of California’s rules.

Another California requirement is for software companies to distinguish “primary purposes” from “secondary purposes” of the personal data used. A primary purpose could be “to help you save energy and money in your home with tailored recommendations on your smartphone,” while a secondary purpose could be, for example, selling the data to make extra money. Secondary uses are explicitly prohibited without the prior written consent of the customer. Unfortunately, NARUC 2017’s terms say vaguely, “We will collect and use of [sic] personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes.” Thankfully, the app’s developer has an agreement with NARUC not to sell any users’ personal data, according to the company’s CEO. But if a complaint were filed in California against a similar app maker, the commission would likely find the software unlawful.

Other commission-approved rules require companies to make informational disclosures to consumers prior to releasing personal data. By standardizing disclosures, the idea is that companies are prevented from writing their own vague or misleading language that exploits customers. For instance, Pacific Gas and Electric’s form for demand response is four pages long, and deviations from the form are not allowed.

Outside of California, Colorado and Illinois regulators have approved standardized disclosure language. But the NARUC 2017 app does not ask for any specific authorization at all, and, when it does, the authorization language is fluid. Both of its policies say that the app maker “may revise these terms of use at any time without notice.” Changing terms without notifying users is anathema to privacy advocates and consumer groups who fought for rules that ban the practice.

Finally, California’s rules enshrined the principle of “data minimization,” the idea that only the personal data necessary for the task should be collected. Presumably, an app to help people at conferences meet face to face would need information like your name, title, organization, location and which sessions you want to attend. However, the NARUC 2017 app requires users to give it permission to much more, such as the right to read and modify any file stored on your device; to create new Bluetooth connections; and to control the phone’s networking settings — none of which are clearly tied to helping people meet at a conference.

It is ironic that many state commissions publicly take a “tough on privacy” stance that is at odds with their national association’s practices at its summer conference. But the double standard is not altogether surprising. Since the advent of smartphones, consumers have routinely traded their personal data for access to free services. Commission requirements for paper forms appear increasingly out of step with modern technology.

Over time, as sharing personal data such as banking transactions and health data with tech companies becomes easier, it is worth re-examining the utility industry’s practices. Is it reasonable to give away the data on your phone with a single click, while your utility bills require filling out a four-page legal form?

To be clear, the NARUC 2017 app would only violate commission rules if it accessed users’ energy information or customer account information held by utilities. Apps that do not request data from a utility operate without commission oversight.

Nevertheless, as leaders in the public sector, state commissioners and their national association should lead by example. Entrepreneurs in software and energy management have a saying: “Eat your own dog food.” It means that entrepreneurs should use their companies’ products in their personal lives, to live by their creed. We encourage NARUC to do so as well.

Michael Murray is president of Mission:data Coalition, a national coalition of more than 40 innovative technology companies that empower consumers with access to their own energy usage data. We strongly believe that energy management technologies can flourish while simultaneously protecting customer privacy. For more information about privacy and state private rules about energy, see our whitepaper, “Got Data?