1798.98.

 (a) For the purposes of this title, the following definitions shall apply:

(1) “Business” means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution.

(2) “Customer” means a customer of an electrical or gas corporation or a local publicly owned electric utility that permits a business to have access to data in association with purchasing or leasing a product or obtaining a service from the business.

(3) “Data” means a customer’s electrical or natural gas usage that is made available to the business as part of an advanced metering infrastructure provided by an electrical corporation, a gas corporation, or a local publicly owned electric utility, and includes the name, account number, or physical address of the customer.

(4) “Electrical corporation” has the same meaning as in Section 218 of the Public Utilities Code.

(5) “Gas corporation” has the same meaning as in Section 222 of the Public Utilities Code.

(6) “Local publicly owned electric utility” has the same meaning as in Section 224.3 of the Public Utilities Code.

(b) Unless otherwise required or authorized by federal or state law, a business shall not share, disclose, or otherwise make accessible to any third party a customer’s data without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used.

(c) A business that discloses data, with the express consent of the customer, pursuant to a contract with a nonaffiliated third party, shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the data from unauthorized access, destruction, use, modification, or disclosure.

(d) A business shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the data from unauthorized access, destruction, use, modification, or disclosure.

(e) A business shall not provide an incentive or discount to the customer for accessing the data without the prior consent of the customer.

(f) A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer data within its custody or control when the records are no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the data in those records to make it unreadable or undecipherable through any means.

(g) The provisions of this section do not apply to an electrical corporation, a gas corporation, or a local publicly owned electric utility or a business that secures the data as a result of a contract with an electrical or gas corporation or a local publicly owned electric utility under the provisions of subdivision (f) of Section 8380 or subdivision (f) of 8381 of the Public Utilities Code.

8380.

 (a) For purposes of this section, “electrical or gas consumption data” means data about a customer’s electrical or natural gas usage that is made available as part of an advanced metering infrastructure, and includes incremental and monthly meter-specific electricity data, to the extent produced by that infrastructure, and the name, account number, and address of the customer.

(b) (1) An electrical corporation or gas corporation shall not share, disclose, or otherwise make accessible to any third party a customer’s electrical or gas consumption data, except as provided in subdivision (f) or upon the consent of the customer. Customer consent may be verified through an electronic signature authorization process pursuant to the Uniform Electronic Transactions Act (Title 2.5 (commencing with Section 1633.1) of Part 2 of Division 3 of the Civil Code).

(2) An electrical corporation or gas corporation shall not sell a customer’s electrical or gas consumption data or any other personally identifiable information for any purpose.

(3) An electrical corporation or gas corporation or its contractors shall not provide an incentive or discount to the customer for accessing the customer’s electrical or gas consumption data without the prior consent of the customer.

(4) An electrical or gas corporation that utilizes an advanced metering infrastructure that allows a customer to access the customer’s electrical and gas consumption data shall ensure that the customer has an option to access that data without being required to agree to the sharing of the customer’s personally identifiable information, including electrical or gas consumption data, with a third party.

(c) If an electrical corporation or gas corporation contracts with a third party for a service that allows a customer to monitor the customer’s electricity or gas usage, and that third party uses the data for a secondary commercial purpose, the contract between the electrical corporation or gas corporation and the third party shall provide that the third party prominently discloses that secondary commercial purpose to the customer and secures the customer’s consent to the use of the customer’s data for that secondary commercial purpose prior to the use of the data.

(d) An electrical corporation or gas corporation shall use reasonable security procedures and practices to protect a customer’s unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure.

(e) An electrical corporation or gas corporation shall not share, disclose, or otherwise make accessible to any immigration authority, as defined in Section 7284.4 of the Government Code, a customer’s electrical or gas consumption data without a court-ordered subpoena or judicial warrant.

(f) (1) This section does not preclude an electrical corporation or gas corporation from using customer aggregate electrical or gas consumption data for analysis, reporting, or program management if all information has been removed regarding the individual identity of a customer.

(2) This section does not preclude an electrical corporation or gas corporation from disclosing a customer’s electrical or gas consumption data to a third party for system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs, provided that, for contracts entered into after January 1, 2011, the utility has required by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, and prohibits the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer’s prior consent to that use.

(3) Except as provided in subdivision (e), this section does not preclude an electrical corporation or gas corporation from disclosing electrical or gas consumption data as required or permitted under state or federal law or by an order of the commission.

(g) If a customer chooses to disclose the customer’s electrical or gas consumption data to a third party that is unaffiliated with, and has no other business relationship with, the electrical or gas corporation, the electrical or gas corporation is not responsible for the security of that data, or its use or misuse.

8381.

 (a) For purposes of this section, “electrical consumption data” means data about a customer’s electrical usage that is made available as part of an advanced metering infrastructure, and includes the name, account number, or residence of the customer.

(b) (1) A local publicly owned electric utility shall not share, disclose, or otherwise make accessible to any third party a customer’s electrical consumption data, except as provided in subdivision (f) or upon the consent of the customer.

(2) A local publicly owned electric utility shall not sell a customer’s electrical consumption data or any other personally identifiable information for any purpose.

(3) A local publicly owned electric utility or its contractors shall not provide an incentive or discount to the customer for accessing the customer’s electrical consumption data without the prior consent of the customer.

(4) A local publicly owned electric utility that utilizes an advanced metering infrastructure that allows a customer to access the customer’s electrical consumption data shall ensure that the customer has an option to access that data without being required to agree to the sharing of the customer’s personally identifiable information, including electrical consumption data, with a third party.

(c) If a local publicly owned electric utility contracts with a third party for a service that allows a customer to monitor the customer’s electricity usage, and that third party uses the data for a secondary commercial purpose, the contract between the local publicly owned electric utility and the third party shall provide that the third party prominently discloses that secondary commercial purpose to the customer and secures the customer’s consent to the use of the customer’s data for that secondary commercial purpose prior to the use of the data.

(d) A local publicly owned electric utility shall use reasonable security procedures and practices to protect a customer’s unencrypted electrical consumption data from unauthorized access, destruction, use, modification, or disclosure, and to prohibit the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer’s consent.

(e) A local publicly owned electric utility shall not share, disclose, or otherwise make accessible to any immigration authority, as defined in Section 7284.4 of the Government Code, a customer’s electrical consumption data without a court-ordered subpoena or judicial warrant.

(f) (1) This section shall not preclude a local publicly owned electric utility from using customer aggregate electrical consumption data for analysis, reporting, or program management if all information has been removed regarding the individual identity of a customer.

(2) This section shall not preclude a local publicly owned electric utility from disclosing a customer’s electrical consumption data to a third party for system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs, provided, for contracts entered into after January 1, 2011, that the utility has required by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, and prohibits the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer’s prior consent to that use.

(3) Except as provided in subdivision (e), this section shall not preclude a local publicly owned electric utility from disclosing electrical consumption data as required under state or federal law.

(g) If a customer chooses to disclose the customer’s electrical consumption data to a third party that is unaffiliated with, and has no other business relationship with, the local publicly owned electric utility, the utility shall not be responsible for the security of that data, or its use or misuse.