(a) For the purposes of this title, the following definitions shall apply:
(1) “Business” means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution.
(2) “Customer” means a customer of an electrical or gas corporation or a local publicly owned electric utility that permits a business to have access to data in association with purchasing or leasing a product or obtaining a service from the business.
(3) “Data” means a customer’s electrical or natural gas usage that is made available to the business as part of an advanced metering infrastructure provided by an electrical corporation, a gas corporation, or a local publicly owned electric utility, and includes the name, account number, or physical address of the customer.
(4) “Electrical corporation” has the same meaning as in Section 218 of the Public Utilities Code.
(5) “Gas corporation” has the same meaning as in Section 222 of the Public Utilities Code.
(6) “Local publicly owned electric utility” has the same meaning as in Section 224.3 of the Public Utilities Code.
(b) Unless otherwise required or authorized by federal or state law, a business shall not share, disclose, or otherwise make accessible to any third party a customer’s data without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used.
(c) A business that discloses data, with the express consent of the customer, pursuant to a contract with a nonaffiliated third party, shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the data from unauthorized access, destruction, use, modification, or disclosure.
(d) A business shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the data from unauthorized access, destruction, use, modification, or disclosure.
(e) A business shall not provide an incentive or discount to the customer for accessing the data without the prior consent of the customer.
(f) A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer data within its custody or control when the records are no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the data in those records to make it unreadable or undecipherable through any means.
(g) The provisions of this section do not apply to an electrical corporation, a gas corporation, or a local publicly owned electric utility or a business that secures the data as a result of a contract with an electrical or gas corporation or a local publicly owned electric utility under the provisions of subdivision (f) of Section 8380 or subdivision (f) of 8381 of the Public Utilities Code.
(Amended by Stats. 2020, Ch. 188, Sec. 1. (AB 2788) Effective January 1, 2021.)