January 28, 2014 was Data Privacy Day.  Two recent news stories – the thefts of sensitive consumer data from national retailers including Target and Google’s $3.2B acquisition of smart thermostat maker Nest are stimulating much-needed discussion about the security and privacy of personal data. Security and privacy are inextricably linked. In the active criminal investigations underway, authorities will examine the involved parties’ security protections from both of these angles.  We may discover that complacency and failures of imagination were unwitting accomplices to criminal entities.  Let’s not be similar accomplices to weakening our energy data privacy protections.

The USA enacted the Energy Independence and Security Act (EISA 2007) that spurred much of the Smart Grid policies and activities ongoing today.  This legislation acknowledged that smart meters could create new energy data and the need for policies to protect this new data’s privacy.  Since then, Public Utility Commissions in various states have penned privacy guidelines that define what investor-owned utilities (IOUs) must do with energy data derived from smart meters.  For example, in the state of California, smart meter data is owned by the individual consumer (your meter, your data).  Whether that smart meter data remains with the utility or if the consumer authorizes it to be shared with a third party in the form of Green Button data, the California Public Utilities Commission (CPUC) stated it will ensure equal regulatory treatment for third parties who acquire usage data from the utility via a smart meter or through an internet-connected device.

However rules like this do not apply to situations where consumers supply different energy use data directly to businesses.  This is the Nest scenario with their learning thermostat.  In this case, the thermostat gathers sufficient data about user temperature preferences correlated with time and activity sensors to make inferences about future heating and cooling preferences.  This is an “unregulated” peek inside the home at user behaviors.  A number of Nest customers are asking for ZigBee^R or Zwave connections to smart meters to leverage this data along with their learning thermostat data.  If Google/Nest were to do that, in states like California that could mean they would have to abide by the privacy rules governing utilities.

Consider the language of California’s AB 1274.  This bill prohibits the state’s IOUs and publicly-owned utilities “from sharing, disclosing, or otherwise making accessible to any 3rd party a customer’s electrical or natural gas usage data without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used. The bill would require a business and a nonaffiliated 3rd party, pursuant to a contract, to implement and maintain reasonable security procedures and practices to protect the data from unauthorized disclosure. The bill would prohibit a business from providing an incentive or discount to the customer for accessing the data without the prior consent of the customer…”

Today, Nest has a privacy policy in place that states it would not provide consumer data to another third party without that consumer’s consent.  Read it.  It’s a reasonable policy, but as we’ve experienced before, privacy policies are subject to change without advance notice.

Nest is already dabbling in a demand response program called Rush Hour.  Google has had interests in energy management in the past.  It will be interesting to watch how this acquisition unfolds in terms of future energy services.  But if I was a California utility lawyer, I’d act like I’m from Missouri, the “show me” state and line up tough ßdisclosure requirements on how smart meter data is used if asked by Google/Nest to provide it.  And if I was a Nest customer, I wouldn’t be complacent – I’d be monitoring that Nest privacy page.

Photo Credit: Google, Nest, and Privacy/shutterstock