At this week’s National Association of Regulatory Utility Commissioners (NARUC) Summer Policy Summit in San Diego, attendees were encouraged to download a NARUC app to facilitate in-person meetings. There’s just one problem: The smartphone app would violate the privacy rules adopted by commissions in several states.
For example, take California’s rules. In 2011, the Public Utilities Commission issued a lengthy privacy decision that requires software companies that access customer data held by a regulated utility to provide written privacy policies that are “meaningful, clear, accurate, specific and comprehensive.” But, confusingly, NARUC 2017 has two privacy policies (here and here) that are sometimes in conflict with one another. The policies also do not explain what personal information is captured by the user’s mobile device – a clear violation of California’s rules.
Is it reasonable to give away the data on your phone with a single click, while your utility bills requires filling out a four-page legal form?
Another California requirement is for software companies to distinguish “primary purposes” from “secondary purposes” of the personal data used. A primary purpose could be “to help you save energy and money in your home with tailored recommendations on your smartphone,” while a secondary purpose could be, for example, selling the data to make extra money. Secondary uses are explicity prohibited without the prior written consent of the customer. Unfortunately, NARUC 2017’s terms say vaguely, “We will collect and use of [sic.] personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes.” The app doesn’t rule out the lucrative possibility of selling users’ information. If a complaint were filed in California against a similar app maker, the Commission would likely find the software unlawful. [Update: The app maker contacted us to clarify that their contract with NARUC prohibits selling personal information. That is very sensible. Nevertheless, that agreement is between the app maker and NARUC, and it does not appear to be customer-facing, which is a requirement in California and Illinois.]