The Federal Smart Grid Task Force, led by the U.S. Department of Energy, recently held its first stakeholder meeting on a voluntary code of conduct (VCC) for energy utilities and third parties. The voluntary code would indicate to consumers a company’s commitment to data protection and privacy when it comes to the smart grid. The stakeholder discussions follow widespread consumer and advocate concern about smart grid data use as smart meters are increasingly rolled out, energy data becomes digitized and third parties set their sights on using it for marketing and other purposes.

At the live-streamed and interactive February 26 meeting in Washington, DC, stakeholders outlined utilities’ current and future data protection and privacy concerns, such as the granularity of smart grid data, who has access to it and for what purposes, and how to be transparent with consumers.

Federal Trade Commission (FTC) Attorney Ruth Yodaiken of the Federal Smart Grid Task Force opened the event by stating that the FTC, which regulates utilities in cases of deceptive practices, will look favorably at companies engaged in a voluntary code when it must open an investigation into privacy violations, especially “strong codes…codes that are significant and say more than ‘We are gonna try to be good with our consumer data.’”

Paula Carmody of the Maryland Office of People’s Counsel said over the decades, utility customers have become accustomed to dealing with regulated utilities and have enjoyed a sense of security when it comes to data retention. The smart grid, however, has changed that. Energy data can now be used to glean keen insights into consumers’ household habits, and that data is valuable to third parties such as marketers, which makes some consumers and consumer advocates uncomfortable.

“People do have an interest in data security that probably wasn’t there 10 years ago,” Carmody said.

She cautioned that utilities may find themselves increasingly regulated not only by state utility commissions but also by state attorneys general (AG). She noted Maryland AG Doug Gansler’s commitment last year—as president of the National Association of Attorneys General—to “Privacy in the Digital Age” as the organization’s main initiative.

Duke Energy’s Mark Hollis indicated support for a VCC but noted a widely adopted code may be difficult to establish given that utilities operate in various jurisdictions across the U.S. He wondered what a uniform code might look like as a result.

“Will it be one-size-fits-all? Will you have to adopt pieces of it? Can you adopt pieces of it? There are some questions still to be answered there.”

He added that the code, whatever form it may take, must not be lip service and must apply broadly.

“If it’s not adopted widely, and it’s not a strong code, we probably should just call it a day,” he said. “If it’s just another document that everyone will keep on their desks, we’ll bow out gracefully.”

Jules Polonetsky, CIPP/US, co-founder of the Future of Privacy Forum, which launched a smart grid privacy seal last year for companies that use consumer energy data, echoed Hollis’ sentiment that a VCC must not be a document that “sits in a drawer” but rather a code that is “accountable, adopted and therefore enforced.”

He added that times have changed when it comes to the digital information ecosystem.

“Once upon a time, websites had your data and they set the rules for what happened. Today, lots of third parties dictate to websites how data is elected and used, and often those first parties don’t even know or have any substantial say,” he said. “And in fact, those third parties will tell the first party how the data is used, and you’ve got to go along if you like analytics and advertising. That’s what the world looks like now on the Web, and I don’t think that’s what we want this world to look like.”

However, any VCC should have some flexibility, Polonetsky said. He suggested either the establishment of a trade group that would accept members pledging adherence to the code or the development of a process to discipline those who do not.

Xcel Energy’s Megan Hertzler, CIPP/US, said it should be confirmed whether the code would apply to companies already regulated by some entity or to those outside of that sphere. She added that no matter what code a utility may adhere to, it will be difficult to regulate how associated third parties treat that data once it leaves the utility.

Carmody later introduced a proposed set of elements to be included within a VCC with provisions on data management and accountability; notice and purpose, choice and consent, collection and scope; use and retention; individual access; disclosure and limiting use; security and safeguards; accuracy and quality; openness, monitoring and challenging compliance, and enforcement mechanisms.

Additional concerns voiced at the meeting centered on whether an attempt at establishing a VCC may be a duplication of efforts, given the groundwork already done by the National Institute of Science and Technology and the North American Energy Standards Board; whether a VCC may create a complicated matrix of rules for utilities to comply with; which players will be charged with what obligations; how to treat aggregated data, and how to create a sound definition of “sufficiently anonymized data.”

Written By

Angelique Carson, CIPP/US

