
How can utilities in California prepare for the Consumer Privacy Act?

This article was first published in Energy Central.

In our increasingly digital age, organizations collect, process, manage or broker a significant amount of personal data. Until recently, consumers have placed a certain amount of trust in those organizations to keep that data safe. However, over the past several years, high-profile data breaches (e.g., Facebook, Cambridge Analytica, Target, Equifax) have called into question whether that trust has been misplaced and whether regional or federal governments should impose more robust standards.

The European Union has already taken action with the General Data Protection Rules (GDPR), which went into effect in May of this year. These rules impact any company that collects or processes the personal data of EU citizens. In the US, more recently, California passed the Consumer Privacy Act (CCPA), which will impact the majority of organizations that do business in the State of California. This includes investor-owned electric and water utilities.

Specifically, the CCPA applies to for-profit businesses that collect and control California residents’ personal information, do business in the state of California, and that satisfy one or more of the following thresholds:

  • have annual gross revenues in excess of $25 million; or
  • receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or
  • derive 50 percent or more of their annual revenues from selling California residents’ personal information.

Broadly, the CCPA provides for the following new rights for California residents:

  1. The right to be informed regarding what personal information a company has collected about them;
  2. The right to request the deletion of personal information; and
  3. The right to opt out of the sale of personal information to third parties.

Currently, the implementation deadline for the CCPA is January 1, 2020; however, the requirements of the law will likely evolve over the next year or so. Indeed, an amendment was already signed into law in September, which (among other changes) delays the CA Attorney General’s ability to bring an enforcement action until July 1, 2020.

The broad rights as outlined above are likely to remain intact, however, which makes adhering to the spirit of the regulation (rather than the letter) the most sensible approach. This means organizations must undertake an assessment to understand their privacy capability gaps and how ready they are to meet the new regulation.

We know from experience, having helped over 50 organizations come into compliance with GDPR, that organizations need to take a more proactive approach to managing personal data and implement the following capabilities to be prepared for CCPA.

  • Develop and maintain an inventory of personal data. This is an implicit requirement of the CCPA. Given the complexities of utility processes, the multitude of information systems they employ and the likely lack of a consolidated inventory of where and how personal data is held, this effort should be undertaken immediately. Initial steps should include an assessment and documentation of all the business processes that involve the handling of personal information as well as the systems that capture and store this data. Typical utility software solutions that store personal information may include: Customer Relationship Management, Customer Information System, Enterprise Resource Planning systems, Outage Management Systems, HR systems, Financial/bill-pay systems, Access and Identity Systems, and potentially third-party systems such as customer engagement platforms.
  • Respond to requests such as the right to deletion or requests for information. The CCPA establishes broad rights for California residents that require prompt action. This will have technology impacts as well as business process impacts.
  • Ensure that all staff with access to personal information are aware of the regulation and have been trained appropriately in safe data handling standards. Awareness is the best defense against a breach.
  • Check that third parties can meet the privacy clauses that will be needed in contracts. Potential reputational damage from a third-party breach could be significant. Assurance processes and appropriate controls must be in place (e.g., customer engagement companies, community solar providers, payment processors).
  • Enable the right to opt out. Consumers will have the right to opt out of any future sale of their personal information through at least a “do not sell my personal information” link on an organization’s home page.

With less than 15 months to address all of the implications of this new law, an initial capability assessment should be followed by a detailed gap analysis to identify specific areas that need to be addressed. A plan of action or roadmap can then be developed which will allow organizations to be clear about the specific steps that need to be taken when it comes to governance, processes, organizational structures, capabilities and technical requirements.

James Harvey is an analytics and digital expert at PA Consulting.
