V. ICE exploits people’s basic needs for heat, electricity and water by collecting utility records through opaque and unregulated data brokers

In 2014, the House Subcommittee on Financial Institutions and Consumer Credit held a hearing to discuss a bill aimed at expanding credit access for millions of Americans. According to Representative Keith Ellison of Minnesota, there were at least 50 million consumers in the country whose credit histories were too thin to generate high scores and another 50 million who were “credit invisible,” meaning that they had no credit scores at all.235

“The solution is simple,” Ellison told the committee.236 Instead of needing credit to build credit, consumers could establish a record through something that many people already pay on a regular basis: their utility bill. The Credit Access and Inclusion Act would give the green light for gas, water, electric and other utility providers to notify credit bureaus each time a customer pays—or misses—a monthly bill, not just when an account is sent to collections.237 

The idea behind using utility payments to show creditworthiness wasn’t entirely new, and one major credit reporting agency, Equifax, was already collecting the “full-file” utility payment records of millions of customers for use in specialized credit reports delivered specifically to utility companies.238 But the law was still unclear on whether full utility payment data could be factored into a consumer’s credit score, and Ellison wanted to put an official rubber stamp on the practice. Approval from Congress, he hoped, would go a long way in helping low-credit and no-credit Americans break into the mainstream financial system.239

  • 235. An Overview of the Credit Reporting System: Hearing Before the Subcommittee on Financial Institutions and Consumer Credit of the House Committee on Financial Services, 113th Cong. (2014),  https://www.govinfo.gov/content/pkg/CHRG-113hhrg91161/html/CHRG-113hhrg91161.htm. (“More than 50 million Americans have no credit score, are just credit-invisible. Another 50 million have scores that are lower than they should be because they do not have enough lines of debt to generate a score.”).
  • 236. Id.
  • 237. See National Consumer Law Center, Full File Utility Credit Reporting: Harms to Low-Income Consumers (2013), https://www.nclc.org/images/pdf/credit_reports/ib_utility_credit_2013.pdf (“One of the efforts to promote alternative credit data urges that utility companies engage in monthly reporting of customer payments, including late payments, to the Big Three nationwide credit reporting agencies (CRAs), Equifax, Experian, and TransUnion. Currently, the vast majority of electric and natural gas utility companies only report to those three CRAs when a seriously delinquent account has been referred to a collection agency or written off as uncollectible.”).
  • 238. See An Overview of the Credit Reporting System: Hearing Before the Subcommittee on Financial Institutions and Consumer Credit of the House Committee on Financial Services, 113th Cong. 137–38 (2014), https://www.govinfo.gov/content/pkg/CHRG-113hhrg91161/html/CHRG-113hhrg91161.htm (letter from Buddy Flake, NCTUE Board President, and Micheal Gardner, Senior Vice President, Equifax, to Keith Ellison, Member, Committee on Financial Services) (“[The National Consumer Telecom & Utilities Exchange] is a nationwide, member-owned and operated, FCRA-compliant data exchange that houses both positive and negative alternative payment data (i.e., non-traditional financial payment reporting data, such as telecom and utility payments) on consumers, which is then available to NCTUE’s members on a blind basis to aid in their credit decisioning and risk management...member companies currently report and share industry-specific payment data on more than 180 million consumers throughout the United States.”).
  • 239. See An Overview of the Credit Reporting System: Hearing Before the Subcommittee on Financial Institutions and Consumer Credit of the House Committee on Financial Services, 113th Cong. (2014),  https://www.govinfo.gov/content/pkg/CHRG-113hhrg91161/html/CHRG-113hhrg91161.htm (statement of Hon. Keith Ellison) (“I am eager to see this Congress take action to improve our [credit reporting] system by making it more inclusive. … Mr. Fitzpatrick and I, in a bipartisan way, have a bill called the Credit Access and Inclusion Act, and this bill clarifies that current law does not prohibit utility and telecom firms from reporting their customers' on-time payments.”).
Stuart Pratt sits with a microphone in front of him as he testifies before the 2014 House Subcommittee.
Stuart Pratt, then-CEO of the Consumer Data Industry Association, testifies before the House Subcommittee on September 10, 2014. (Photo: House Financial Services Committee)

Among all the witnesses present at the hearing, none spoke as eagerly about the bill’s potential to improve the lives of the underprivileged as Stuart Pratt. Pratt was the president and CEO of a trade group called the Consumer Data Industry Association (CDIA), whose members included the nation’s big three credit reporting agencies: Equifax, Experian and TransUnion. “Ultimately,” Pratt insisted before the committee, when credit bureaus can include full utility payment data in credit reports, “consumers who are new immigrants, unbanked and underbanked, are the beneficiaries.”240

“... consumers who are new immigrants, unbanked and underbanked, are the beneficiaries.”

Just one legislator voiced concerns about whether this trove of information might end up in the wrong hands. “I guess maybe I would ask the panel,” said Vice Chairman Sean Duffy, “what steps are taken to protect the millions of bits of information that are collected in regard to people’s credit history and personal information?”241 As the industry representative, Pratt assured him that the companies in CDIA had security teams and could monitor whether credit reports were unexpectedly accessed, for example, by a Russian IP address.242 

But Pratt failed to mention that Equifax, one of the largest members of his trade association, was packaging up the customer information that it received from utility companies and furnishing it to a private database used by ICE. 

Seven years later, in February 2021, Reps. Raja Krishnamoorthi of Illinois and Jimmy Gomez of California demanded answers from Equifax and the data broker Thomson Reuters about the practice, expressing their concern that sharing utility customers’ data with ICE represents “an abuse of privacy” and that ICE’s use of this information constitutes “an abuse of power.”243

A. ICE exploits the need for water, light, heat, phone and internet to target people for deportation.

On June 2, 2020, an ICE agent emailed a Georgia licensing official seeking assistance. “Happy Tuesday!!!” he wrote. “I’m at an impasse in one of my immigration cases.”244 The agent needed help tracking someone down. He had pulled the person’s utility records, which revealed that the subject had “recently departed” from an address.245 The agent took that information to the licensing department, hoping that driver records could tell him more.

Three months earlier, in the first days of COVID-19 lockdowns in the U.S., the acting head of ICE had announced that the agency would temporarily scale down arrests, with the exception of those deemed “mission critical” to “maintain public safety and national security.”246 But the agent who emailed the Georgia licensing department wasn’t pulling utilities records to find someone who fit within ICE’s newly defined priorities for enforcement. Rather, the agent had tapped a database containing millions of customers’ water, electricity, gas, phone and other utility records in search of someone who had simply entered the country on a visa and remained longer than authorized—a “straight-up Pleasure Visitor overstay.”247

An email from an ICE deportation officer to a Georgia Licensing official is shown. The officer asks for information that he believes will be helpful in one of his cases concerning an immigrant who has overstayed their visa.
A June 2, 2020 email from an ICE deportation officer to a Georgia licensing official. (Source: Center on Privacy & Technology Freedom of Information documents)

For years, it has been known that ICE used a commercial database to gain access to millions of names, addresses and other personal information taken from their utility records.248 What remained unknown, however, were the details: How exactly did utility customer data end up in a private database used by immigration agents? And precisely which utility companies allowed their customers’ information to reach ICE?

By piecing together public marketing documents and DOJ filings, the Center on Privacy & Technology was able to identify the likely longtime source of ICE’s utility information: a little-known credit reporting agency known as the National Consumer and Telecom Utilities Exchange (NCTUE). With access to customer data from NCTUE’s several dozen member utility and telecommunication companies, ICE agents could likely view the utility record information of over 218 million unique consumers, including about 3 in 4 adults in the U.S.249

ICE investigators gained the ability to dig through people’s gas, water, electricity, phone, internet and other utility records when, in 2010, the agency penned a contract with Thomson Reuters for subscription access to a database called CLEAR.250 CLEAR, designed to be a one-stop shop for investigators to gather information about their targets, vacuums up the data trails that individuals leave in the course of their daily lives.251 The database pulls names and Social Security numbers from the top of consumer credit reports; matches license plate numbers from DMV records with snapshots taken at toll roads and parking lots; and—for the most up-to-date information on where people live—gathers the addresses listed on their gas, water, electricity and other utility bills.

“For people who are not easily traceable via traditional sources ... utility hookup records may provide the only current and accurate address and phone number data available.”

In a marketing letter sent to potential subscribers, Thomson Reuters specifically emphasizes that utility records are uniquely valuable in shining a light on populations that are difficult to track through other means. “For people who are not easily traceable via traditional sources” such as credit reports, the letter reads that “locator information from utility hookup records may provide the only current and accurate address and phone number data available.”252 Thomson Reuters has taken care to ensure that its collection of utility records is extensive and up-to-date, boasting in the letter that “CLEAR offers the most comprehensive utility locator information on the market.”253

In the letter, Thomson Reuters also reveals that Equifax is the supplier of CLEAR’s utility dataset.254 Equifax hosts a database containing millions of utility customers’ payment records on the behalf of NCTUE. This arrangement began in 1993, when a band of eight telecommunication carriers went to the DOJ to review its plan to build a “credit information clearinghouse,”255 a central database where each company could share customers’ account information and payment records with each other. (Absent such review, there would have been uncertainty about the outcome of possible antitrust scrutiny.256) The group selected Equifax to build and manage the database,257 and in turn, Equifax negotiated the exclusive right to package the data and deliver it to downstream buyers.258

  • 252. Letter from Kyle Keene, Govt. CLEAR Specialist to Joshua, Thomson Reuters (Jan. 17, 2018), https://www.prorfx.com/Storage/110S34471_051/ProRFx/Upload/Attachments/General/Sole%20Source%20Letter%20-Thomas%20Reuters.pdf.
  • 253. Id.
  • 254. Id.
  • 255. Letter from Judy Whalley to Assistant Attorney Gen. Anne K. Bingaman (Dec. 9, 1993), https://www.justice.gov/sites/default/files/atr/legacy/2014/07/22/303389.pdf. The founding members of the exchange were: Allnet Communication Services, Inc., AT&T, Business Telecom, Inc., Cable & Wireless, Inc., LDDS Metromedia Communications Corporation, MCI Telecommunications Corporation, Sprint, and WilTel Business Networks.
  • 256. The process for obtaining approval is discussed in DOJ regulations. U.S. Department of Justice, What is a Business Review? (June 25, 2015), https://www.justice.gov/atr/what-business-review ("Persons concerned about the legality under the antitrust laws of proposed business conduct may ask the Department of Justice for a statement of its current enforcement intentions with respect to that conduct pursuant to the Department's Business Review Procedure. See 28 C.F.R. § 50.6”).
  • 257. NCTUE, History of NCTUE, https://www.nctue.com/history (last visited Nov. 27, 2021).
  • 258. Press Release, Equifax Investor Relations, Equifax Extends Service Agreement with National Consumer Telecom and Exchange (Nov. 19, 2019), https://investor.equifax.com/news-events/press-releases/detail/89/equifax-extends-service-agreement-with-national-consumer. (“Under the terms of the current agreement, Equifax will continue its operation and management of the NCTUE database. Equifax will also maintain the exclusive right to deliver NCTUE products and services, including: Equifax Insight Scores for Credit, Rental Scores, Advanced Communications Plus, Advanced Energy Plus and many others through 2024. This extended service agreement continues Equifax operation and management of the NCTUE database, subject to the oversight of the NCTUE board of trustees.”). The intention for Equifax to sell this data to outside entities also seems to have been present—and mutual—from the start. In a letter to the DOJ, the founding companies cited “Equifax’s. . . commitment to find and exploit appropriate opportunities for third-party access to exchange data” as a reason for their partnership. The “revenues generated thereby [would pass] back to exchange members to defray their costs,” they claimed, forming one of the “substantial, ever-increasing economic incentives” that motivated the arrangement. See Letter from Craig L. Caesar to Assistant Attorney Gen. Hon. Charles A. James 4 n.5 (Aug. 17, 2001), https://www.justice.gov/atr/page/file/1019991/download.
A diagram is shown demonstrating the confirmed flow of utility data from Maryland MVA to NLETS network to FBI's NCIC Database to ICE. The diagram also shows the possible flow of this data from Maryland MVA to Maryland Criminal Justice Dashboard Network to ICE.
Figure 4Likely Path of Utility Customer Data to ICE, 2010-2021

The purpose of the customer database was twofold. When the telecommunications companies first proposed their clearinghouse to the DOJ, they claimed that its “principal purpose” was “to provide carriers with advance warning about customers who pose a credit risk.”259 A potential customer with a history of leaving balances unpaid, for example, might be asked to pay a larger deposit. But the carriers also planned for this pool of records to serve as a “skip tracing” tool – a way to track down customers who left unpaid bills behind.260 Customers may terminate services or move away, but anytime they signed up with another utility provider in the group, the clearinghouse would update with the new addresses and contact information listed on their applications.

To make it even easier to trace old customers to new addresses, the initial group of telecommunications carriers decided to invite gas, water and electric providers to contribute their customers’ records as well. According to another filing that the telecoms wrote to the DOJ in 2002, “the services provided by utilities companies are tied to physical location,” which means that they “tend to have accurate address information.”261 With the addition of 37 utility companies contributing customer information, the group became known as NCTUE.262 The NCTUE database became not only a useful tool for credit evaluation but also one of the most reliable sources of information on where people live.

When ICE agents used CLEAR to access millions of names and addresses from utility records, they were most likely viewing customer data that NCTUE’s member companies handed over to Equifax. Such an extensive collection of utility record data was unlikely to come from any other source, as the NCTUE database is reportedly “by far the largest database of utility, pay TV, and telecom payment records” in the nation.263 Equifax has also actively touted the NCTUE database’s effectiveness in capturing “that elusive segment of the market – the no-hit or thin-files,”264 who would likely be absent from the credit header data that Thomson Reuters gets from other credit agencies like Experian and TransUnion. 

While no entity involved in supplying Thomson Reuters with utility records has confirmed their exact provenance, the dataset that Equifax manages for NCTUE and the dataset it handed over to CLEAR are near identical in number: CLEAR claims to hold over 400 million names and addresses obtained from more than 80 utility providers,265 and Equifax reveals that the NCTUE database contains over 400 million records from more than 85 companies.266 

Equifax and NCTUE have remained secretive about the full list of utility companies whose customers’ records have ended up in the NCTUE database – and therefore likely in the hands of ICE – but evidence indicates that it has included national giants like Verizon267 and AT&T268 as well as regional utilities like Baltimore Gas & Electric269 and Piedmont Natural Gas.270 Evidence also suggests that even some publicly held service providers like Nevada Energy271 and the Miami-Dade County Water and Sewer Department272 have participated in the data exchange. Additional service providers that may have been part of NCTUE are listed in the Appendix

ICE’s broad access to utility data impacts millions of customers from dozens of utility providers across the U.S. The CLEAR utility dataset is drawn from national and regional telephone, cable, satellite, gas and electric and water providers across the country, including a special “focus on the top 50 companies.”273 The dataset encapsulates utility customers in all 50 states and the district, as well as Puerto Rico, Guam and the U.S. Virgin Islands, and it is updated daily.274

50 outlines of the human body are shaded in varying shades of blue and green signifying NCTUE coverage in each state.
NCTUE coverage by state. (Source: Equifax)
A Verizon employee calls the NCTUE “very empowering” for “underserved, underbanked, multicultural” customers.

Despite supplying the personal information of millions of utility customers to a database used by immigration enforcement, Equifax continues to uphold a public narrative of service to the most underprivileged consumers. In a promotional video posted by Equifax, a director for Verizon proclaims that the NCTUE data exchange is “very empowering”275 for “underserved, underbanked, multicultural”276 customers. An Equifax executive also claimed that the information exchange “present[s] a tremendous opportunity for the underbanked or credit invisible.”277

Sidebar 2. The Early Release of our NCTUE Findings

The Center on Privacy & Technology typically releases its research findings in conjunction with research reports. When we uncovered the likely data pipeline between the NCTUE and ICE, we decided that the information was too important to wait for our report’s release. We provided the documents to Drew Harwell of The Washington Post, which published them in a front-page February 2021 exposé.278 None of the companies involved denied that the data of NCTUE members’ customers was being provided to ICE.

ICE’s agreement with Thomson Reuters for access to the CLEAR database ended in February 2021. That same month, however, ICE appeared to replace its subscription to CLEAR by awarding a $16.8 million contract to LexisNexis Special Services, possibly for access to a similar database called Accurint.279 Although it is unknown whether this contract offers ICE access to utility records from the NCTUE database, LexisNexis has advertised that its datasets include utility records of 210 million consumers—around the same amount as the NCTUE database claims to hold—derived from unspecified sources.280

In October 2021, NCTUE instructed Equifax to end the sale of names, addresses and other biographical data from customer records.281 This was the result of action by Senator Ron Wyden of Oregon, who, after the release of our findings in The Washington Post in February and persistent advocacy by Just Futures Law and Mijente in subsequent months, pushed NCTUE to cease the sale of this information.282 According to a statement issued by Thomson Reuters to customers of its databases, including CLEAR, utility header data is no longer being provided for law enforcement or non-law enforcement entities such as private investigators.283 

However, although NCTUE agreed to end the sale of utility customer data, it is still just one out of many possible sources for this information. Without strong regulations to limit the dissemination of utility data, it may be only a matter of time before data brokers discover new avenues for amassing the same set of customer records. And although ICE has ended its contract with Thomson Reuters, its new agreement with LexisNexis reveals that multiple different companies can provide very similar services. When ICE terminates a relationship with one data broker, it can simply sign new contracts with another.

B. Federal and state laws offer little protection against warrantless ICE searches of utility data.

During a bill signing ceremony in late 2020, Governor Gavin Newsom proudly declared that immigrants and refugees make California a “greater and more vibrant place.”284 Among the new laws bearing the governor’s signature that day was California Assemblymember Todd Gloria’s bill, CA AB 2788, which promised to protect utility customer data—including utility usage information—from exposure to federal immigration enforcement.

Governor Gavin Newsom gives Assemblyman Todd Gloria a thumbs up.
California Gov. Gavin Newsom gives a thumbs up to Assemblyman Todd Gloria at a bill signing ceremony in 2019. (Photo: AP Photo/Rich Pedroncelli)

Gloria’s law responded to an urgent problem. Transparency reports from the state’s utility companies showed that federal immigration enforcement had been routinely requesting Californians’ utility customer information without first presenting a warrant.285 Under the new law, if ICE wanted to directly request Californians’ utility customer information, it would need to go to a judge and obtain a warrant or court order. If ICE wanted to access Californians’ utility customer information through a data broker, the law stopped the data broker dead in its tracks.286

The passage of the law was “a tremendous victory,” Gloria proclaimed, “for the privacy of all Californians and an important safeguard for our immigrant and refugee communities.”287

But our findings regarding Equifax and NCTUE suggest that California’s law contained a massive back door. While the legislation prohibited sales of customer data, it did not protect against simple dissemination. As a result, California’s limit on the selling of customer data would be ineffective against a utility company that shares the information for free – to conduct a credit check, for example. When California utility companies disseminate customer information to NCTUE for credit evaluation and other purposes, they may not realize that NCTUE is entitled to resell their customers’ information to third parties once the credit check is over. Indeed, despite the passage of this legislation, 1 in 2 Californians’ utility customer data may have still been accessible by ICE through Equifax and NCTUE.288

California is not the only state whose laws have allowed utility customer information to reach ICE. Massive gaps in state utility privacy laws, combined with gaps in federal privacy laws, have left millions of Americans bereft of meaningful privacy protections when they sign up for gas or water. Within this regulatory vacuum, companies have built a lucrative marketplace to buy and sell utility customer information with ICE and other entities, even when legislators have tried to put strong regulations in place.

1. Federal privacy laws offer little to no protection.

When a marketplace for utility customers’ name and address information first began to emerge in the late 1990s, federal regulators resisted putting rules on the buying and selling of that data. As the Federal Trade Commission (FTC) told Congress in 1997, “advances in computer technology” made it possible to look up Americans’ personal information “from sources such as phone records, public utility records, and air travel records” more “easily and cheaply than ever before.”289 Despite how easy it was for that information to become available, however, many Americans had expressed strong privacy preferences,290 and honoring those preferences seemed to be in the utility companies’ own best interests.

The FTC simply recommended that Congress allow the Individual Reference Services Group (IRSG), a trade association representing major data brokers like Equifax and LexisNexis, to “be given the opportunity” to self-regulate. The ISRG accepted, promising the FTC that its companies would not sell customer information from telephone companies in cases where the customer chose to remain unlisted or any “similar information.”291

It didn’t take long for industry self-regulation to collapse. After the FTC adopted rules in 2000 to protect the privacy of consumers’ personal information at banks and other financial institutions, the ISRG disbanded.292 No federal regulators stepped up in its absence to safeguard customer data provided to utility companies. Over the next 20 years, Congress has failed to pass a single law protecting utility customer privacy.

Without meaningful lawmaking or industry self-regulation, utility customer privacy was hung out to dry. Federal regulators had already interpreted existing privacy laws like the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act to protect consumers’ information only in the limited cases when financial institutions like banks used it or when it was material to consumer credit reporting.293 Other privacy laws like the Cable Privacy Act or the Electronic Communications Privacy Act weren’t interpreted to offer meaningful protections for the sale of consumers’ name and address information either. And privacy protections for gas, electric and water customers were left to state regulators.

  • 289. Federal Trade Commission, Individual Reference Services - A Report To Congress (1997), https://www.ftc.gov/reports/individual-reference-services-report-congress.
  • 290. According to one study from 1996, approximately 1 in 3 Americans opted to have their phone company keep them unlisted. Id. at n.142 (citing Paul M. Schwartz & Joel R. Reidenberg, Data Privacy Law, Michie Law Publishers, Charlottesville, VA, 1996).
  • 291. Id.
  • 292. Notice of Termination of IRSG, WayBack Machine (last visited Nov. 27, 2021) http://web.archive.org/web/20020202103820/www.irsg.org/html/termination.htm ("It doesn't make sense to maintain a self-regulatory program when this information is now regulated under the Gramm-Leach-Bliley Ac … All IRSG members have agreed to continue to abide by the IRSG data use principles for data collected prior to July 1, 2001.”).
  • 293. See, e.g., In re Trans Union Corp., 9255, 200 WL 257766 (F.T.C., Feb. 10, 2000).

2. State privacy laws fail to adequately protect people’s information.

Most states lack any meaningful privacy protections for the data generated by customers of gas, electric, water, telephone and cable companies. For the few laws and policies that do exist, closer examination reveals that the vast majority do little to protect customers’ addresses against the two pipelines of disclosure through which that data travels: (1) disclosure to law enforcement by the company and (2) disclosure to commercial third parties, the path through which the bulk of that information travels to ICE, as evidenced by ICE’s access of that data from Thomson Reuters and likely, today, LexisNexis.

        a. State Utility Privacy Protection Scorecard

The Center on Privacy & Technology scored 51 jurisdictions’ protections for utility customer addresses across the two pipelines of disclosure to ICE for all five utilities. For disclosure to law enforcement, a jurisdiction was given: 

  • a green score when it required a warrant for compulsory disclosure of a customer’s address; 
  • a yellow score when a court-ordered subpoena or more is required for a customer’s address or where agency regulation (but not law) prohibits disclosure of a customer’s address; and 
  • a red score when an administrative subpoena or less is required to compel disclosure of a customer’s address.

For disclosure to commercial third parties, a jurisdiction was given:

  • a green score when it prohibited dissemination of a customer address to third parties or solely allowed its dissemination for specific business purposes and required prompt disposal;
  • a yellow score when it prohibited dissemination of a customer address to third parties or solely allowed its dissemination for specific business purposes but did not require prompt disposal; and 
  • a red score when no such protections appeared to apply or when the jurisdiction predicated broad dissemination of a customer address to third parties on customer notice and consent, including for the purpose of credit evaluation.
A table exhibits the State Data Protection Scorecard for Law Enforcement Access for 51 jurisdictions.
Figure 5State Utilities Data Protection Scorecard for Law Enforcement Access
A table depicts the State Utilities Data Protection Scorecard for Commercial Third-Party Access for 51 jurisdictions.
Figure 6State Utilities Data Protection Scorecard for Commercial Third-Party Access

State laws designed to establish privacy protections for utility customers’ personal information typically contain one or more significant weaknesses. Weak state laws typically only limit disclosures of utility customer information:

  • when disclosure is compelled by law enforcement, without prohibitions on voluntary dissemination to other entities. Privacy protections that only apply to compulsory requests by law enforcement allow utility companies to voluntarily disclose utility customer information to data brokers and other third parties for any other purpose.
  • when it’s sold, without prohibitions on nonremunerative dissemination. Privacy protections that only apply to the sale of utility customer information allow utility companies to disclose utility customer information to federal immigration enforcement, data brokers and other third parties for any other purpose, including consumer credit reporting and immigration enforcement.
  • concerning usage information, without prohibitions on disclosures of name and address information.
  • unless it’s disclosed to consumer credit reporting agencies. Privacy protections that contain overbroad credit reporting exceptions allow credit reporting agencies to disseminate customers’ name and address information to third parties, including federal immigration enforcement.

As Figure 5 shows, the overwhelming majority of states have failed to adopt meaningful privacy protections restricting the release of utility customer information to law enforcement. Only three states – California, Connecticut and Michigan – require law enforcement to obtain at least a court order to compel the disclosure of gas customers’ information. For electricity customers, it’s five states: California, Delaware, Michigan, Oklahoma and Wisconsin. For telecommunications customers, it’s only California. Zero states have adopted any meaningful restrictions on the disclosure of water and cable customers’ information to law enforcement.

Likewise, as Figure 6 indicates, the overwhelming majority of states have also failed to adopt meaningful privacy protections restricting the dissemination of utility customer information to commercial third parties. 

One state, however, stands out. Nevada has adopted strong rules that prohibit the dissemination of gas, water, electrical and telecommunications consumer information to third parties. Those rules protect consumers by strictly limiting the lawful purposes of dissemination and prohibiting disseminations for commercial purposes. Critically, unlike certain other states, Nevada’s rules don’t make an exception for the dissemination of a consumer’s information with the consumer’s permission. In a world where most regulators don’t understand the marketplace for the resale and dissemination of consumer information, consumers cannot be expected to understand and be able to meaningfully consent to it either.