
Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Energy and Utilities Companies: Smart Meters, Billing Data, and Customer Privacy


Energy companies are not obvious targets for data protection scrutiny. But they sit on an extraordinary volume of intimate personal data — and regulators are paying attention.

Smart meter readings reveal when you wake up, when you go to bed, whether you work from home, and how many people live in your house. Billing records connect that usage data to your identity, your address, your payment method, and your financial situation. Layer in direct marketing, third-party data sharing, and smart home integrations, and the GDPR exposure becomes significant.

This guide covers the GDPR framework for energy and utilities companies — from smart meters to supplier switching to vulnerable customer protections.


Why Energy Companies Face Unique GDPR Risks

Most industries collect transactional data. Energy companies collect behavioural data — detailed, granular, and continuous records of how people live their lives at home.

A half-hourly smart meter reading profile can reveal:

  • Whether a property is occupied during the day
  • Shift patterns and work-from-home arrangements
  • Number of occupants and roughly when they sleep
  • Use of electric vehicles, heat pumps, or medical equipment
  • Unusual events (illness, visitors, changes in routine)

This is what data protection practitioners call "household fingerprinting." It's technically usage data, but it functions like behavioural surveillance. The UK Information Commissioner's Office (ICO) and EU data protection authorities have noted that smart meter data warrants heightened protections precisely because of its inferential richness.

For energy companies, this means the standard approach to data processing — collect what you need, use it for billing — is increasingly insufficient. You need to think carefully about every downstream use of meter data.
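The following is an added example (not code from the original article or from Custodia) that makes the "household fingerprinting" point concrete from a data-minimisation angle. It builds two constructed households with identical daily consumption but different routines, shows that half-hourly readings reveal which one is occupied during the day, and shows that once the readings are coarsened to the daily total a bill actually needs, the two households can no longer be told apart. The 07:00-18:00 "daytime" window, the standby-load heuristic and all kWh values are assumptions made for the illustration.

```python
"""Household fingerprinting vs. data minimisation (added example, constructed data)."""
from statistics import median

SLOTS_PER_DAY = 48            # one reading every 30 minutes
DAYTIME = range(14, 36)       # 07:00-18:00 in half-hour slots (assumed working day)


def _profile(night: float, day: float, evening: float) -> list[float]:
    """Build one day of half-hourly kWh readings from three flat load levels."""
    return [night] * 14 + [day] * 22 + [evening] * 12


# Constructed sample households: both consume 17.4 kWh per day.
HOME_ALL_DAY = _profile(night=0.1, day=0.4, evening=0.6)   # someone home all day
OUT_ALL_DAY = _profile(night=0.1, day=0.1, evening=1.15)   # property empty 07:00-18:00


def daily_total(readings: list[float]) -> float:
    """The only figure a consumption bill needs."""
    return round(sum(readings), 3)


def infer_daytime_occupancy(readings: list[float], factor: float = 2.0) -> bool:
    """Crude inference of the kind regulators warn about: is the property occupied
    during the day?  Compares the typical daytime load with the standby load
    (the lowest reading of the day)."""
    if len(readings) != SLOTS_PER_DAY:
        raise ValueError("expected one day of half-hourly readings")
    standby = min(readings)
    daytime = median(readings[i] for i in DAYTIME)
    return daytime > factor * standby


def coarsen(readings: list[float], slots_per_bucket: int) -> list[float]:
    """Aggregate half-hourly readings into wider buckets (data minimisation).
    slots_per_bucket=48 collapses the day to the single total used for billing."""
    if SLOTS_PER_DAY % slots_per_bucket:
        raise ValueError("bucket size must divide the day evenly")
    return [round(sum(readings[i:i + slots_per_bucket]), 3)
            for i in range(0, SLOTS_PER_DAY, slots_per_bucket)]


def distinguishable(a: list[float], b: list[float], slots_per_bucket: int = 1) -> bool:
    """Can the two households still be told apart at this granularity?"""
    return coarsen(a, slots_per_bucket) != coarsen(b, slots_per_bucket)


if __name__ == "__main__":
    for name, profile in (("home all day", HOME_ALL_DAY), ("out all day", OUT_ALL_DAY)):
        print(f"{name}: total={daily_total(profile)} kWh, "
              f"daytime occupied={infer_daytime_occupancy(profile)}")
    for size in (1, 4, 48):
        print(f"bucket={size * 30} min: "
              f"distinguishable={distinguishable(HOME_ALL_DAY, OUT_ALL_DAY, size)}")
```

The practical lesson is the one the section draws: the lawful basis that covers billing covers the daily total, not the 48-slot profile. Keeping the granular profile for a downstream purpose is a separate processing activity that needs its own basis and, at scale, a DPIA.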


Smart Meter Data as "Household Fingerprinting" Under GDPR

Under GDPR Article 4, personal data is any information relating to an identified or identifiable natural person. Half-hourly energy consumption data linked to a supply address is unambiguously personal data. It identifies the household and reveals patterns about the people living there.

The key questions for any smart meter data use are:

What is your lawful basis? Billing and network management are covered by contract and legitimate interest respectively. But using granular consumption data for customer segmentation, tariff modelling, or third-party analytics requires more careful analysis.

Are you using data for the purpose you collected it? Smart meters were sold to customers on the basis of accurate billing and grid management. Using that data for marketing profiling or selling insights to third parties goes well beyond what customers reasonably expect.

Have you done a Data Protection Impact Assessment (DPIA)? Any systematic processing of smart meter data at scale likely requires a DPIA under GDPR Article 35. The combination of granularity, intimacy, and scale makes this a high-risk processing activity.


Lawful Bases for Energy Data Processing

Energy companies typically rely on three lawful bases. Getting the right one for each processing activity matters.

Contract (Article 6(1)(b))

Contract is the appropriate basis for processing necessary to supply energy: billing, account management, fault diagnosis, and metering. It covers what customers would reasonably expect from their energy contract.

It does not cover: marketing other products, sharing data with comparison sites, or building customer profiles beyond what is operationally necessary.

Legitimate Interest (Article 6(1)(f))

Legitimate interest covers processing where the energy company has a genuine operational need that isn't outweighed by customer rights. Network balancing, fraud detection, and demand forecasting at aggregate (non-individual) level can often be justified under legitimate interest — but only after a formal Legitimate Interest Assessment (LIA) that weighs the business need against privacy impact.

Using granular individual consumption data for commercial profiling on legitimate interest grounds is difficult to justify. The intimacy of smart meter data tips the balance toward customer rights.

Consent (Article 6(1)(a))

Consent is required for direct marketing (subject to PECR/ePrivacy rules) and for any processing that goes beyond what customers would reasonably expect — particularly smart home integrations, third-party data sharing for commercial purposes, or building detailed behavioural profiles.

Consent must be freely given, specific, informed, and unambiguous. It cannot be bundled into supply terms. An opt-out tick box is not consent.


Customer Account Data: What You Can and Can't Do

Customer accounts contain a rich data set: name, address, contact details, payment information, credit history, vulnerability status, and communication preferences. Here's the breakdown:

You can:

  • Use account data to manage the supply relationship
  • Contact customers about their account, bills, and service disruptions
  • Use billing history for debt management within your organisation
  • Process data to comply with Ofgem licence conditions

You cannot:

  • Share contact data with third-party marketers without explicit consent
  • Use billing data to profile customers for financial products without a separate lawful basis
  • Retain account data indefinitely after the supply relationship ends
  • Use vulnerability flags for commercial purposes (see below)

Third-Party Data Sharing: Brokers, Comparison Sites, and Network Operators

Energy companies operate within a complex data-sharing ecosystem. Each relationship has different GDPR implications.

Comparison Sites and Switching Services

When customers use a comparison site to switch suppliers, both the comparison site and the new supplier process personal data. If you're the incumbent supplier, receiving a request to provide consumption data for a switch, you need a lawful basis to share that data with the new supplier. Industry switching frameworks typically provide this — but you still need to document it.

Sharing customer data proactively with comparison sites for lead generation is different. This requires consent, and that consent must be specific, informed, and separate from the supply contract.

Data Brokers and Analytics Partners

Selling or licensing smart meter insights to third parties — even in aggregated form — requires careful DPIA analysis and, in most cases, explicit consent. The ICO has taken enforcement action against organisations that assumed aggregation made data anonymised when it remained re-identifiable.

Distribution Network Operators (DNOs)

Sharing meter data with DNOs for grid management is covered by the regulatory framework and justified under legitimate interest and legal obligation. But the data shared should be limited to what is operationally necessary.


Direct Marketing Compliance for Energy Tariff Offers

Direct marketing to existing customers is governed by both GDPR and PECR (Privacy and Electronic Communications Regulations). The rules are more permissive for existing customers — but not without limits.

Soft opt-in (existing customers): You can market similar products by email or SMS to existing customers without explicit consent, provided:

  • You collected their contact details during the sale or negotiation
  • You're marketing similar products or services
  • You gave them an easy way to opt out at the time of collection
  • You give them an easy opt-out in every subsequent communication

"Similar products" means energy tariffs and related services — not financial products, insurance, or home services from third parties.

New prospects or third-party marketing: Explicit consent is required for unsolicited marketing. Cold calling is subject to TPS (Telephone Preference Service) screening. Email/SMS marketing to people who haven't previously bought from you requires prior consent.

Profiling for marketing: If you're using consumption data or billing history to profile customers for targeted marketing, this is likely to require a DPIA and a clear lawful basis beyond legitimate interest.


Supplier Switching and Data Portability

GDPR Article 20 gives customers the right to data portability — to receive their personal data in a structured, commonly used format and transfer it to another controller. In practice, for energy customers, this means consumption history, billing records, and account data.

Supplier switching already has established industry processes for transferring metering and consumption data. But energy companies should be clear in their privacy notices about:

  • What data is transferred when a customer switches
  • What data is retained by the incumbent supplier and for how long
  • What customers can request under data portability rights

The right to portability applies to data processed on consent or contract grounds — not legitimate interest. For most energy data, which sits on contract grounds, portability rights apply fully.


Vulnerable Customer Data and Enhanced Protections

Energy companies maintain Priority Services Registers (PSRs) for vulnerable customers — those with medical dependencies on energy, elderly customers, customers with disabilities, and households with young children. This data is, in effect, special category data or data that warrants equivalent protection.

GDPR implications:

  • Processing health-related or vulnerability data requires explicit consent or another Article 9 condition
  • Vulnerability flags must not be used for commercial purposes
  • Access to PSR data should be strictly controlled and audited
  • Retention of PSR data should be time-limited and reviewed regularly

In practice: Many energy companies receive PSR information from third parties (local authorities, NHS, charities). This creates data processor/controller relationships that require Data Processing Agreements (DPAs) and clear role clarification under GDPR.
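As an added example (not from the original article), here is one way to enforce the three controls above in code: every read of a PSR flag is checked against the caller's role and stated purpose, commercial purposes have no route to the data at all, every attempt is written to an audit trail whether or not it was allowed, and entries carry a recorded date so that stale flags can be listed for review. The role names, purpose names, sample accounts and the 365-day review interval are assumptions for the illustration, not Ofgem or GDPR text.

```python
"""Purpose-bound access to Priority Services Register flags (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Purposes each role may read PSR data for. Commercial purposes are deliberately
# absent: vulnerability flags exist for customer protection only.
ROLE_PURPOSES: dict[str, set[str]] = {
    "vulnerability_team": {"safety_contact", "psr_maintenance", "regulatory_reporting"},
    "customer_service": {"safety_contact"},
    "marketing": set(),                  # no lawful purpose to read PSR data
}

REVIEW_INTERVAL = timedelta(days=365)   # assumed review cycle
AS_OF = date(2025, 1, 15)               # constructed "today" for the sample run


@dataclass(frozen=True)
class PsrEntry:
    account_id: str
    flag: str          # e.g. "medical_dependency"
    recorded_on: date
    source: str        # who supplied it: customer, local authority, NHS, charity


@dataclass(frozen=True)
class AuditRecord:
    actor: str
    role: str
    purpose: str
    account_id: str
    allowed: bool


class PsrStore:
    def __init__(self, entries: list[PsrEntry]):
        self._entries = {e.account_id: e for e in entries}
        self.audit: list[AuditRecord] = []

    def read_flag(self, account_id: str, actor: str, role: str, purpose: str) -> Optional[str]:
        """Return the account's flag (None if it has no PSR entry).  A role/purpose
        pair that is not permitted raises PermissionError; either way the attempt
        is logged before any data is touched."""
        allowed = purpose in ROLE_PURPOSES.get(role, set())
        self.audit.append(AuditRecord(actor, role, purpose, account_id, allowed))
        if not allowed:
            raise PermissionError(f"{role!r} may not read PSR data for purpose {purpose!r}")
        entry = self._entries.get(account_id)
        return entry.flag if entry else None

    def due_for_review(self, as_of: date) -> list[str]:
        """Accounts whose entry is older than the review interval."""
        return sorted(a for a, e in self._entries.items()
                      if as_of - e.recorded_on >= REVIEW_INTERVAL)

    def denied_attempts(self) -> list[AuditRecord]:
        """What a periodic audit of the trail would look at first."""
        return [r for r in self.audit if not r.allowed]


# Constructed sample register.
SAMPLE = PsrStore([
    PsrEntry("ACC-1001", "medical_dependency", date(2023, 2, 1), "NHS trust"),
    PsrEntry("ACC-1002", "hearing_impaired", date(2024, 11, 10), "customer"),
])

if __name__ == "__main__":
    print(SAMPLE.read_flag("ACC-1001", "agent7", "customer_service", "safety_contact"))
    try:
        SAMPLE.read_flag("ACC-1001", "mkt1", "marketing", "tariff_upsell")
    except PermissionError as exc:
        print("denied:", exc)
    print("due for review:", SAMPLE.due_for_review(AS_OF))
    print("denied attempts logged:", len(SAMPLE.denied_attempts()))
```

Logging the denied attempt, not just the successful reads, is the part most in-house implementations miss; it is what lets you demonstrate to a regulator that the "no commercial use" rule is enforced rather than merely written down.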


Privacy Notices for Energy Contracts

A GDPR-compliant privacy notice must be provided at the point of data collection — typically when a customer signs up for a supply contract. The notice must cover:

  • Identity and contact details of the data controller
  • Contact details for the Data Protection Officer (if appointed)
  • Purposes and lawful bases for each processing activity
  • Recipients or categories of recipients (DNOs, billing processors, etc.)
  • Data retention periods
  • Customer rights (access, erasure, portability, objection)
  • Right to lodge a complaint with the ICO

For energy companies, the privacy notice needs to specifically address smart meter data collection, demand forecasting uses, and any third-party data sharing. Vague language about "improving our services" is not sufficient — GDPR requires specificity.


Subject Access Requests in the Energy Sector

Energy customers increasingly exercise their right to access under GDPR Article 15. A subject access request (SAR) requires you to provide:

  • Confirmation of whether you're processing their data
  • A copy of all personal data held
  • Information about purposes, retention periods, and recipients

For energy companies, a SAR might encompass: billing history, meter readings, call recordings, correspondence, marketing preferences, credit checks, vulnerability flags, and any profiling data.

Key challenges:

  • Half-hourly smart meter data can be voluminous — you need a process to extract and package it
  • Call recordings are frequently requested — ensure they're retrievable within the 30-day deadline
  • Profiling data must be disclosed — if you score customers for tariff offers or payment risk, you must disclose this

Requests must be responded to within one calendar month. Extensions of up to two additional months are available for complex requests, but you must notify the customer within the first month.


Data Retention for Billing Records: Legal vs GDPR Requirements

Billing records create a tension between legal retention requirements and GDPR's storage limitation principle.

Legal requirements:

  • Ofgem licence conditions require retention of billing and metering data for defined periods (typically 5-6 years)
  • HMRC rules require retention of financial records for 6 years
  • Consumer dispute resolution timescales mean records may need to be retained for dispute purposes

GDPR requirements:

  • Data should not be retained longer than necessary
  • Retention periods must be documented and justified
  • Customers must be told how long their data will be kept

In practice: A documented retention schedule that aligns Ofgem and HMRC requirements with GDPR storage limitation principles is essential. Key categories to address: billing records, meter readings, correspondence, call recordings, marketing data, and credit checks.

Marketing data (consent records, campaign history) should typically be purged on a shorter cycle than billing data — two years of inactivity is a reasonable starting point for most marketing databases.
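An added example (not the article's or Custodia's own code) of what a documented retention schedule looks like once it is executable. The periods are the ones this section gives: six years for billing and metering records (the upper end of the Ofgem range, aligned with HMRC), two years of inactivity for marketing data. Where two legal requirements overlap, the longer one wins; a record under a live dispute is held regardless; and a category with no documented rule makes the engine refuse rather than guess, because an undocumented period is itself the compliance gap. Category names, the "anchor" events (end of supply, last marketing activity) and the sample records are assumptions.

```python
"""Retention schedule engine (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    anchor: str                            # record field the period runs from
    periods: tuple[tuple[str, int], ...]   # (source of requirement, years)

    @property
    def years(self) -> int:
        # Overlapping legal requirements: retain for the longest of them.
        return max(years for _, years in self.periods)


# The documented schedule. Anything not listed here has no justified period.
SCHEDULE: dict[str, RetentionRule] = {
    "billing_record": RetentionRule("supply_end",
                                    (("Ofgem licence conditions", 6),
                                     ("HMRC financial records", 6))),
    "meter_reading": RetentionRule("supply_end", (("Ofgem licence conditions", 6),)),
    "marketing": RetentionRule("last_activity", (("storage limitation, internal policy", 2),)),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    supply_end: Optional[date] = None      # None while the supply contract is live
    last_activity: Optional[date] = None   # marketing: last interaction
    dispute_hold: bool = False             # retained for a live consumer dispute


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                     # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def deletion_date(record: Record) -> Optional[date]:
    """Earliest date the record may be deleted, or None while the anchor event
    has not happened yet.  Raises ValueError for an undocumented category."""
    rule = SCHEDULE.get(record.category)
    if rule is None:
        raise ValueError(f"no documented retention rule for {record.category!r}")
    anchor = getattr(record, rule.anchor)
    return None if anchor is None else _add_years(anchor, rule.years)


def due_for_deletion(records: list[Record], today: date) -> list[str]:
    """IDs of records past their retention period and not under dispute hold."""
    due = []
    for r in records:
        if r.dispute_hold:
            continue
        deadline = deletion_date(r)
        if deadline is not None and deadline <= today:
            due.append(r.record_id)
    return due


# Constructed sample data.
TODAY = date(2025, 1, 15)
SAMPLE_RECORDS = [
    Record("BILL-1", "billing_record", supply_end=date(2018, 3, 1)),      # deletable 2024-03-01
    Record("BILL-2", "billing_record", supply_end=date(2021, 3, 1)),      # deletable 2027-03-01
    Record("BILL-3", "billing_record", supply_end=date(2018, 3, 1), dispute_hold=True),
    Record("BILL-4", "billing_record"),                                   # supply still live
    Record("MKT-1", "marketing", last_activity=date(2022, 1, 1)),         # deletable 2024-01-01
    Record("MKT-2", "marketing", last_activity=date(2023, 6, 1)),         # deletable 2025-06-01
]

if __name__ == "__main__":
    print("due for deletion:", due_for_deletion(SAMPLE_RECORDS, TODAY))
    for r in SAMPLE_RECORDS:
        print(r.record_id, deletion_date(r))
```

Call recordings and correspondence are deliberately absent from `SCHEDULE`: the article gives no period for them, so a real schedule has to add documented rules for those categories before the engine will process them, which is exactly the behaviour you want from a storage-limitation control.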


Ofgem Guidance and GDPR Intersection

Ofgem's licence conditions create data protection obligations that run parallel to GDPR. Key intersections:

Supply licence condition 14 covers billing and metering data — including requirements to provide customers with their consumption data on request. This overlaps with GDPR's data portability and access rights.

Smart Energy Code (SEC) governs smart metering data flows, including what data can be accessed, by whom, and for what purposes. The SEC's consent framework for enhanced data access (half-hourly data above what's needed for billing) must be read alongside GDPR consent requirements.

Priority Services Register obligations — Ofgem requires suppliers to maintain and act on PSR information, but GDPR governs how that data is collected and shared.

Energy companies should document how their Ofgem compliance obligations interact with their GDPR obligations in their Records of Processing Activities (RoPA).


Smart Home Device Integrations and Data Flows

Smart thermostats, EV charging platforms, and voice assistants (Amazon Alexa, Google Home) increasingly integrate with energy accounts. Each integration creates new data flows and GDPR questions.

Joint data controller risks: If your smart home integration shares data with a device manufacturer, you may be joint data controllers, requiring a documented arrangement under GDPR Article 26.

Data minimisation: Smart home integrations often share more data than necessary. The default should be minimum necessary data — not full consumption profiles.

Consent for integrations: Customers must actively choose to link accounts. Pre-enabled integrations or opt-out consent for data sharing with device manufacturers is not compliant.

Third-country transfers: Alexa data goes to Amazon servers. Google Home data goes to Google's infrastructure. These transfers require appropriate safeguards (Standard Contractual Clauses or adequacy decisions).


10 Common GDPR Mistakes Energy Companies Make

  1. Using smart meter data for marketing profiling without consent. Consumption patterns are personal data and their use for commercial profiling requires a valid lawful basis — usually consent.

  2. Bundling marketing consent into supply terms. Consent for marketing must be separate, specific, and freely given. It cannot be a condition of supply.

  3. Sharing customer data with comparison sites without a lawful basis. Proactive data sharing for lead generation requires explicit consent from customers.

  4. Retaining call recordings and correspondence indefinitely. These need retention schedules and deletion processes.

  5. No DPIA for smart meter data processing programmes. Any large-scale processing of smart meter data likely triggers the DPIA requirement under Article 35.

  6. Inadequate SAR processes. Failing to include smart meter data, call recordings, or profiling data in SAR responses is a common compliance gap.

  7. Using PSR/vulnerability data for commercial purposes. Vulnerability flags are for customer protection, not commercial targeting.

  8. Insufficient privacy notices. Vague notices that don't address smart metering, third-party sharing, or data portability rights are non-compliant.

  9. No documented Legitimate Interest Assessments. Using legitimate interest as a catch-all basis without a formal LIA is increasingly challenged by regulators.

  10. Ignoring PECR alongside GDPR. Direct marketing rules under PECR operate alongside GDPR — you need to comply with both.


Getting Your Energy Company's GDPR in Order

The stakes for energy companies are higher than most sectors realise. Smart meter data is intimate, billing data is sensitive, and the combination of scale and data richness creates real regulatory exposure.

The starting point is understanding what data you actually hold and what you're doing with it. That means a proper data audit — mapping every data flow, every third-party integration, every retention period.

Custodia's free website scanner identifies privacy issues and data flows that might not be visible in your internal systems — including third-party trackers, consent gaps, and data sharing that your website is doing without you realising it.

Scan your website free at https://app.custodia-privacy.com/scan — results in 60 seconds, no signup required.
