A California court has issued a tentative ruling siding with privacy advocates in a case alleging that the Sacramento Municipal Utility District (SMUD) unlawfully handed over thousands of customer records to law enforcement, potentially violating a key state privacy law.
The lawsuit, filed by the Electronic Frontier Foundation (EFF) and the law firm Vallejo, Antolin, Agarwal, Kanter LLP, represents the Asian American Liberation Network and two local residents.
Among the plaintiffs is a man who was wrongly accused of cannabis cultivation based on the utility data shared without consent.
More: When Smart Meters Turn Into Spy Tools
The respite comes from California Public Utilities Code Section 8381, which bars publicly owned utilities from disclosing electrical usage data to third parties without the customer’s consent, except under specific legal circumstances.
The plaintiffs contend that SMUD, which serves all of Sacramento County and parts of Placer County and ranks among the ten largest public utilities in the country, routinely bypassed this protection.
For over a decade, SMUD responded to requests from the City of Sacramento’s cannabis enforcement unit by monitoring and supplying lists of homes that surpassed monthly energy use thresholds.
These lists, covering more than 33,000 households, were filtered by usage patterns presumed to match indoor cannabis growing operations, such as 12- or 18-hour lighting cycles.
However, SMUD employees acknowledged during proceedings that such usage levels could be linked to legitimate, non-criminal reasons, including the use of air conditioning or a larger home size.
The court’s tentative ruling, released in advance of the October 10 oral arguments, affirms that SMUD violated Section 8381.
It found the utility improperly shared consumer data without obtaining customer approval or confirming that the law enforcement requests were connected to a legitimate ongoing investigation, as required by state law.
Though the City argued its cannabis unit was engaged in “proactive investigations,” the court rejected this rationale, stating that continuous, citywide data mining does not meet the legal standard for an “ongoing investigation.”
According to the court, “the City is not investigating a suspected violation of criminal law” when it makes these data grabs. It further noted that SMUD was well aware of the systematic nature of the requests and still chose to cooperate.
The ruling grants a writ of mandate against SMUD and its CEO, Paul Lau, directing the utility to stop disclosing customer energy data under these circumstances.
The petition against the City of Sacramento and its police chief, however, was denied on the basis that requesting information alone, without executing the disclosure, does not constitute a breach of a legal duty.
While this ruling remains tentative until finalized following the hearing, it marks a significant moment in the fight for consumer privacy and protections against data profiling.
The court did not rule on constitutional grounds, having already found sufficient grounds in statutory violations. However, the implications for digital rights and government surveillance through utility infrastructure are clear.
EFF and its co-counsel sought the court’s intervention precisely because consumers had no practical way to avoid being swept into these dragnet surveillance efforts, short of paying extra fees to opt out of smart meter usage.
For many, even that option was out of reach. The plaintiffs’ legal team has argued this creates a coercive situation that allows mass surveillance without meaningful consent or accountability.
The case reflects growing concerns about the misuse of so-called “smart” infrastructure, especially when used to generate suspicion rather than evidence.
