Industry · 16 June 2025 · DEIS Compliance

Energy retailers: privacy compliance for credit checks and customer data sharing

Energy companies share customer data with credit bureaus and access third-party data for credit assessments. Here is how to stay compliant.

Energy retailers — electricity, gas, and broadband providers — routinely access third-party data for credit assessments and customer verification. They also share customer data with credit bureaus, creating a two-way data flow that triggers multiple privacy obligations.

Collecting from third parties

When an energy retailer runs a credit check on a new customer through Centrix, Equifax, or illion, it is collecting personal information from a third-party source. IPP3A requires notification.

Most energy retailers include a credit check consent clause in their sign-up process. For this to satisfy IPP3A, it must:

  • Specifically name the credit bureau(s) being accessed
  • Describe the type of information being collected
  • Be presented at or before the time of collection

Sharing with third parties

When energy retailers share customer payment data with credit bureaus (positive or negative reporting), they are disclosing personal information under IPP11. The individual should be aware that this sharing occurs.

Smart meter data

Smart meter data — including detailed consumption patterns — is personal information. Sharing it with third parties (e.g., for research or marketing) triggers privacy obligations that go beyond credit reporting.

DEIS for energy retailers

DEIS allows energy companies to manage both the collection (credit checks) and the evidence trail. For an industry with millions of customer interactions per year, automated compliance evidence capture is essential.