Financial wellness on a collision course with data privacy in California
An amendment to CCPA that protects retirement plans from the privacy law will sunset at year's end. Then what?
“Two tectonic forces” are on a collision course in California, says Tim Rouse, executive director of the SPARK Institute, which advocates on behalf of retirement plan providers. One stems from the larger digital economy, and consumers’ and lawmakers’ demand for greater privacy and protection of the data individuals generate online.
The other comes from the workplace retirement and benefits segment of the economy, and the growing consumer demand—from individuals and employer plan sponsors—for holistic financial direction tailored to individuals.
Oops: CCPA’s unintended consequences
In California, state lawmakers have been the first to take action to address what Rouse called the “justifiable movement around data privacy.”
Largely in reaction to the Cambridge Analytica scandal, which involved allegedly pirated Facebook data from 87 million of the platform’s users, the California Consumer Privacy Act was introduced in early 2018, and signed into law at the end of June.
Like the digital universe it hopes to regulate, the CCPA is a complicated law. A fact sheet issued by California’s Attorney General says it gives consumers the right to know when personal information is collected, shared, or sold.
It also gives consumers the right to delete the data held by a business or a business’s “service provider” — the latter distinction familiar to those in the retirement industry.
“The language seemed so broad that it encompassed a lot of things the bill wasn’t intended to regulate,” explained Rouse. The data swept under the law could be applied to any employee information—a home address, an email, a social security number.
And that includes virtually all of the other information on an employee that’s needed to offer and deliver the most basic of workplace benefits, to say nothing of the more bespoke offerings that have emerged in the retirement space that tailor specific solutions to specific data sets.
“The law basically encompasses any information that can be linked to an individual—fundamental information that retirement and benefits plans need,” explained Kevin Walsh, a partner at The Groom Law Group.
“Privacy laws are designed to regulate how big data is being used to market to consumers,” explained Walsh. “If the laws are drafted too broadly, they can interfere with a whole bunch of services society views as good things. In the retirement system, it’s accepted that we want third parties to look out for participants’ interests. None of that operates without allowing service providers to use plan data.”
Cali’s lawmakers willing to listen—at least for now
SPARK created a data privacy committee in the wake of the European Union’s passage and implementation of the General Data Protection Regulation in 2016. Initially, SPARK’s members were 50-50 on that regulation’s impact on the retirement sector, said Rouse. But as California’s initiative emerged, more members said data privacy laws were correlated to the provision of retirement benefits.
SPARK hired The Groom Law Group to lead its lobby effort in California. It worked—or has so far. Last year, before the law was implemented, the legislature passed an amendment that exempts employers from the CCPA relative to information collected on a job applicant, an employee, or contractor of that business.
“There was a lot of resonance with the message that employers need to use employee data to deliver benefits,” said Walsh. “Lawmakers listened—it was kind of an ‘ah ha, how did we forget that’ moment.”
But a significant problem remains. The amendment that protects the provision of retirement benefits from the regulation is scheduled to sunset at the end of 2020.
Why an amendment was passed with such a short shelf life is not clear. But California’s Attorney General has issued a revised proposal that would change language in the original bill to specify the definition of employee benefits, and define the administration of employee benefits as a business purpose that is exempted from the CCPA’s broader restrictions on data collection.
A 15-day comment period recently closed on the proposed revisions. Other industry businesses and trade groups, including Alight Solutions and the American Benefits Council, also weighed in.
“There is still work that needs to be done,” said Rouse. Washington State is in the process of crafting a data privacy law that includes a benefits carve-out that he said may not be broad enough. Industry is also at work developing technologies that would give participants greater control over how their data is used, both Walsh and Rouse said.
And at the federal level, data privacy proposals are being drawn up in both chambers of Congress.
That could ultimately create legal friction if a federal statute is at odds with the states that first crossed the finish line.
“Congress is clearly looking at this,” said Walsh. “Preemption will be a key issue—will a federal standard apply nationwide. Complying with 50 different data privacy laws would be a nightmare for sponsors, and not good for participants.”