(Photo: Shutterstock)

"Two tectonic forces" are on a collision course in California,says Tim Rouse, executive director of the SPARK Institute, whichadvocates on behalf of retirement plan providers. One stems fromthe larger digital economy, and consumers' and lawmakers' demandfor greater privacy and protection of the data individualsgenerate online.

The other comes from the workplace retirement and benefitssegment of the economy, and the growing consumer demand—fromindividuals and employer plan sponsors—for holistic financial direction tailored toindividuals.

Oops: CCPA's unintended consequences

In California, state lawmakers have been the first to takeaction to address what Rouse called the "justifiable movementaround data privacy."

Largely in reaction to the Cambridge Analytica scandal, whichinvolved allegedly pirated Facebook data from 87 million of theplatform's users, the California Consumer Privacy Act wasintroduced in early 2018, and signed into law at the endof June.

Like the digital universe it hopes to regulate, the CCPA is acomplicated law. A fact sheet issued by California's AttorneyGeneral says it gives consumers the right to know when personalinformation is collected, shared, or sold.

It also gives consumers the right to delete the data held by abusiness or a business's "service provider" — the latterdistinction familiar to those in the retirement industry.

"The language seemed so broad that it encompassed a lot ofthings the bill wasn't intended to regulate," explained Rouse. Thedata swept under the law could be applied to any employeeinformation—a home address, an email, a social security number.

And that includes virtually all of the other information on anemployee that's needed to offer and deliver the most basicof workplace benefits, to say nothing of the more bespoke offeringsthat have emerged in the retirement space that tailor specificsolutions to specific data sets.

"The law basically encompasses any information that can belinked to an individual—fundamental information that retirement andbenefits plans need," explained Kevin Walsh, a partner at The GroomLaw Group.

"Privacy laws are designed to regulate how big data is beingused to market to consumers," explained Walsh. "If the laws aredrafted too broadly, they can interfere with a whole bunch ofservices society views as good things. In the retirement system,it's accepted that we want third parties to look out forparticipants' interests. None of that operates without allowingservice providers to use plan data."

Cali's lawmakers willing to listen—at least for now

SPARK created a data privacy committee in the wake of theEuropean Union's passage and implementation of the General DataProtection Regulation in 2016. Initially, SPARK's members were50-50 on that regulation's impact on the retirement sector, saidRouse. But as California's initiative emerged, more members saiddata privacy laws were correlated to the provision of retirementbenefits.

SPARK hired The Groom Law Group to lead its lobby effort inCalifornia. It worked—or has so far. Last year, before the law wasimplemented, the legislature passed an amendment that exemptsemployers from the CCPA relative to information collected on a jobapplicant, an employee, or contractor of that business.

"There was a lot of resonance with the message that employersneed to use employee data to deliver benefits," said Walsh."Lawmakers listened—it was kind of an 'ah ha, how did we forgetthat' moment."

But a significant problem remains. The amendment that protectsthe provision of retirement benefits from the regulation isscheduled to sunset at the end of 2020.

Why an amendment was passed with such a short shelf life is notclear. But California's Attorney General has issued a revisedproposal that would change language in the original bill to specifythe definition of employee benefits, and define the administrationof employee benefits as a business purpose that is exempted fromthe CCPA's broader restrictions on data collection.

A 15-day comment period recently closed on the proposedrevisions. Other industry businesses and trade groups, includingAlight Solutions and the American Benefits Council, also weighedin.

"There is still work that needs to be done," said Rouse.Washington State is in the process of crafting a data privacy lawthat includes a benefits carve-out that he said may not be broadenough. Industry is also at work developing technologies that wouldgive participants greater control over how their data is used, bothWalsh and Rouse said.

And at the federal level, data privacy proposals are being drawnup in both chambers of Congress.

That could ultimately create legal friction if a federal statuteis at odds with the states that first crossed the finish line.

"Congress is clearly looking at this," said Walsh. "Preemptionwill be a key issue—will a federal standard apply nationwide.Complying with 50 different data privacy laws would be a nightmarefor sponsors, and not good for participants."