Plan advisers get some relief on proposed California privacy regs

The state's new data-privacy law created a disclosure headache

California issued a range of proposed revisions to its sweeping Consumer Privacy Act Friday, including changes that specifically affect employer-sponsored retirement plans.

The consumer-friendly act, which followed the European Union’s 2016 General Data Protection Regulation, requires many businesses to disclose, upon request, what information they keep on customers and allow people to opt out of having their personal data sold. In many cases, customers can also have their data deleted.

A big question for retirement plan service providers is whether they would be exempt from some of those requirements, much as employers are.

“It was a positive step forward,” said David Levine, principal at Groom Law Group. “There was really nothing [previously] about benefits plans in the CCPA regulations. There’s even very little information about the employer-employee relationship.”

The revisions clarify that disclosures for benefits plans fall into their own category and are not the same as those that must be made by companies like Facebook, Mr. Levine said.

“It makes it a lot easier to explain that we are using your data to provide benefits to you,” he said.

Importantly, the proposed changes to the law arguably show that a single disclosure from an employer about the data gathered for benefits plans is sufficient, meaning that not every service provider or adviser serving a plan would have to make subsequent disclosures, Mr. Levine said. But the industry will nonetheless be seeking additional clarity from the state, he said.

Such clarification is particularly relevant given the expansion of services that advisers provide, which often span retirement, health and wealth management, he said. And with the increasing number of acquisitions among RIAs, that span is becoming even more significant.

“Given the consolidation in the industry right now, [with the integration of practices and advisers] … CCPA could come into play for some of these advisers,” Mr. Levine said.

The new law tasks employers with notifying employees and job candidates about what data the company keeps. Employers must also take steps to ensure that the information is secure.

The consequences for infractions can be high. A data breach following “failure to implement reasonable security measures” can cost employers $100 to $750 per person affected “or their actual damages, whichever is greater,” a paper published last year by law firm Fisher Phillips stated.

Parts of CCPA went into effect Jan. 1, but most businesses that are affected by it were given an extra year to prepare for the full list of requirements.

In October, the state indicated that it planned to make several changes to the text of the law, including an outline for how businesses must notify customers about their rights to control their personal data and how quickly companies must respond to requests.

The revisions issued Friday provided some relief for workplace benefits, showing that employers do not need to provide links titled “Do not sell my personal information” to 401(k) participants. Further, employers can provide paper copies of their privacy policies, rather than electronic copies.

One industry group wanted to know just how much responsibility plan service providers will have.

In its December comment letter to California Attorney General Xavier Becerra, the Spark Institute asked the state to clarify whether a single notice to plan participants will suffice.

“Employers, plans and service providers are required to gather information in a variety of ways, and having each service provider send its own notice or having a separate notice provided each time a new category of information is needed would be cumbersome and impair the benefits system,” the group wrote.

There is a related and potentially highly consequential reason why plan service providers do not want to have to make multiple disclosures – it can provide written evidence that they use participant data to cross-sell services, said Jason Roberts, CEO of the Pension Resource Institute. Whether participant data is a plan asset is still a question, and class-action litigation involving prohibited transactions is a danger to record keepers, Mr. Roberts said.

The proposed revisions also allow plans to make general disclosures about what data they have and how they use it, rather than having to make multiple disclosures for the different uses for different bits, he said.

“Now, there is ostensibly more cover [for service providers], so you are not specifically linking the business use case with the particular category,” Mr. Roberts said.
