Privacy & Information Security Law Blog

The U.S. Government Accountability Office (the “GAO”) has launched an investigation into how retirement plan providers use data collected from 401(k) plan participants to engage in cross-selling of financial products. Cross-selling in this context refers to the practice of selling additional financial products (e.g., credit cards and life insurance) to an individual participating in a retirement benefit plan by using data acquired about the participant through their participation in the existing 401(k) plan.

The GAO’s investigation stems from a 2022 letter sent to the GAO by the Chair of the U.S. Senate Committee on Health, Education, Labor and Pensions and the Chair of the U.S. House Committee on Education and the Workforce. The letter requested that the GAO examine the need for federal data privacy laws applicable to retirement plans. The letter requests the GAO to investigate key questions, including:

• What types of data do retirement plan service providers and advisers collect about plan participants and beneficiaries?
• How is such data used for non-plan purposes?
• What privacy guarantees, if any, are made to participants and beneficiaries regarding the use of the data collected?
• What notice, if any, is provided to participants and beneficiaries when their data is shared with third parties?
• How, if at all, are participants and beneficiaries permitted to opt out of having their data used to market them with non-plan products and services or shared with third parties?
• What types of U.S. state data privacy laws are implicated when participant and beneficiary data is collected, shared, and used?
• How would a federal data privacy law preempt state privacy laws with respect to retirement plans?

The GAO is in the process of asking relevant questions to industry associations, retirement plan service providers, privacy advocates, and relevant federal agencies about plan data sharing practices. The GAO has not commented on the timing of the investigation.