Do dispensaries share information with the government California

On January 1, 2020 the California Consumer Privacy Act (“CCPA”) took effect. The CCPA promises, among many things, strengthened protection of consumer data for California residents, specifically in the use and sale of their data to third parties, and the right to know what that data is.[1] The CCPA was enacted in 2018, the same year California allowed recreational sale of marijuana.[2] Legalized recreational sale promised economic prosperity by expanding the cannabis industry beyond medicinal use, but with this expansion came several regulatory questions and novel issues specific to the cannabis industry—one of which is consumer data privacy. Medicinal use of marijuana has been legal in California since 1996,[3] and is protected by acts such as the Medical Information Act which requires confidentiality of a patient’s medical information.[4] But for companies engaged in the sale of both recreational and medically prescribed marijuana, additional measures to protect consumer data for recreational sales are required. At the federal level, marijuana is classified as a schedule one controlled substance making its use illegal under federal law.[5] The tension between state and federal marijuana laws make consumer privacy protections all the more significant for consumers.[6]

Under California Business Code § 26161.5, licensed cannabis companies are prohibited from disclosing “personal information” to third parties except for reasons that are needed to make the transaction (such as payment information).[7] Section 26161.5 limits personal information to the civil code’s definition of information such as name, address, and social security number.[8] However, this definition of personal information is much narrower than the CCPA.[9] The CCPA’s broader reading of the term personal information includes any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[10] 

The CCPA has three key data requirements for businesses. The first is the disclosure of the company’s data collection and sharing practices to the consumer.[11] This means that the consumer has the right to inquire and learn about personal data the company collects. Second, the CCPA provides consumers the right to request the deletion of their data.[12] And third, it provides the consumer’s right to option out of having their data sold and/or shared.[13] This means that if the consumer does not ask for their data to be deleted, they can request for their information to remain between them and the company. In summary, these definitions and requirements create a mandate for companies who fall under the CCPA to fulfill consumer information requests about data collection—in any of these categories—and to delete or option out of having it shared with others.[14]

Additionally—and particularly of interest for the protection of cannabis users’ data—the CCPA applies only to companies that generate annual revenues of more than 25 million dollars, interact with data of 50,000 or more consumers, or derive half or more of their annual revenues from the collection and selling of consumer information.[15] Currently, most California cannabis companies fall short of the revenue figure that would require compliance with the CCPA.[16] However, despite not falling under the CCPA’s mandate, many cannabis companies are, nonetheless, taking measures to comply with the act.[17] Company executives and boards forecast that cannabis industry developments such as consolidations and mergers will lead to significant revenue increases, therefore subjecting them to the CCPA requirements. With this in mind, executives are beginning to take proactive measures by putting privacy protections in place.

The increase in demand for privacy protections will likely come from cannabis consumers. Concerns over the social stigma marijuana has historically carried may worry users when it comes to jobs and health benefits because despite its legality, some employers and agencies continue to test and screen for its use.[18]  Cannabis companies will likely respond to these pressures by taking actions that closely align with the requirements of the CCPA in order to keep consumers satisfied even if they do not fall under its jurisdiction. Going forward, cannabis companies will need to carefully inspect the data they collect to understand the CCPA’s current and future applicability. For California cannabis consumers, the CCPA provides an extra safety measure needed in an industry that evolves and grows day by day.

Nobody loves privacy like a cannabis user. So as regulators prepare to enforce California’s landmark privacy law, companies in the state’s burgeoning marijuana industry are motivated by customers to comply.

Pot companies are updating business practices, changing websites, and revising policies as directed under the California Consumer Privacy Act. They want to show state officials they’re up to the task of meeting the requirements even though many of them don’t yet fall under the law’s jurisdiction, attorneys and company executives said.

“With all the scrutiny in the industry, you don’t want to be part of a regulator’s naughty list,” said Paige Pembrook, business and cannabis attorney at Ad Astra in San Francisco.

Companies generally fall under the California law’s jurisdiction if they have at least $25 million in annual revenue and collect data on at least 50,000 residents, households, or devices. The law, which will be enforced starting July 1, lets consumers demand that companies delete their personal information in many instances or stop selling it to others, among other new requirements.

Much of California’s pot industry likely falls short of the revenue figure that would require compliance, said John Kagia, chief knowledge officer at New Frontier Data, a cannabis industry data analytics company. “That is likely going to change relatively quickly,” he said.

The California legal cannabis market is expected to more than double its revenue by fiscal 2024 to $7.13 billion from roughly $2.96 billion in fiscal 2019, according to cannabis data firm BDS Analytics.

With industry consolidation, “you’ll have more and more that reach that $25 million threshold,” said Robert Mikos, a professor at Vanderbilt Law School who focuses on cannabis policy.

While it’s unknown how much information pot companies now hold on consumers, they’ll “have to start dealing with more and more data” as they get more customers, said Stuart Bartow, technology and intellectual property partner at Duane Morris in Palo Alto, Calif. That will increase the number of companies required to comply with the law, he said.

Taking Action

Some companies started compliance more than a year before the California law went into effect. Others are beginning efforts even though they don’t yet have to.

MedMen Enterprises Inc., which announced cannabis delivery statewide in California last year, started preparing in late 2018, more than a year before the privacy law took effect, said Morgan Sokol, the company’s executive vice president of regulatory affairs.

MedMen is also looking ahead to new state privacy laws. The company wants to comply, “even when it’s not legally required,” Sokol said.

Cannabis company Columbia Care Inc., with three locations in California and others across the U.S., is using customer data only if “we have consent,” said Kate Driscoll, the company’s vice president of compliance.

The cannabis industry’s embrace of the law contrasts with complaints voiced by the state’s technology sector. The U.S. Chamber of Commerce, tech businesses, and advertisers are all pushing for a federal law to preempt the California statute because of compliance costs and unclear rules.

Marijuana users are highly sensitive to the need for privacy that the California law promises to deliver, and “we respect that,” said Adam Goers, Columbia’s vice president of corporate affairs. Customers worry, for instance, that if their pot use ever became public, their veteran benefits or jobs would be in jeopardy, he said.

Marijuana users also fear that the information pot companies collect about them, such as driver license data and other identifying information, could fall into “the wrong hands,” said Dale Gieringer, state coordinator for the cannabis advocacy group California NORML. Gieringer said he hasn’t heard consumers complain about any pot company privacy violations.

Marijuana firms that opened medical dispensaries as early as 1997 were in a good position to prepare for the California law, said Lara DeCaro, businesses and cannabis partner at Leland, Parachini, Steinberg, Matzger & Melnick LLP in San Francisco. The companies “grew up collecting very sensitive health data,” she said.

Eaze Technologies Inc., an online platform that connects cannabis users and licensed retailers, hired a privacy counsel, conducted a data audit, and determined which of its business practices aligned with the California law, said Elizabeth Ashford, a company spokeswoman. It also examined how the company was communicating its information-protection practices with the public, she said.

Marijuana companies under heavy scrutiny know a compliance failure can shut them down, so “when a new law comes out, we are ready to roll,” Ashford said.

California Requirements

California law requires covered-businesses to delete consumer data when asked in certain situations, honor customer data sale opt-out requests, and allow access to data being collected about them. The law requires that companies be clear in privacy policies about data-use practices.

Eaze, and cannabis dispensary finders such as WeedMaps, are highlighting consumer rights under the California law in their privacy policies and allowing state residents to access, delete, and correct collected data. Carl Fillichio, spokesman for WeedMaps, declined to comment.

Jay-Z-backed Caliva said in its privacy policy that it won’t discriminate against consumers for exercising rights under the California law. However, as allowed under the law, it can offer financial incentives “that can result in different prices, rates, or quality levels,” according to the policy.

Emma Shor, a public relations representative for Caliva, said “all relevant information surrounding their privacy policy is listed on their website,” but she declined to comment further.

Despite the compliance efforts, many pot companies are not ready for the new law, said Griffen Thorne, data security and cannabis attorney at Harris Bricken in Los Angeles.

“There’s a need in the cannabis industry to do the thing that is immediately in front of you,” Thorne said. That includes getting licenses and permits, he said. “Data privacy can often times take a back seat.”

Marijuana businesses should consider adopting privacy policies similar to what the California law requires to get ahead of future compliance hurdles, DeCaro said. They should look at contracts they have with software providers to make sure they protect consumer data, she said.

Other retailers have “come to the incorrect conclusion that they aren’t covered” by the law, DeCaro said.

Such companies can reach the data-collection threshold that requires them to comply through their marketing activities, such as loyalty programs and email lists, DeCaro said. That “shoves a lot of them” under the jurisdiction of the California law, he said.

To contact the reporter on this story:Daniel R. Stollerin Washington at [email protected]

To contact the editors responsible for this story: John Hughes at [email protected];Keith Perineat [email protected]

Why do dispensaries scan your license in California?

Can Uscis access dispensary records?

Do dispensaries share information with the government reddit?

Do dispensaries take out of California ID?