Effective Management of Cannabis Consumer Data Risks
By Dan Goldstein, Founder, Cannabis Privacy and Security
With cannabis now legal for recreational use in 15 US states and for medical use in 35 states, the cannabis industry has moved strongly toward broad-based legitimacy. As is often the case with new and high-value business opportunities, there has been a rush to engage consumers, move product and achieve profitability, often without recognizing or acknowledging relevant privacy and data security risks. In the cannabis industry, those risks manifest in numerous ways across business systems and processing activities, and with dispensaries typically collecting visitor IDs and tracking visits and purchases, good business practices dictate that these risks be addressed.
Maximizing Data Value with Privacy in Mind
As cannabis businesses begin to mature, owners are realizing the value of the personal data they have been collecting, as well as the challenge of containing and proactively managing multi-directional threats to that data. Personal data about cannabis customers can be leveraged to generate a high level of added value over the life of the customer relationship. Loyalty programs, for example, have been proven for decades to help businesses retain customers and increase the lifetime value of those customers by providing them with value-based rewards. The trade-off for consumers choosing to participate is that they generally must agree to allow the retailer to track aspects of their behavior, such as visits or purchases, thus allowing the business to target them with products they are likely to buy.
In order for a business to make such use of the data, the consumer must be informed of and agree to such use. This is typically done by making a privacy notice available at the time the consumer’s personal data is collected. The notice should inform the consumer of the type of data being collected, as well as the anticipated uses of the data, including any sharing with third parties. The notice should also describe, with a reasonable level of detail, the manner in which the personal data is protected while in the possession of the business.
Providing such a privacy notice is not only a good customer practice that makes customers more likely to agree to share their information; it is also required by some state and federal laws. For example, Section 5 of the Federal Trade Commission (FTC) Act prohibits unfair or deceptive business practices. The failure to inform customers of the use of their personal data, as well as how a business will safeguard that data, has been held (in various instances) to be both unfair and deceptive. State laws, such as the California Consumer Privacy Act (CCPA) and state breach notification laws, add to the urgency to safeguard personal data and implement compliant privacy practices.
By informing consumers about how their personal data will be used, cannabis businesses empower their customers to make an informed choice about whether they want to provide their information, thus improving customer satisfaction and limiting later complaints to the business, law enforcement or regulators. This can be particularly important, for example, if data is shared with a third party that experiences a breach which includes data originally collected subject to the original notice. In such an instance, the business can demonstrate that the consumer was informed of the sharing and chose to provide their personal data with that knowledge.
Consumer-centric data is highly attractive to bad actors who know its value and seek the opportunity to exploit it. This is realized in numerous ways, including obtaining and selling the data, or holding the data for ransom with the threat of releasing it publicly. Cannabis businesses should consider the potential reputational impact to individuals whose data is subject to a ransomware attack where the perpetrator (upon the business deciding not to pay the ransom) releases information on customer purchases. While cannabis for medical or recreational use is reaching unprecedented levels of acceptance, there remains a level of taboo. The impact to individuals of such a revelation could include termination from jobs and damage to reputation, potentially affecting future employment and personal relationships.
All US states now have some level of data breach laws on the books, generally requiring notification to individuals whose personal data is exposed or exfiltrated as a result of a security breach. The direct monetary cost of personal data breaches is quite high, reaching approximately $150 per compromised record. Additionally, if personal data of California residents is breached, the CCPA allows private rights of action with statutory damages of up to $750 per record (or actual damages) where it can be demonstrated that the company holding that data did not have reasonable security controls in place. Calculated out over a reasonable number – say 10,000 records of California residents accessed and up to $750,000 in damages – the financial risks begin to become very clear.
Those seeking unauthorized access to personal data will exploit vulnerabilities where they can find them. Point-of-sale systems have a history across business verticals of providing these access points. While the cannabis dispensary environment has typically required cash transactions due to federal restrictions, automated point-of-sale systems have been making significant headway into the marketplace. Unfortunately, hackers have gained access to some such systems and breached personal data of cannabis consumers. A noteworthy breach in early 2020 exposed scanned government-issued identification cards, as well as full names, phone numbers, dates of birth, signatures, sales figures and other personal information of dispensary customers. As the cannabis industry continues to grow, instances such as this will become increasingly common, making secure data environments and strong incident response plans a necessary business focal point.
Managing Customer Data Risks
There are a number of actions cannabis businesses should take immediately to meet critical business objectives such as maximizing data value, limiting data risks, enhancing customer trust and effectively complying with legal and regulatory obligations. Some simple remedial actions, such as drafting and publishing (or updating) publicly facing privacy notices, can be readily addressed with proper guidance. However, to adequately safeguard the personal data of their customers, cannabis businesses should also undertake to gain a full understanding of the systems, applications and data stores in which personal data is located, as well as how it is being processed and shared with third parties. For example, some loyalty programs integrate with point-of-sale systems to track purchases and reward customers. Gaining an understanding of such data flows allows the business to effectively manage and safeguard the data, whether through contractual agreements or implementation of technology solutions such as encrypting customer data in transit to service providers. It also supports thorough responses to individual rights requests under laws such as CCPA, which grants individuals the right to request access to or deletion of personal data. Creation of such a data inventory and “mapping” is critical, particularly in instances of potential breaches or rights requests.
Other practical steps include knowing which service providers have access to your customer data and ensuring that they provide a secure data environment. Prior to engaging such providers, information should be obtained which demonstrates the manner in which they secure the personal data to which they will have access (e.g., information shared with a loyalty program provider). This can be presented in a series of targeted questions about their data processing environment and infrastructure, as well as requests for security policies and/or evidence of compliance with standards such as SOC2, which reports on controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy of an organization.
Cannabis businesses should also draft and operationalize comprehensive security policies and supporting procedures that, at a minimum, address fundamental components such as strict access control protocols and potentially encrypting high-risk data (such as customer identification and purchase histories) at rest and in transit. Further, an operational incident response plan that facilitates rapid and effective detection of and response to security breaches is essential.
State legalization of cannabis use has spawned a new and rapidly growing industry. The business opportunities are tremendous, but clearly not without risks. The rush to market and profitability often leaves critical risk factors such as privacy and security as an afterthought. While good, clearly communicated consumer privacy notices are a key factor in limiting privacy risk, we also know that where there are data-rich environments, unauthorized parties will seek to gain access to that data and monetize it for their own purposes. Cannabis retailers and dispensaries need to take a thoughtful approach to safeguarding their customers’ personal data and establishing privacy and security programs that mitigate risk and facilitate compliance with applicable laws.
 Ponemon Institute, Cost of a Data Breach Report 2020.