Privacy and Security for Cannabis Business: Often Overlooked, Always Critical

Over the past several years, the cannabis industry has emerged from the shadows.  Whether the sale and use for medical purposes, or sale for recreational use, this new acceptance of cannabis has led to a burgeoning new industry.  Of course, legitimacy and the potential for unprecedented financial success has also drawn the attention of bad actors who know the value of digital data and sniff out the opportunity to exploit it.  Many cannabis business owners are just beginning to recognize the extent of the challenge of containing and proactively managing multi-directional threats to their data and meeting rapidly evolving legal obligations like the California Consumer Privacy Act (CCPA) and other emerging state laws.

​

​California Dispensaries and CCPA

​​

The CCPA comes into effect in January of 2020 and applies to for-profit entities that collect personal information of California consumers, conduct business in California, and:

​

• have annual gross revenues in excess of $25,000,000;

• buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices; or

• derive 50% or more of their annual revenues from selling California residents’ personal information. 

​While this will not necessarily apply to “mom and pop dispensaries, it will apply to the larger corporate players.

Perhaps the biggest immediate impact of CCPA on covered businesses is the right of individuals to request access to or deletion of personal information (including deletion from service providers that may be processing such personal information).  Individual rights also include the right to opt-out of sale of personal information, however this will have limited applicability, as cannabis dispensaries are already prohibited from disclosing personal information to third parties except as necessary for payment purposes.

​

CCPA also adds to the urgent need for cannabis businesses to safeguard personal information of their customers, suppliers and others whose personal information they process.  While nearly every US state has personal data breach notification laws on the books, CCPA includes an enhanced a private right of action which allows individuals to bring civil suits seeking statutory damages in the event that their personal information is subject to a data breach.

​

Preparing to Comply

In order to effectively comply with CCPA obligations and similar state laws that we expect will follow in 2020, cannabis businesses need to act quickly.  Some simple remedial actions, such as updating publicly facing privacy statements, can be readily addressed with proper guidance.  However, covered cannabis businesses will also need to undertake to ascertain where personal information is located, as well as how it is being processed, shared and stored in order to effectively respond to individual rights requests.  Creation of a data inventory and “mapping” that enables this response is critical.  A documented process should also be developed and implemented that supports responding to requests in a manner that meets the requirements of applicable laws such as CCPA.  Such a process should address the lifecycle of the request, including intake and verification of the validity of the request, establishing timelines that meet requirements for responding, and identifying data stores to enable full and compliant responses.

​

Of course, addressing the security of personal information is of at least equal importance, as the unauthorized disclosure of personal information of dispensary customers has potentially significant adverse consequences to those customers, including damage to personal and professional reputation.  Covered cannabis businesses should draft and operationalize comprehensive security policies and supporting procedures that, at a minimum, address fundamental components such as strict access control protocols and potentially encrypting high-risk data such as personal information at rest and in transit.  Further, covered businesses should have an operational incident response plan that facilitates rapid and effective detection of and response to security breaches.

Final Thoughts

State legalization of cannabis use has spawned a new and rapidly growing industry.  The business opportunities are tremendous, but clearly not without risks.  As we have seen in recent years, where there are data-rich environments, unauthorized parties will seek to gain access to that data and monetize it for their own purposes.  Cannabis retailers and dispensaries need to take a thoughtful approach to safeguarding customer personal information and establishing privacy and security programs that mitigate risk and facilitate compliance with applicable laws.