Cannabis, Cybersecurity and Data Privacy – What should you do right now under the approved CCPA regulations

Where the Legalized Cannabis Industry Stands Today with the CCPA

Just this past week, the Office of Administrative Law (“OAL”) for California approved the California Consumer Privacy Act of 2018 (“CCPA”) regulations, submitted by the state’s Attorney General (“AG”) in June. Those regulations went into effect immediately (more information on the scope & requirements of the CCPA can be found here). For industries like legalized cannabis, the CCPA will usher in a new era of regulatory compliance and enforcement given the industry’s rich practice of personal data collection and retention.

The cannabis industry already faces some hefty regulatory challenges. With a mixed approach under a patchwork of state laws to legalized cannabis across the country, cannabis law is very similar to data privacy laws in that there is no cohesive and uniform approach. It is then not surprising that those states that have legalized cannabis, or at least approved its medicinal use, also have either a data privacy law/regulation or a proactive cybersecurity law in place. In our published article last month titled, “In the Cannabis Industry, Profitability and Data Privacy/Security go Hand-in-Hand,” we discussed that states like California require registered cannabis businesses to trace and inventory how cannabis products move through the business. This requires those businesses to maintain certain data for a specified period of time thereby predictably increasing data security risks, but these data maintenance provisions are substantially impacted by state data privacy laws which should influence how the business treats its data. 

So the most pressing question we see at the moment, with the CCPA regulations now having been given immediate effect and with an active AG looking to enforce them, is this: how can businesses in the legalized cannabis industry effectively and efficiently approach data privacy right now while maintaining future profitability/revenue projections and growth forecasts?

First Things First – What is the California Consumer Privacy Act of 2018?

The most impactful, and likely well-known, data privacy law affecting the legalized cannabis industry is the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA passed on June 28, 2018 and went into effect on January 1, 2020. Although the CCPA went into effect on that date, the California AG was not authorized to begin enforcement until July 1, 2020. On June 1, 2020, the California AG’s office released the third and final set of CCPA proposed regulations (cited above) that were approved on August 14, 2020 by the OAL.

The CCPA gives California resident consumers improved transparency, greater control and a way to protect their personal data from businesses that collect it. For our further insights into the CCPA, check out a previous blog post back in March from XPAN, “A Step-by-Step Guide to the CCPA.” In sum, the CCPA impacts any for-profit business that collects, stores and retains data on a California consumer. Data impacted by the CCPA includes a consumer’s name, driver’s license, mailing address, social security number, purchasing history, and consumer tendencies, which is the kind of personal data legalized cannabis businesses are directly required to collect.

With regulations having gone into immediate effect, it is now time (really past time) for corporate decision makers to take action and assemble the right team that can successfully bring the entire organization into compliance to avoid potentially costly fines and enforcement actions. While many organizations had hoped that the AG would delay enforcement actions as a result of the pandemic, XPAN has been stressing the value of being proactive and responding early to their corporate concerns over enforcement consequences and non-compliance problems. During a recent keynote presentation to the Association of Privacy Professionals, California’s Supervising Deputy AG, Stacey Schesser, confirmed that initial letters were already sent out to allegedly non-compliant businesses. Among the targeted companies were those businesses with deficient key privacy disclosures on their websites and those identified in consumer complaints. It would appear that California is wasting no time in gearing up its enforcement actions.

3 Things Your Cannabis Company CAN/SHOULD DO Right Now to Prepare for CCPA Enforcement? 

With the AG squarely focused on enforcement, what should cannabis organizations do TODAY to prepare for the onslaught of compliance? 

First, ensure that your online presence is compliant. 

Legalized cannabis maintains a strong online presence. It appears that the AG looked closely at the proverbial low-hanging fruit to start enforcement actions. Carefully review your online privacy notice/policy. Don’t rely on a privacy notice that your organization “borrowed” from another website or obtained from a non-lawyer. This will simply not work. Privacy notices are specific to how your organization collects, stores and shares consumer data and should be deliberately tailored as such. Remember, a privacy notice is your legal “agreement” with online consumers. The privacy notice should accurately reflect your specific business practices. Failure to make sure that your privacy notice is compliant and up-to-date can result in enforcement actions not just from the AG but also the Federal Trade Commission (“FTC”) that regularly monitors websites. 

Second, understand the comprehensive nature of the data collected. 

Legalized cannabis businesses are required to collect and store certain data. Knowing where that data is coming from, providing a legal basis for collecting that data, and storing sensitive data securely are key components of compliance. Keep this in mind too: California is not the only “game” in town. Legalized cannabis businesses are most likely collecting personal data from other states as well. Those states may have their own data privacy laws, e.g., Nevada SB 220, or data security laws, e.g., the NY SHIELD Act. Be particularly mindful that the law follows the consumer and the data. Just because your business is not in New York does not mean NY SHIELD does not apply to you.

Third, make sure you have, above all else, assembled an experienced team with knowledgeable legal counsel and technical analysts. 

Since the legalized cannabis industry is already highly regulated, it is critical to have well-versed privacy counsel that specifically understands the complexities and nuances of these data privacy and security laws and how they apply to the needs of your corporate organization and industry. This is not an area where you want a general practitioner navigating the road ahead, but a skilled data privacy surgeon that knows the law, technology and how to combine the two. Painting your company’s compliance canvas with broad strokes will simply not satisfy the organizational requirements under the CCPA and will lead to unnecessary headaches and expenses when it comes to answering an enforcement complaint. Make sure you have a team that’s responsive, not just reactive, to be able to address these urgent and complex issues.

The legalized cannabis industry already faces scrutiny by the very nature of its business. Therefore, it is imperative that legalized cannabis businesses take privacy regulations seriously. Enforcement is here and happening now, so delay is just not an option. 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.