California is the largest cannabis market in the United States and it is soon to be the first state in the country with a comprehensive data privacy regime designed to protect consumers’ personal information. The California Consumer Privacy Act (“CCPA”) goes into effect on January 1, 2020, and will apply to companies with revenues in excess of $25 million that do business in California (as well as certain other categories of companies). Most cannabis companies with California operations will need to comply, even if they are not headquartered or incorporated in the state.
The CCPA vests California consumers with four main categories of rights regarding their “personal information” – a term that is defined broadly to encompass everything from consumers’ names and addresses, to their biometric information, to their browsing history. First, consumers have a right to have their information deleted; second, consumers have the right to opt-out of sale of their personal information; third, consumers have the right to request and receive disclosures about how companies collect and use their personal information; fourth, consumers have the right not to be discriminated against for exercising their CCPA rights.
Covered cannabis companies will need to modify their privacy policies to disclose these rights – including how consumers can go about exercising the rights – and to disclose certain information about how they use consumer personal information. Companies also need to establish policies on how to respond to consumers’ requests to exercise their rights, including what steps employees should take to verify the consumer’s identity and to assess whether the company needs to comply with the consumer’s request. Moreover, cannabis companies need to ensure their consumers’ personal information is adequately mapped so that employees know how to access the information in response to consumers’ requests.
Some of the CCPA’s finer points remain unclear, as California’s Attorney General has yet to promulgate regulations pursuant to the Act. Nonetheless, with the January 2020 effective date fast approaching, cannabis clients should begin compliance efforts now. Foley Hoag maintains a robust Privacy & Security Practice Group with a dedicated CCPA Compliance Team that can assist cannabis companies in complying with the Act.