On January 1, 2020, entities doing business in California will have to comply with the California Consumer Privacy Act (CCPA), a first-in-the-nation consumer privacy law that grants numerous privacy rights to California residents. The CCPA will require thousands of businesses, including cannabis businesses, to undertake significant compliance efforts or risk substantial penalties. For cannabis businesses, however, compliance efforts must be considered in light of other applicable privacy laws.
The CCPA applies to for-profit legal entities that collect “personal information” of California residents, do business in California, and: (1) have annual gross revenues in excess of $25,000,000, (2) buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices; or (3) derive 50% or more of their annual revenues from selling California residents’ personal information.
The CCPA defines “personal information” incredibly broadly to include any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That includes not only core personal identifying information such as credit card and social security numbers but also names, IP addresses, email addresses, website browsing history, information concerning a consumer’s interaction with a website (e.g., cookies), medical information, biometric information, and geolocation data, among other categories. In other words, if a business has a store in California or a web page that sells to California residents, it will have personal information of California residents subject to the CCPA.
Cannabis businesses that are subject to the CCPA will need to identify what types of personal information they collect about California residents. For example, does the business collect and store names and contact information when customers pay? Does it collect email addresses and other personal information for newsletters, blogs, rewards programs, or “contact us” features on its web page? Does the business’s web page utilize cookies that will trigger the CCPA?
A business that is subject to the CCPA, will need to undertake numerous compliance efforts, including:
• Drafting/revising its online privacy notice to disclose the types of personal information it collects about California residents and how that information is shared with third parties;
• Responding to requests from California residents to provide the specific pieces of personal information the business has collected about them for the twelve-month period prior to the request;
• Allowing consumers to request that their personal information be deleted; and
• Not discriminating against consumers for exercising their rights.
The CCPA also requires businesses to provide an online mechanism for consumers to opt-out of having their personal information sold to third parties. However, California cannabis dispensaries will need to consider that provision in light of Cal. Bus. & Prof. Code § 26161.5, which prohibits dispensaries from disclosing a consumer’s personal information to a third party, except to the extent necessary to process payments or if the consumer has consented to the disclosure. Notably, Section 26161.5 uses a definition of “personal information” that is narrower than the CCPA’s definition. Consequently, California dispensaries will still need to allow California residents to opt-out of having certain categories of personal information sold to third parties.
Similarly, California cannabis retailers that serve medical marijuana patients will need to analyze how the CCPA’s exclusions of “medical information” and “provider of health care” under the Confidentiality of Medical Information Act apply to their businesses. To ensure compliance, covered businesses will need to conduct a gap analysis to determine what personal information is subject to the CCPA and what is excluded.
The potential consequences of not complying with the CCPA are substantial. The CCPA authorizes the California Attorney General’s office to levy fines of up to $2,500 “per violation” or up to $7,500 “per each intentional violation.” It is unclear whether the AG’s office will apply the term “violation” on a per consumer basis or whether multiple violations of the same privacy right will be aggregated into a single violation.
The CCPA also authorizes consumers to sue businesses if their personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” In such instances, consumers can seek statutory damages of between $100 and $750 per consumer, per incident. For data breaches affecting numerous California residents, the potential damages could be staggering.
Although the CCPA was enacted in 2018, it will not go into effect until January 1, 2020, and the Attorney General cannot bring enforcement actions until six months after it publishes interpretative regulations or July 1, 2020, whichever is sooner. Nonetheless, because the CCPA allows consumers to request their personal information from businesses for the prior twelve months, the CCPA is effectively already operative, at least with respect to that privacy right.
To ensure compliance with the CCPA, businesses will have to undertake significant efforts, including mapping what personal information flows into and out of the business and whether that personal information is covered by the CCPA or if an exception applies; developing and implementing work flow processes to handle consumer requests; drafting/revising online privacy notices; implementing information security policies; and modifying contracts with third parties.
