Authored By: Chris Nani
A European Union regulation may soon shape the way U.S. cannabis companies create their privacy policies and standards. The European Union will fully implement the General Data Protection Regulation (GDPR) by May 25, 2018.
The regulation is designed to protect E.U. citizens personally identifiable information. Protections include:
(1) giving notice to consumers on how their data will be collected and used;
(2) explicit consent from the consumer to allow the collection of their data;
(3) pseudonymisation which requires all personal data is encrypted so it cannot be identified back to the consumer without additional data;
(4) notice of any data breaches within 72 hours to the consumer;
(5) the right to access any data collected on the consumer and
(6) a limited right to destroy data about oneself.
The GDPR applies to any company that works within the E.U. and to all E.U. citizens globally. For international companies such as Coca-Cola, adopting the GDPR privacy standards now rather than later will save them money. Companies that violate the GDPR can face fines up to either 4% of their total revenue or $24,696,000 whichever is greater for the most serious infringements of a citizen’s privacy.
The GDPR is the highest standard of privacy regulation any world organization has created. By complying with the GDPR, international companies will not only be able to advertise their global compliance but will also quell any hesitations a privacy-sensitive consumer would have.
For example, someone who uses Netflix within the E.U. will have all of their data protected under the GDPR. All of their searches, movies watched, and personal information is protected and if Netflix were to give their information to a third party without their consent Netflix would be fined. The fine acts as a powerful deterrent to any company who normally in their privacy policies waives the right of consumer privacy and markets their information to third parties. Companies now must explicitly ask the consumer beforehand and provide opt-outs for any consumer who doesn’t wish to share their information.
But, how does this effect the U.S. cannabis industry?
Currently, all cannabis in the U.S. is grown and regulated within each individual state. Cannabis can’t be grown in Colorado and sent to another state or country. However, there are two major benefits for complying with the GDPR even though the E.U. would not normally have jurisdiction to fine any local U.S. company.
First, the GDPR can be used as a privacy standard to model a businesses’ privacy policy. Many consumers are afraid their employers, the federal government, or hackers may breach their data and find out they’re cannabis users. By increasing privacy precautions with pseudonymisation and requiring notice of what dispensaries are collecting, cannabis businesses can reassure patients their information will be secure. Regardless if its recreational or medical, due to the sensitive nature of a person’s choice to consume cannabis; dispensaries would be wise to ensure patient confidentiality. Medical dispensaries can further legitimize themselves by enacting their own privacy policies similar to the GDPR.
Recently, companies like MJ Freeway have been targeted for cybersecurity breaches. In six months, they experienced two breaches.
MJ Freeway sells a point-of-sale (POS) system to dispensaries and if they had followed GDPR procedures they could’ve minimized the data breach. Their source code which was used to encode and develop the POS was posted online.
No patient information was exposed but the entire operating system was, which hackers could use to figure out how to access patient information.
If MJ Freeway complied with the GDPR, not only would any breached data have been encrypted but they also would have been required to notify all patients of the breach within 72 hours even if the breach did not directly expose their personal information. It’s important to establish a good reputation to maintain clientele and build a business. The GDPR is a consumer-protection regulation meant to foster good will and trust between the consumer and the producer.
Secondly, international companies that have some of their business in Europe must comply with the GDPR. It makes sense then to implement a uniformal privacy policy for efficiency. The GDPR will be the stringiest privacy regulation enacted and by complying with it, companies won’t have to worry about changing their standards based on their location. Although no U.S. cannabis grower is international, many other cannabis-related companies are. The consequences of not complying with the GDPR would be not having access to the E.U. market.
MJ Freeway markets services for companies globally. By using the “gold” standard for data privacy globally, MJ Freeway wouldn’t have to worry about major compliance issues because it would be following the GDPR. It’s easier to manage one privacy policy over multiple ones and in addition consumers will always want more privacy and security over less. In 2013, Yahoo had over 3 billion user accounts breached. A company once valued over hundreds of billions of dollars was sold three years later to Verizon for $4.48 billion. Data security is tantamount to consumers and companies that comply with the GDPR will have an advantage over others and their clients will appreciate the additional security.
“Chris Nani, law student at Ohio State University, graduating in 2019.
He currently is looking to break into the field of cannabis law through blogging and meeting new attorneys.
If you’d like to contact Chris about his article or have any comments for him you can reach him at nani.4@osu.edu.”
