Authored By: Chris Nani
A European Union regulation may soon shape the way U.S. cannabis companies create their privacy policies and standards. The European Union will fully implement the General Data Protection Regulation (GDPR) by May 25, 2018.
The regulation is designed to protect E.U. citizens' personally identifiable information. Protections include:
(1) giving notice to consumers on how their data will be collected and used;
(2) explicit consent from the consumer to allow the collection of their data;
(3) pseudonymisation, which requires that all personal data be encrypted so it cannot be linked back to the consumer without additional data;
(4) notice of any data breaches within 72 hours to the consumer;
(5) the right to access any data collected on the consumer; and
(6) a limited right to destroy data about oneself.
The GDPR applies to any company that works within the E.U. and to all E.U. citizens globally. For international companies such as Coca-Cola, adopting the GDPR privacy standards now rather than later will save them money. Companies that violate the GDPR can face fines of up to either 4% of their total revenue or $24,696,000, whichever is greater, for the most serious infringements of a citizen's privacy.
The GDPR is the highest standard of privacy regulation any world organization has created. By complying with the GDPR, international companies will not only be able to advertise their global compliance but will also quell any hesitations a privacy-sensitive consumer would have.
For example, someone who uses Netflix within the E.U. will have all of their data protected under the GDPR. All of their searches, movies watched, and personal information are protected, and if Netflix were to give their information to a third party without their consent, Netflix would be fined. The fine acts as a powerful deterrent to any company that normally waives the right of consumer privacy in its privacy policy and markets consumer information to third parties. Companies now must explicitly ask the consumer beforehand and provide opt-outs for any consumer who doesn't wish to share their information.
But how does this affect the U.S. cannabis industry?
Currently, all cannabis in the U.S. is grown and regulated within each individual state. Cannabis can't be grown in Colorado and sent to another state or country. However, there are two major benefits of complying with the GDPR even though the E.U. would not normally have jurisdiction to fine any local U.S. company.
Recently, companies like MJ Freeway have been the target of cybersecurity breaches. In six months, MJ Freeway experienced two breaches.
MJ Freeway sells a point-of-sale (POS) system to dispensaries, and if it had followed GDPR procedures it could have minimized the impact of the data breach. Its source code, which was used to build and develop the POS, was posted online.
No patient information was exposed, but the entire operating system was, which hackers could use to figure out how to access patient information.
If MJ Freeway had complied with the GDPR, not only would any breached data have been encrypted, but it also would have been required to notify all patients of the breach within 72 hours, even if the breach did not directly expose their personal information. It's important to establish a good reputation to maintain clientele and build a business. The GDPR is a consumer-protection regulation meant to foster goodwill and trust between the consumer and the producer.
“Chris Nani, law student at Ohio State University, graduating in 2019.
He is currently looking to break into the field of cannabis law through blogging and meeting new attorneys.
If you'd like to contact Chris about his article or have any comments for him, you can reach him at firstname.lastname@example.org."