When California legalized adult-use cannabis, lawmakers moved quickly to establish not just licensing and compliance frameworks but consumer protection ones. One of those protections — Assembly Bill 2402, signed into law in September 2018 — specifically prohibits California cannabis licensees from sharing customers’ personal information with third parties without consent.
Nearly a decade later, most independent dispensaries running loyalty programs have never read it.
That gap matters more now than it did at passage. Cannabis loyalty programs have matured from simple punch cards to full CRM platforms with purchase history, behavioral segmentation, and SMS and email marketing tied to identifiable customer records. The data sitting inside a Springbig or Alpine IQ account is exactly what AB 2402 was written to protect — and most operators have never considered whether their platform configuration is compliant.
What AB 2402 Actually Says
AB 2402 is narrow in scope but clear in intent. As cannabis healthcare attorneys noted when the law took effect, a licensed California cannabis retailer may not disclose a consumer’s personal information to a third party — except in limited circumstances: where the disclosure is necessary to process payment, to facilitate state or local government functions, or where the consumer has explicitly consented.
The definition of “personal information” under AB 2402 combines an individual’s name with any of the following: Social Security number, driver’s license number, financial account information, medical information, or health insurance information. The law also classifies marijuana ID cards — used by qualifying medical patients — as medical information under California’s Confidentiality of Medical Information Act. Cannabis licensees who receive those cards are treated as health care providers for CMIA purposes, which carries its own disclosure obligations.
Critically, the law prohibits operators from discriminating against customers who decline to consent to data sharing. If a customer doesn’t want their information shared beyond what’s necessary to complete a transaction, the operator cannot deny them service or alter the terms they receive.
Where Loyalty Programs Create Exposure
AB 2402 includes a carveout for “contractors providing software services to conduct a transaction or verify eligibility” — meaning the loyalty platform itself isn’t automatically a third party if it’s processing the transaction. But that exception has a hard boundary: the contractor cannot share the consumer’s information with other parties.
This is where most operators’ compliance posture gets murky. Loyalty and CRM platforms routinely share data with analytics vendors, advertising partners, or third-party integrations the operator never explicitly reviewed. When an operator signs a platform agreement without examining the data processing terms — specifically, what the vendor does with subscriber data beyond conducting campaigns — they may be creating an AB 2402 exposure they don’t know exists.
CCPA Compounds the Obligation
Layered on top of AB 2402 is the California Consumer Privacy Act, in effect since 2020. CCPA defines “personal information” far more broadly — it includes “commercial information,” which the law specifically covers as “records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.”
A cannabis dispensary’s loyalty database — purchase frequency, product preferences, campaign engagement history, contact information — is personal information under CCPA. For operators meeting certain thresholds (annual gross revenues above $25 million, or annual collection of 50,000 or more consumers’ data), full CCPA obligations apply: a published privacy policy, documented data practices, the ability to honor deletion requests, and no retaliation against customers who exercise their rights.
When a customer submits a deletion request and the operator’s data is spread across a POS system, a loyalty platform, and a third-party email tool, “deleting” that record requires coordinating across systems that may not be built for easy extraction. Most operators have never tested that workflow.
What Getting It Right Looks Like in Practice
None of this requires abandoning loyalty programs. AB 2402 and CCPA together create a compliance framework that’s manageable — for operators who’ve read it. The practical requirements are a clear consent flow at enrollment, vendor agreements that specify data use and non-sharing terms, a functioning deletion process across all integrated platforms, and a privacy policy that accurately reflects what the operator collects and why.
Vallejo Relief Center in Vallejo, California built its loyalty program infrastructure with this framework in mind — consent-based opt-in flows, compliant enrollment through Springbig, and customer relationship management that treats the subscriber list as a protected asset rather than an untethered marketing database. The program has grown to more than 6,000 subscribers and generates over $11,000 in attributed monthly retention revenue.
Compliance-first configuration and strong results aren’t in tension — the operator who builds the right infrastructure gets both.








