On January 1, 2020, entities doing business in California will have to comply with the California Consumer Privacy Act (CCPA), a first-in-the-nation consumer privacy law that grants numerous privacy rights to California residents. The CCPA will require thousands of businesses, including cannabis businesses, to undertake significant compliance efforts or risk substantial penalties. For cannabis businesses, however, compliance efforts must be considered in light of other applicable privacy laws.

The CCPA applies to for-profit legal entities that collect “personal information” of California residents, do business in California, and: (1) have annual gross revenues in excess of $25,000,000; (2) buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices; or (3) derive 50% or more of their annual revenues from selling California residents’ personal information.

The CCPA defines “personal information” incredibly broadly to include any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That includes not only core personal identifying information such as credit card and social security numbers but also names, IP addresses, email addresses, website browsing history, information concerning a consumer’s interaction with a website (e.g., cookies), medical information, biometric information, and geolocation data, among other categories. In other words, if a business has a store in California or a web page that sells to California residents, it will have personal information of California residents subject to the CCPA.

Cannabis businesses that are subject to the CCPA will need to identify what types of personal information they collect about California residents. For example, does the business collect and store names and contact information when customers pay? Does it collect email addresses and other personal information for newsletters, blogs, rewards programs, or “contact us” features on its web page? Does the business’s web page utilize cookies that will trigger the CCPA?

A business that is subject to the CCPA will need to undertake numerous compliance efforts, including:

• Drafting/revising its online privacy notice to disclose the types of personal information it collects about California residents and how that information is shared with third parties;
• Responding to requests from California residents to provide the specific pieces of personal information the business has collected about them for the twelve-month period prior to the request;
• Allowing consumers to request that their personal information be deleted; and
• Not discriminating against consumers for exercising their rights.

Read the full article at

Analyzing the California Consumer Privacy Act’s Impact on the Cannabis Industry