Nobody loves privacy like a cannabis user. So as regulators prepare to enforce California’s landmark privacy law, companies in the state’s burgeoning marijuana industry are motivated by customers to comply.
Pot companies are updating business practices, changing websites, and revising policies as directed under the California Consumer Privacy Act. They want to show state officials they’re up to the task of meeting the requirements even though many of them don’t yet fall under the law’s jurisdiction, attorneys and company executives said.
“With all the scrutiny in the industry, you don’t want to be part of a regulator’s naughty list,” said Paige Pembrook, business and cannabis attorney at Ad Astra in San Francisco.
Companies generally fall under the California law’s jurisdiction if they have at least $25 million in annual revenue and collect data on at least 50,000 residents, households, or devices. The law, which will be enforced starting July 1, lets consumers demand that companies delete their personal information in many instances or stop selling it to others, among other new requirements.
Much of California’s pot industry likely falls short of the revenue figure that would require compliance, said John Kagia, chief knowledge officer at New Frontier Data, a cannabis industry data analytics company. “That is likely going to change relatively quickly,” he said.
The California legal cannabis market is expected to more than double its revenue by fiscal 2024 to $7.13 billion from roughly $2.96 billion in fiscal 2019, according to cannabis data firm BDS Analytics.
With industry consolidation, “you’ll have more and more that reach that $25 million threshold,” said Robert Mikos, a professor at Vanderbilt Law School who focuses on cannabis policy.
While it’s unknown how much information pot companies now hold on consumers, they’ll “have to start dealing with more and more data” as they get more customers, said Stuart Bartow, technology and intellectual property partner at Duane Morris in Palo Alto, Calif. That will increase the number of companies required to comply with the law, he said.
Some companies started compliance more than a year before the California law went into effect. Others are beginning efforts even though they don’t yet have to.
MedMen Enterprises Inc., which announced cannabis delivery statewide in California last year, started preparing in late 2018, more than a year before the privacy law took effect, said Morgan Sokol, the company’s executive vice president of regulatory affairs.
MedMen is also looking ahead to new state privacy laws. The company wants to comply, “even when it’s not legally required,” Sokol said.
Cannabis company Columbia Care Inc., with three locations in California and others across the U.S., is using customer data only if “we have consent,” said Kate Driscoll, the company’s vice president of compliance.
The cannabis industry’s embrace of the law contrasts with complaints voiced by the state’s technology sector. The U.S. Chamber of Commerce, tech businesses, and advertisers are all pushing for a federal law to preempt the California statute because of compliance costs and unclear rules.
Marijuana users are highly sensitive to the need for privacy that the California law promises to deliver, and “we respect that,” said Adam Goers, Columbia’s vice president of corporate affairs. Customers worry, for instance, that if their pot use ever became public, their veteran benefits or jobs would be in jeopardy, he said.
Marijuana users also fear that the information pot companies collect about them, such as driver license data and other identifying information, could fall into “the wrong hands,” said Dale Gieringer, state coordinator for the cannabis advocacy group California NORML. Gieringer said he hasn’t heard consumers complain about any pot company privacy violations.
Marijuana firms that opened medical dispensaries as early as 1997 were in a good position to prepare for the California law, said Lara DeCaro, businesses and cannabis partner at Leland, Parachini, Steinberg, Matzger & Melnick LLP in San Francisco. The companies “grew up collecting very sensitive health data,” she said.
Eaze Technologies Inc., an online platform that connects cannabis users and licensed retailers, hired a privacy counsel, conducted a data audit, and determined which of its business practices aligned with the California law, said Elizabeth Ashford, a company spokeswoman. It also examined how the company was communicating its information-protection practices with the public, she said.
Marijuana companies under heavy scrutiny know a compliance failure can shut them down, so “when a new law comes out, we are ready to roll,” Ashford said.
California law requires covered-businesses to delete consumer data when asked in certain situations, honor customer data sale opt-out requests, and allow access to data being collected about them. The law requires that companies be clear in privacy policies about data-use practices.
Eaze, and cannabis dispensary finders such as WeedMaps, are highlighting consumer rights under the California law in their privacy policies and allowing state residents to access, delete, and correct collected data. Carl Fillichio, spokesman for WeedMaps, declined to comment.
Despite the compliance efforts, many pot companies are not ready for the new law, said Griffen Thorne, data security and cannabis attorney at Harris Bricken in Los Angeles.
“There’s a need in the cannabis industry to do the thing that is immediately in front of you,” Thorne said. That includes getting licenses and permits, he said. “Data privacy can often times take a back seat.”
Marijuana businesses should consider adopting privacy policies similar to what the California law requires to get ahead of future compliance hurdles, DeCaro said. They should look at contracts they have with software providers to make sure they protect consumer data, she said.
Other retailers have “come to the incorrect conclusion that they aren’t covered” by the law, DeCaro said.
Such companies can reach the data-collection threshold that requires them to comply through their marketing activities, such as loyalty programs and email lists, DeCaro said. That “shoves a lot of them” under the jurisdiction of the California law, he said.