As the medical and adult use cannabis industry in the U.S. and Canada continues to mature, we expect to see continued investing, lending, and acquisitions activity through 2021 and beyond, as additional states continue to legalize cannabis for medical or adult use.
Legal practitioners in these areas must be sensitive to the fact that, unlike many established highly regulated industries such as health care, the cannabis industry is still finding its footing in dealing with an evolving regulatory landscape.
Moreover, because regulation of cannabis companies has traditionally been fragmented and fluid, even the best-intentioned companies frequently have found themselves in a challenging position with respect to identifying, and then complying with, applicable laws and regulations.
This has resulted in several high-profile data breaches at cannabis companies in the past year, and heightened interest in data privacy issues by both regulators and parties to cannabis transactions.
This dynamic is most salient with respect to data privacy, which growing businesses too frequently fail to treat as a significant risk and management priority.
Protecting Confidential Information
It is helpful to think of data privacy as having two major dimensions—legal requirements that arise specifically from state-level cannabis regulations, and then requirements that are more generally applicable but include cannabis businesses.
Cannabis-specific regulations differ between various states, and even within states, such as requirements applicable to medical and adult use consumers.
Many states take an approach to medical user privacy that is inspired by the fairly robust set of standards around health information, including the federal Health Insurance Portability and Accountability Act (HIPAA) and state laws that govern medical records.
HIPAA has long established that the mere fact of receipt of medical care is itself treated as protected health information, and so similarly cannabis firms are frequently required to maintain the confidentiality of medical users.
This is particularly so because states typically establish a list of qualifying medical conditions, often including terminal illnesses and illnesses presenting severe chronic pain. This is sometimes a closed list created by statute or regulation, and sometimes a more open list subject to the opinions of licensed medical practitioners. Thus, the mere fact of participation in a medical cannabis program implicates significant privacy concerns.
On the adult use side, privacy regulation is more varied but can be exacting, as some states impose extensive requirements on the gathering, use, and retention of adult user personal information.
Outside of cannabis-specific regulation, cannabis firms are also subject to generally applicable state data privacy laws if they gather significant information about customers. The identity verification and record-keeping practices of most cannabis businesses necessarily involve gathering and holding personal information that is subject to state law.
Best Practices for Due Diligence
As with any firm in a highly regulated industry, cannabis companies must contend with the key risks surrounding regulatory compliance relating to their transactions. Such regulatory issues include obtaining and determining the validity of a company’s licenses and permits to conduct operations under state law, particularly because state licensing regimes change frequently and typically issue licenses that must be regularly renewed.
But beyond the important question of whether a firm is legally able to operate in a given jurisdiction, the firm’s compliance with data privacy laws should be a salient part of due diligence. Compliance diligence is necessary to understand and identify any potential liabilities that may arise from past or current operations.
Practitioners should regularly ask questions and request materials related to data privacy on the following matters:
- External-facing privacy policies that establish the rights of consumers, paying particular attention to state laws that dictate the contents and implementation of privacy policies (such as the California Consumer Privacy Act, the CCPA).
- Internal-facing policies that govern the treatment of confidential information, including policies on employee training and administrative, organizational, and technical safeguards for confidential information. (This is especially important in the case of medical cannabis firms.)
- Allegations of noncompliance with data privacy laws.
- Records of customer requests to opt out of receiving marketing materials (where state law permits such marketing in the first place).
Just as cannabis-specific regulation continues to evolve at the state level, data privacy is one of the most active areas of state legislation.
As noted above, the most prominent example is California, where the CCPA imposes among the most stringent data privacy requirements in the U.S. Even there, the landscape is evolving following voter approval of Proposition 24, which will see California transition to an even stricter regime in the coming years.
Increasingly stringent legislation is not limited to California, however. Significant new privacy legislation is either working its way through the legislature or has been recently enacted in many states in which medical or adult use cannabis is also legal, such as Illinois, Maine, New Jersey, New York, and Washington. This counsels a proactive focus on compliance as the regulatory landscape continues to shift.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Chris Hart is a partner at Foley Hoag LLP and co-chair of the firm’s Privacy & Data Security practice. He focuses his practice on data privacy and security issues, and advises companies on regulatory compliance, data breach planning and response, the EU’s General Data Protection Regulation (GDPR), risk management (including cyberinsurance), and litigation.
Jeremy Meisinger is an associate in Foley Hoag LLP’s Administrative Law Department. He counsels clients on a variety of regulatory questions, in such contexts as healthcare, data privacy, and energy.