Co-Author: Ken Stratton
On June 28, 2018, California adopted a comprehensive consumer privacy act, the California Consumer Privacy Act of 2018 (the “CCPA”). Legislators rushed the CCPA through the legislative process with unpreceded speed to stave off a proposed, and more stringent, ballot initiative sponsored by a San Francisco developer. The law, which is similar in scope to the European Union’s General Data Protection Regulation (“GDPR”) and therefore one of the strictest comprehensive privacy laws in the United States, provides California residents with a bundle of rights regarding digital privacy and control over personal information, including the right to:
- know what personal information is being collected;
- request a business to delete personal information;
- know whether their personal information is sold or disclosed and to whom;
- opt out of the sale of personal information;
- freely access personal information; and
- enjoy equal service and price, even if they exercise their privacy rights.
The CCPA will go into effect on January 1, 2020. Under the CCPA, businesses could be penalized up to $7,500 per violation. Additionally, the CCPA makes void and unenforceable arbitration clauses, class action waivers, and provides statutory damages of $750 per consumer, per incident. To avoid liability and be compliant with the CCPA, businesses that are covered will need to budget for implementing or revising their privacy and security practices to comply with the law.
Which businesses does the CCPA affect?
The CCPA will apply to any entity, including cannabis businesses, in California or elsewhere, if:
- the entity’s annual gross revenues exceed $25M;
- the entity in any year buys, receives for its commercial purposes, sells, or shares for commercial purposes,alone or in combination, the personal information of 50,000 or more consumers, households or devices;
- or the entity derives 50% or more of its annual revenues from selling consumers’ personal information.
Based on these criteria, it is clear that the CCPA will apply to many cannabis businesses. For example, any cannabis business that operates a website that annually receives 50k or more visits from California residents will need to comply with the CCPA.
How CCPA Defines Personal Information
The CCPA, like the withdrawn ballot initiative, adopts a uniquely broad approach to personal information. Personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Of particular note to cannabis businesses, “personal information” also includes a consumer’s commercial information, including “records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.”
Next Steps for California Cannabis Businesses
The CCPA, with its expansive and complex requirements, presents unchartered territory for most businesses. To comply with the new law, cannabis businesses will need to assess what their obligations are to consumers. For example, compliance with a consumer request to “opt-out” of the sale of his or her personal information may require a California cannabis business to, among other things, see whether an exception applies, identify the information, honor the request, and notify the customer. While it is yet unclear what shape the CCPA and any implementing regulations may take over time, the new law will undoubtedly create significant compliance costs.
Cannabis Privacy Bill
On a related note, another legislative privacy initiative may be of particular interest to California cannabis operators. Cannabis businesses are currently free to collect data on their customers and sell customer data to third parties. However, Assembly Bill 2402 aims to prevent licensed cannabis businesses from selling their customers’ personal information. The bill would provide for several exceptions, however, including an “opt-in” option whereby a consumer could affirmatively consent to having his or her information sold or shared with a third party. AB 2402, introduced by Assembly Member Evan Low, is in committee. You can provide your input on AB 2402 by contacting his office.