It’s 2023 and many cannabis businesses are still missing one critical operating document: a privacy policy. I’ve been writing and talking about this issue for years. And things are not getting better. So let’s talk about it once more.
To start, California has required privacy policies for a very long time (well, “long” at least in terms of the Internet). Under California law, operators of commercial websites that collect “personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site” need a privacy policy. That’s a lot to digest. In English, website owners must have a privacy policy if California consumers use or visit their website.
Any cannabis business that operates in California and has a website is clearly subject to this requirement. But what about an Iowa-based cannabis company? Well, so long as California residents use or visit it, the requirement applies. And unless the cannabis business can definitively say that its website has no California users/visitors, it’s best practice to just get a privacy policy. If you read the above law, the requirements are relatively manageable and not too intense. But that’s not the end of the story.
In 2018, California passed the California Consumer Privacy Act (CCPA). CCPA is inspired by the European Union’s earlier General Data Protection Regulation (GDPR). Like GDPR, CCPA codified a host of consumer rights with respect to their personal information. And it imposed a host of new legal requirements on applicable businesses (more on that below). In 2020, California voters passed Prop. 24, a/k/a the California Privacy Rights Act (CPRA), which amended and supplemented CCPA. And you bet that there are also regulations to deal with.
One of the myriad requirements that CCPA imposed was to have a privacy policy. And unlike prior law, CCPA’s requirement is a whole lot more robust. See here for example. This is also the case for GDPR. For any business that is subject to one of these newer privacy regimes, drafting a compliant privacy policy is a challenge. So the million-dollar question is, who do these laws apply to? For CCPA, the California attorney general says:
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
The second million-dollar question here is what it means to do business. Of course, CCPA doesn’t clearly define that. But elsewhere in the law, CCPA says “For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.”
It’s therefore safe for businesses to assume that even tangential relationships to the Golden State could subject them to CCPA’s requirements so long as one of the above thresholds is met. And this means that the business needs a robust privacy policy.
What about GDPR? GDPR is even more broad in scope:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
A company that simply offers services, even for free, to residents of the EU may end up subject to GDPR. To be fair, this won’t be the case for your run-of-the-mill cannabis company. It’s more likely to affect hemp/cannabinoid companies that sell through e-commerce. But even cannabis companies can walk themselves into GDPR territory with marketing and sales efforts.
If any of these laws applies – or if a business even thinks the laws could apply – a privacy policy is necessary. There are plenty of plaintiffs’ lawyers out there who will sue, in some cases via class action, if a business fails to employ a privacy policy. Things get even worse if the privacy policy is inaccurate or the company doesn’t adhere to it.
A privacy policy is a key (and often legally required) document for any cannabis company. Without it, there’s not only likely to be a legal violation, but also maybe a lawsuit. It doesn’t need to cost an arm and a leg, and if done right, can save a ton of money and sweat on the back end.
Before ending the post, I should mention that a privacy policy isn’t the only thing cannabis companies need to worry about when it comes to data protection. CCPA, GDPR, and other laws impose numerous requirements beyond simply having a privacy policy. For example, see this post of mine from a while back on CCPA and deletion requests. This stuff can get incredibly complicated. And like with privacy policies, it’s better to invest in privacy law compliance early on, instead of defense counsel down the road.