Insights
Publications

Cannabis Companies and the California Consumer Privacy Act

May 14, 2019 Articles

The new California Consumer Privacy Act of 2018 (CCPA) will come into effect January 1, 2020.  By turning attention to the issue now, cannabis companies can ensure compliance with the new law without significant business disruption.

Are You Subject to the Law?

A California cannabis company should start by determining whether the requirements of the law will actually apply to it. The act applies to for-profit companies that

  • have annual gross revenues in excess of $25,000,000; OR
  • receive or sell/share the personal information of 50,000 or more California residents, households, or devices annually; OR
  • derive at least 50 percent of their annual revenues from selling the personal information of California residents.

What Does the Act Require?

The CCPA provides consumers with four basic rights relating to their personal information:

The Right to Know

Companies must inform consumers, usually through a privacy policy, what personal information is collected, where it was acquired (e.g., through cookies, by request, etc.), what the information is used for, whether it is being shared with third parties, and to whom it is shared with.

At least two methods for a consumer to request that the company identify the personal information in its possession must be provided, including, at a minimum, a toll-free number and a link on the company web site. Such a request will need to be fulfilled by the company without charge and within 45 days after receipt of the request (with the possibility of additional time where reasonably necessary and requested). 

Similarly, the company must inform consumers of their “right to be forgotten,” discussed further below. While the law only requires this disclosure to be in a “form that is reasonably accessible,” the privacy policy is a natural location and will surely satisfy the requirement.

The Right to Opt Out

Companies that provide consumer personal information to third parties must enable consumers to “opt out” of having her/his information transferred. While the opt-out/opt-in requirements are different for consumers under 16, such requirements should not be relevant to cannabis companies who don’t knowingly permit consumers under 21 to utilize their sites/services. In short, though, companies may not sell personal information of consumers age 13 to 16 without express “opt in,” and for consumers under age 13, the company may not sell her/his personal information without “opt in” from the consumer’s parent or guardian.

The privacy policy posted on the site must provide information on how to opt out as discussed above, and additionally must include a link labeled “Do Not Sell My Personal Information” on the home page. 

The Right to Control and Be Forgotten

As noted above, consumers must be able to request the deletion of their personal information. This latter right to be forgotten, however, is not a blanket right and has limitation. Personal information need not be deleted, even after a request for such deletion by a consumer, when the information is, among other things, required to comply with a legal obligation or applicable laws (e.g., age-verification laws).

Note that where a company has a need to hold personal information, it may only hold and use that data for that specific purpose.  If, for example, the company needs to hold the data for evidence of verification or other state regulatory requirements, it may not be used to provide marketing materials to the consumer or any other purpose outside of storage for legal compliance.

The Right to Exercise Privacy Rights Without Prejudice

Companies may not discriminate against consumers who exercise their rights under the CCPA.  That is, a company may not deny customers services, provide different goods or services, or charge customers different prices depending on whether they opt-out or otherwise take advantage of their rights under the CCPA. That said, the law nonetheless permits loyalty programs and other financial incentives that benefit those who don’t opt out.

What to Do to Get Ready?

January is coming.  At this time companies should be discussing the issues with stakeholders within the company, primarily those interested in collecting and using the information—the marketing department—and those that control the technical collection of data—the IT department. It is important that both stakeholders provide input and understand the issues as it is common for systems to collect information that, for example, marketers were not actually looking to collect.

Once the company’s data collection is understood, the privacy policy and required disclosures are posted, and the company has a plan and process to respond to consumer and regulator requests concerning personal information, January 1, 2020 will present only the chance to toast the opportunities of the new year rather than worry about the effective date of the CCPA.

Firm Highlights

Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More
News

Farella 2024 Partner Elevations: Cynthia Castillo and Greg LeSaint

Northern California legal powerhouse Farella Braun + Martel is pleased to announce the election of two lawyers to partnership effective Jan. 1: Cynthia Castillo and Greg LeSaint. “We are thrilled to elevate Cynthia and...

Read More
Publication

Navigating Cannabis in the Workplace: A Guide for California Corporations

The landscape surrounding cannabis in the workplace is rapidly evolving, posing challenges for California corporations and businesses to establish effective policies and procedures. As the use of cannabis, both medical and recreational, becomes more...

Read More
Publication

California AI Proposal Rethinks Consumer Scope and Recordkeeping

The California Privacy Protection Agency will revisit its  draft  regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024...

Read More
Publication

A Simpler Approach To Expanding Banking Access

While the cannabis community anxiously awaits what feels like Congress’ hundredth attempt to pass the SAFE Banking Act, there is one simple step that can be taken today to improve access to banking services...

Read More
Publication

A Summary of New Laws Coming for California Employers in 2024

In 2023, California has adopted several new employment laws either introducing new employee protections or codifying existing practices into state law. With these changes, employers will need to examine and adjust some of their...

Read More
Publication

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More
Publication

Thomson Reuters v. Ross Intelligence: AI Copyright Law and Fair Use on Trial

On Sept. 25, 2023, Judge Stephanos Bibas (sitting by designation in the District of Delaware), determined that fact questions surrounding issues of fair use and tortious interference required a jury to decide media conglomerate...

Read More
Publication

Regulatory Changes Underway To Address Dwindling California Property Insurance Market

We keep hearing about how difficult it is for our clients to get property insurance these days, both for homes and businesses in Northern California’s wildfire-prone areas. Which, of course, is most of Northern...

Read More
Publication

California Proposes New AI & Automated Decision-Making Technology Regulations

The California Privacy Protection Agency (CPPA) released its draft  regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently...

Read More