The cannabis user privacy debate has reached California, the nation’s most populous state.
California governor Jerry Brown has signed a bill to prohibit retail cannabis shops from selling customer data to third-party vendors without the customer’s explicit consent. It will also forbid licensees from denying a product or service to consumers who do not authorize them to disclose their personal information.
The bill, introduced in February by assemblymember Evan Low (D-Silicon Valley), will also bar employers from obtaining information about employees who buy cannabis for recreational purposes and guarantee that medical cannabis cards are treated as confidential medical information. The legislation, however, will not be able to prevent federal authorities from seizing customer information.
SUBSCRIBE TO CANNABIS WIRE'S MORNING NEWSLETTER
Original news and analysis from veteran journalists—straight to your inbox every weekday morning. (This newsletter is free now, but will soon be available only to subscribers.)
To verify a cannabis customer’s age, retailers in legal states must ask for valid proof of identification, usually in the form of a driver’s license or a passport. This information is often stored by the retailer and, unbeknownst to the consumer, could wind up in the hands of third parties, either via hackers who steal the information or vendors who sell it, for example, to employers or advertisers. In the United States, this data collection is particularly concerning given that cannabis continues to be illegal at the federal level.
Another worry about personal data: hackers. Data breaches, while uncommon, do occur in the cannabis industry. For instance, MJ Freeway, one of the first companies to offer seed-to-sale tracking services, lost its contract with Nevada after hackers attacked its system in January 2017. And weeks before that, the state itself declared a security breach, in which medical marijuana business license holders’ application files — with Social Security numbers, birth dates, addresses, and phone numbers — were compromised.
Back in May, the Electronic Frontier Foundation (EFF), a nonprofit consumer rights group, wrote in favor of the bill, saying: “As the legal marijuana market in California develops, consumer privacy will be a critical area to protect. That’s doubly true as marijuana vendors turn to apps and websites to market themselves, which will give them the ability to collect data about the most minute customer choices and preferences. That information will be increasingly valuable to data brokers. Not only could such data be used for invasive marketing, it could ultimately be acquired and used by federal law enforcement.”
As Canada prepares for legal recreational cannabis to become legal nationwide Oct. 17, health authorities have announced that although the government will track cannabis sales data, it will not store personal information on individual consumers — an effort to assuage concerns about the gathering and divulging of sensitive personal data by the people who sell the product.
It’s a problem that is already being grappled with elsewhere in the US, where states like Colorado and Oregon have passed laws to protect cannabis consumers’ data.
In Colorado, for example, where voters approved legalization in 2012, privacy safeguards were part of Amendment 64, which states that customers are not required to provide retail marijuana stores with personal information “other than government-issued identification to determine the consumer’s age.” The retailer, moreover, is not obligated to “record personal information about consumers other than information typically acquired in a financial transaction conducted at a retail liquor store.” Recently, Colorado doubled down on broader consumer privacy with legislation that can serve to protect online shoppers. The law redefines personal data to include a name plus another identifier (such as a security question that unlocks a user’s account). It also requires customers, which include cannabis consumers, to be notified of a breach within 30 days.
To protect consumers, Oregon has prohibited its marijuana retailers from keeping or sharing information about their customers’ identities or purchases. Furthermore, the law enacted last year requires that dispensaries destroy all customer personal information within thirty days of any purchase. Customers, however, can still supply their email addresses or phone numbers to dispensaries for personalized shopping, but that data collection must be explicitly voluntary. Similarly, Alaska does not require consumers to provide a retail marijuana store with anything other than government-issued identification to determine their age, and licensees are not required to record personal information about consumers. Retailers in Washington state abide by comparable industry standards.
In California, the bill just signed by the governor will be a significant change. Current state law does not require recreational shops to record in-store customer information after their age has been verified. However, retailers must comply with regulations that limit the amount of cannabis sold to an individual per day, namely, one ounce of cannabis for recreational users, or up to eight ounces for medical patients. For this reason, retailers might feel compelled to track who bought what.
In an investigation into cannabis shops’ data collection in May, The Fresno Bee found that every retailer it contacted in northern and central California stored information about its customers, including names, addresses, birthdays, and phone numbers. Across the state, employees also told the newspaper that any customer who refused to submit personal data was turned away. And in an earlier straw poll conducted by PolitiFact, the half dozen California cannabis shops it contacted all said they retain customer information. Most shops said they scan driver’s licenses, a process through which personal information is sometimes automatically stored in computer systems.
In an email to Cannabis Wire, Jesse Stout, an attorney at Greenbridge Corporate Counsel, which provides services to entrepreneurs in the cannabis industry, underscored the contrast between the scrutiny cannabis businesses are subject to as opposed to the alcohol industry “where customers’ IDs are visually inspected (but not scanned) and there are no purchase limits.”
“If [the] alcohol [industry] faced the same state-federal conflict and risk of incarceration,” Stout added, “then liquor stores might also retain scans of customers’ IDs. So that’s the problem that causes cannabis retailers to retain customer data. A more fundamental solution would be to resolve the state-federal conflict by legalizing cannabis for the whole country, but since assemblymember Low can’t do that, he instead offers this small but reasonable compromise.”
Low’s bill is likely to be implemented alongside the California Bureau of Cannabis Control’s Proposed Regulatory Changes, or, the final draft of the rules for the state’s cannabis industry, which currently contain a requirement that licensees keep records of invoices, receipts, information entered into the track and trace system, and all other documents in connection with the business for at least seven years. Low’s office told Cannabis Wire that although his bill does not prohibit licensees from retaining data to comply with the regulations, it limits their ability to use it without consent.
This story was updated on September 21 to reflect that California governor Jerry Brown signed the bill into law.