Editors' Note: This is the second in our fifth annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Read our previous post on Energy.

Though the final results of the 2020 presidential race took a few days to become clear, it was obvious by the morning of November 4 that cannabis legalization had run the table: from deep red Montana, South Dakota, and Mississippi, to purple Arizona, and blue New Jersey, voters overwhelmingly favored state ballot initiatives to legalize adult use and medical cannabis.  The same Election Day, California voters approved an aggressive expansion of the California Consumer Protection Act (the "CCPA") (already among the strictest state privacy laws) into the California Privacy Rights Act, which envisages extensive privacy protections one typically associates with the EU's General Data Protection Regulation.

That cannabis law and privacy law were fellow travelers in the 2020 election is no accident: because marijuana remains a controlled substance at the Federal level, and because there is no comprehensive Federal privacy legislation outside of specific sectors (such as health information), both cannabis and privacy have long been governed primarily by state law. The cannabis industry has thus come of age in a complex legal landscape for which it has not always been prepared. Indeed, 2020 saw a spate of data breaches at cannabis businesses that reportedly involved sensitive consumer information, which, given the context in which cannabis businesses operate, is not surprising.

State medical cannabis programs are generally structured around tracking of purchases by individuals enrolled as registered patients, typically following a certification by a health professional that an individual falls within a state statute's definition of an eligible patient. Thus, the mere fact of participation in a medical cannabis program immediately implicates significant and often sensitive medical information about an individual. At the same time, retention and tracking of additional personal data (whether mandated by law or undertaken voluntarily by a cannabis company) add to the potential repository of personal data held by cannabis operators.

Adult use operators, though less likely to hold health information about consumers, likewise often gather significant other personal information about them. In some cases, this collection is explicitly regulated. In Massachusetts, for example, state regulations require individuals entering a dispensary to produce proof of identification and age (generally via a driver's license), and require the dispensary owner to verify the consumer's identification. The same regulations prohibit a dispensary owner from recording or retaining information from a government-issued identification without the consumer's permission, which immediately suggests the need for something like a privacy policy to which a consumer must agree before the dispensary may use information derived from that identification. In other cases, state cannabis regulations do not impose specific duties, but that does not leave cannabis operators without a duty to protect consumer information.

Moreover, the scope of consumer privacy issues is likely to grow as adult use cannabis operations expand. Again, Massachusetts is a useful example, having recently finalized regulations on cannabis deliveries that require delivery agents to wear body cameras. Because the body cameras would necessarily record deliveries to individual consumers, Massachusetts regulators likewise explicitly require cannabis delivery operators to protect body camera video from unauthorized disclosure, and require data security, records retention, and records destruction policies. This is yet another frontier in which cannabis operators are clearly duty-bound to protect consumer information, even if the precise shape of that protection is unclear.

All of which is to say that, in the face of a complicated legal landscape, both medical and adult use cannabis operators may sometimes assume that the absence of an explicit, cannabis-specific regulatory requirement means there is no duty to protect confidential information. But generally speaking, nothing exempts cannabis from otherwise-applicable state data privacy laws, or from common-law protections for data privacy that an individual consumer may invoke in a lawsuit. Privacy is therefore a significant compliance issue in the day-to-day operations of cannabis companies, and a significant consideration in a transactional or due diligence context when evaluating a cannabis company's operations.

For many companies (especially those in medical cannabis markets), the Federal Health Insurance Portability and Accountability Act ("HIPAA") serves as a useful frame of reference and starting point for thinking about protecting customer information. This means creating a comprehensive inventory of the personal information held about customers (with special emphasis on health information), creating affirmative written plans for protecting that information that are commensurate with its sensitivity, and then instilling the importance of privacy in employees through training and clear, written operating procedures. HIPAA has now had years to cultivate its own compliance ecosystem and to create clear standards for conducting risk assessments and drafting internal policies; though not always directly applicable, these familiar HIPAA tools are useful references for protecting sensitive customer information.

Moving beyond the starting point described above, cannabis operators – particularly those operating in multiple jurisdictions – must be cognizant of a varied and evolving landscape of state law. California is a leader in this area but, particularly in 2021 and beyond, is by no means the sole actor. This counsels a proactive approach to compliance that examines every jurisdiction in which a cannabis company operates, focusing not only on cannabis-specific regulations (which vary widely in their level of specificity) but also on generally applicable state privacy laws. These laws will continue to change and evolve, as many states have been inspired by California's example in enacting the CCPA.

Beyond making good sense for the protection of customers, this approach also makes strong business sense: as the number of data breaches mounts and public awareness of those breaches grows, transactional partners are likely to focus more closely on data privacy in deals. A strong record of compliance can thus serve as a significant future asset.

To view Foley Hoag's Security, Privacy and The Law Blog please click here